ADHQ Permissions Control
A major feature of ADHQ profiles is their ability to control access to ADHQ. Profiles define who can run ADHQ, what areas of your network can be managed, and what actions can be performed on objects in those areas. Profiles can be restricted to a specific set of domains or OUs, or can be limited by object type. ADHQ admins logged in to the built-in User Manager profile, for example, cannot see or modify non-user objects in the domain.
The following paragraphs describe the various types of control that can be granted or denied with ADHQ profiles.
Who can run ADHQ?
The Enterprise version of ADHQ is a whitelist-based application. Only users explicitly assigned to one or more profiles are able to log on and use the software. Assign users to profiles with the Profile Members list on the General tab of the Profile Editor. By default, the ADHQ Admin Group is assigned to all profiles.
What areas of the directory can be managed?
ADHQ profiles can be limited to working within a list of locations, or limited to specified types of objects. Use the Managed Locations list to specify the domains, OUs, or even individual objects that users of the profile can modify. Use the Managed Objects section of the Profile Editor to control what types of objects can be modified by users of the selected profile. Take advantage of the Show only managed objects checkbox to hide from view any object types that can't be managed.
What actions can be performed?
For more granular control over what actions can be performed by users of the profile, the Profile Editor allows you to completely customize the toolset users will see when logged on. Add or remove default tools from the set, or edit a tool to control exactly what operations are included. Change default values, make fields mandatory, or hide controls from view. The tools are entirely customizable, giving you the freedom to make the interface exactly how you want it for your admins.