AD Group Manager Web - Online Manual

Organizational Unit (OU) Access Control

What is OU Access Control?

The Organizational Unit (OU) Access Control feature allows administrators to restrict access to the AD Group Manager Web application based on users’ specific Organizational Units in Active Directory. This provides an additional layer of security and access management.

How OU Access Control Works

Basic Concept

  • Users can only log in to the application if their Active Directory account is located in one of the predefined Organizational Units
  • Administrators can specify multiple allowed OUs
  • Users outside these OUs will be denied access, even with valid credentials

Configuration Steps

1. Locate the Configuration File

Open the appsettings.json file located in the application’s wwwroot folder.

2. Define Allowed OUs

Add an AllowedOUs section to specify which Organizational Units can access the application:

{
  "AllowedOUs": [
    "OU=Users,DC=example,DC=com",
    "OU=IT,OU=Corporate,DC=example,DC=com"
  ]
}

3. Configuration Options

Multiple OU Support

  • You can specify multiple OUs
  • Users in any of the listed OUs will be granted access
  • OUs can be at different levels of the directory structure

Case Insensitivity

  • OU names are matched without regard to case
  • Works with variations in capitalization

Example Scenarios

Scenario 1: Simple OU Configuration

"AllowedOUs": [
  "OU=Users,DC=company,DC=com"
]
  • Only users directly in the Users OU can access the application

Scenario 2: Multiple OU Access

"AllowedOUs": [
  "OU=IT,OU=Corporate,DC=company,DC=com",
  "OU=Management,OU=Corporate,DC=company,DC=com"
]
  • Users in either the IT or Management OUs can access the application

Scenario 3: Nested OU Support

"AllowedOUs": [
  "OU=Engineering,OU=IT,OU=Corporate,DC=company,DC=com"
]
  • Users in the Engineering OU (or its sub-OUs) will have access

Edge Cases and Considerations

1. No OUs Configured

  • If no OUs are specified, all users will be allowed
  • It is recommended to define the access rules explicitly

2. Partial DN Matching

  • The check is made against the user's full Distinguished Name
  • This ensures that only the intended OU is matched

3. Admin Users Bypass

  • Users in admin groups (defined in Administration:AdminGroups) will always have access
  • OU restrictions do not apply to administrators
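
The rules described above (a match against whole components of the user's Distinguished Name, case-insensitive comparison, nested OUs covered as in Scenario 3, an empty list allowing everyone, and the admin bypass) as an added Python example; this is not the application's own code. The AdminGroups values and the comparison of group names are assumptions, and escaped commas inside DN values are not handled.

```python
import json

# Constructed sample configuration in the shape the manual describes (not a real deployment).
# The AdminGroups values are hypothetical; the manual only names the Administration:AdminGroups key.
SAMPLE_CONFIG = json.loads("""
{
  "AllowedOUs": [
    "OU=Users,DC=example,DC=com",
    "OU=IT,OU=Corporate,DC=example,DC=com"
  ],
  "Administration": { "AdminGroups": ["AppAdmins"] }
}
""")


def rdn_components(dn):
    """Split a DN into (attribute, value) pairs, lower-cased and trimmed.
    Simplification: commas escaped with a backslash inside a value are not handled."""
    parts = []
    for raw in dn.split(","):
        if not raw.strip():
            continue
        attr, _, value = raw.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def dn_in_ou(user_dn, allowed_ou):
    """True if user_dn lies in allowed_ou or one of its sub-OUs.
    The allowed OU must equal whole trailing RDNs of the user's DN, so
    OU=IT never matches OU=IT2 and a plain substring test is avoided."""
    user = rdn_components(user_dn)
    ou = rdn_components(allowed_ou)
    if not ou or len(user) <= len(ou):  # the user's own CN must sit below the OU
        return False
    return user[-len(ou):] == ou


def is_access_allowed(user_dn, user_groups, config):
    """Apply the manual's rules: admins bypass, an empty list allows everyone,
    otherwise the user must sit in at least one AllowedOUs entry."""
    admin_groups = {g.lower() for g in config.get("Administration", {}).get("AdminGroups", [])}
    if any(g.lower() in admin_groups for g in user_groups):
        return True
    allowed = config.get("AllowedOUs") or []
    if not allowed:
        return True
    return any(dn_in_ou(user_dn, ou) for ou in allowed)
```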

Troubleshooting

Common Issues

  • Access Denied: Verify the exact OU path in Active Directory
  • Case Sensitivity: OU names are matched case-insensitively, so check the spelling of the OU path rather than its capitalization
  • Nested OUs: Check the full Distinguished Name structure

Logging

  • Application logs will provide details about access attempts
  • Check the logs for the specific reason an access attempt was denied

Best Practices

  1. Careful Planning: Map out your OU structure before implementation
  2. Test Thoroughly: Validate access for various user accounts
  3. Gradual Rollout: Start with a small group of OUs and expand
  4. Regular Review: Periodically review and update OU access rules

Security Considerations

  • OU access control provides an additional layer of access management
  • Combines with existing authentication mechanisms
  • Helps enforce organizational access policies

Performance Note

  • OU checking is performed during the authentication process
  • Minimal performance impact
  • Efficient matching algorithm


Use of this site constitutes acceptance of our Privacy Policy and EULA. Copyright © Albus Bit SIA