Version 3.0.11.0Version 3.0.21.0Version 3.0.22.0Version 3.0.24.0Version 3.1.0.0
‹ 9 ConfigurationBack to Index9.2 Container Permissions ›

9.1Users and Groups

Users and Groups
Users and Groups

Users are managed through the Config page’s Users and Groups section.

Here you will see a list of all of the users and groups that have been added to OVERLAPS and have the ability to edit or remove them.

9.1.1Add a New User or Group

To add a user, click the New User/Group button, a window will appear allowing you to enter the user or group’s account (user) name.

Adding a New User
Adding a New User

Start typing the username and OVERLAPS will search Active Directory for potential matches for you to select from.

Add a New User/Group Autosuggest
Add a New User/Group Autosuggest

Here you may also set the user or group’s site-wide permissions:

9.1.1.1Edit Settings

Users with this permission have full permission to everything in OVERLAPS. They are the only ones who can add or remove users, grant permission to OUs, and change the various system settings.

Warning: This allows the user full access to everything in OVERLAPS, including the ability to grant access to the LAPS password of any computer in the domain, including servers, to any other domain user.

9.1.1.2Edit Self Service

Granting this permission allows the user or group to add or remove Self Service computers from other users or groups.

9.1.1.3View History

Users with the View History permission can access the History page and view a log of everything that other users are doing within OVERLAPS.

9.1.1.4Set a Precise Expire Date & Time

If checked, this user/group can specify a date and time when expiring a computer’s password (instead of it expiring immediately).

9.1.1.5Disable Browser

If checked, the user or group is not allowed to browse Active Directory containers even if they have permission to do so. Their only means of accessing a computer that they have permission to is by searching for it.

9.1.2Editing Users

You can edit users in one of two ways:

9.1.2.1One at a Time

Click the user or group name in the list to access a dropdown allowing you to view or modify various settings for that user.

User Menu
User Menu
Group Menu
Group Menu

Both Users and Groups have options for editing the Rate Limits (see 9.1.3), Self Service Computers (see 9.1.5) and User Access Levels (see 9.1.4); Groups also have menu options for to View Members to see what users appear in the group, and Refresh Group to order the group to be updated. If the user has Two Factor Authentication enabled, you will also see the option Disable Two Factor Authentication which can be used to disable this for the user in case they become locked out of their account.

9.1.2.2Multiple Users/Groups at the Same Time

Select one or more users or groups by checkbox next to their entry in the user list, then click the Edit User button to edit the Rate Limits, Self Service Computers and User Access Levels for all of them at once.

When you edit multiple users at the same time, the edit window will have an additional Selected Users dropdown that you can use to confirm which users you have selected and toggle them off to exclude them from the edit operation if desired.

The Selected Users List
The Selected Users List

Clicking a user will deselect them, and any changes made when clicking Save Changes will no longer apply to them. Clicking the user again will re-select them, including them in the edit operation again.

9.1.3Setting Rate Limits

Edit Rate Limits
Edit Rate Limits

You can set a limit on users and groups which controls how many: a) Password Read Requests, and b) Password Expirations or Resets, those users can perform in a given time period.

This can be useful to prevent over-exposure of your Local Administrator passwords, and to prevent a user from mass-exporting them.

Password Request limits and Password Reset limits can be controlled independently. To set a limit:

  1. Click the checkbox to Enable the limit you want to impose (use the tabs to switch between Password Requests and Password Resets),
  2. Specify a maximum number of requests (Maximum Requests/Resets) that can be performed in a specific time frame,
  3. Specify the time span and period that this will be monitored over,
  4. If the user(s) attempt more than the maximum requests in the given time period, they will be blocked until that time period has passed.

For example, for a normal user you may want them to stay under 25 requests per day, so you would set it to - Maximum: 25, Every: 1, Period: Day.

A warning note on group memberships

In order to handle multi-group membership in an efficient and minimally complex way, there is an important point to remember: where a user is a member of multiple groups, each with its own rate limit, OVERLAPS will select the lowest value from all of the rate limit time periods AND the minimum number of requests.

This means if you have a group with a limit of 5 requests every day, and another with a limit of 25 requests every 10 minutes, a member of both groups will end up with the limit 5 requests every 10 minutes.

This is done to be in-line with least privilege best practices. If the need arises to override the rate limit a user is experiencing because of their group memberships, the correct way would be to add the user explicitly to OVERLAPS as explicit user settings always take priority over group memberships.

9.1.4Changing User Access Levels

Edit a User's Access Levels
Edit a User's Access Levels

This window allows you to change the overall access that the user(s) have to the OVERLAPS website.

Administrators (users with Edit Settings permission) have full access to every Active Directory container, and the ability to modify users and site settings. This should be limited to only a few trusted users.

Users who have the Edit Self Service permission can add and remove Self Service computers from other users and groups. This allows you to delegate the management of Self Service to non-administrators but be wary as they will be able to grant permission to any computer in the domain (including servers).

People with View History permission have the ability to view a history of events that occur within OVERLAPS such as users logging in/out and viewing passwords.

Users who can Set a Precise Expire Date & Time can specify when a computer’s password will expire instead of it occurring immediately.

When modifying a single user/group, you can either Enable or Disable each permission. When editing multiple users, setting an option to No Change means that no changes to each users’ current access will be made. Setting it to Remove disables the selected access for all selected users, and Enable will grant the selected access.

9.1.5Managing User Self Service Computers

Edit Self Service
Edit Self Service

The Self-Service Computers window allows you to specify one or more computers which the selected user(s) or group(s) will be able to access the Local Administrator password for. This allows for “power users” to be setup with access to a small number of computers where granting access to an entire Organizational Unit is not desirable.

Warning: When selecting multiple users/groups and opening this window, all of the Self-Service computers for all of the users will be shown. Saving Changes now will grant access to all of those computers to all of the selected users. For this reason, it is recommended to only edit one user at a time.

9.1.5.1Manually Adding Self-Service Computers

To add a computer, start typing its name in the Computer Name field. You will be presented with a list of similar matching computer names from Active Directory.

Adding a Self-Service Computer
Adding a Self-Service Computer

To add one of the displayed computers, simple click its name and it will be added to the list of computers below the computer name box.

9.1.5.2Using Active Directory's "Managed By" Property

An alternative (or addition) to adding the computers one-by-one here is to check one of the Active Directory “Managed By" option under the Managed By tab.

Self-Service 'Managed By'
Self-Service 'Managed By'

Selecting either the Authorisation Required or Authorisation Not Required options will, when a user goes to their Self-Service page, also show a list of any computers that the user is marked as the Manager of through Active Directory.

A Computer Managed by a User in Active Directory
A Computer Managed by a User in Active Directory

This can be a quicker way of setting up Self Service if you have already populated this value, or if you are planning to populate it by, for example, exporting the information from SCCM by a script.

For information about the Self-Service experience, see Self Service.

9.1.5.3Requiring Authorisation

For manually added computers, the “Auth Req” checkbox indicates that the user must first submit an Authorisation Request and have it approved before they can view the computer’s password.

When using the “Managed By” feature, you can also select whether an Authorisation Request is required or not by selecting the appropriate option.

9.1.5.4Authoriser

Self-Service Authoriser
Self-Service Authoriser

To nominate a user or group who can provide or deny authorisation requests generated by a Self Service user you can use one of two methods:

1. Authoriser

You can add a user or group to the Active Directory container permissions (see Container Permissions), and check the option Authorise Self-Service Access Requests. This will grant the user permission to authorise requests from Self Service users on all computers in this container.

2. Self-Service Authoriser

Alternatively, you can specify the user/group in the Self-Service settings dialog as shown above. This will allow the user to authorise Self Service requests only on the computers in this Self-Service setup.

9.1.6Removing a User

Removing a User
Removing a User

Selecting one or more users and clicking the Remove button will prompt you to confirm that you want to remove the user completely from OVERLAPS. This process is not reversible, and to re-add the user or group you would have to completely set up their settings and permissions again.

This document was last updated on the 5th March 2021
‹ 9 ConfigurationBack to Index9.2 Container Permissions ›

No part of this documentation may be reproduced or transmitted in any form or by any means, or stored in any retrieval system of any nature without the prior written permission of Int64 Software Limited, except for permitted fair dealing under the Copyright, Designs and Patents Act 1988.

Int64 Software Limited does not assume or accept any liability for any loss or damage of any kind to any person that may arise as a result of that person (or any other person) using this documentation or acting or refraining from action in reliance on any information (including expressions of opinion) contained in this document. This limitation/exclusion of liability does not apply in the case of death or personal injury caused by negligence on the part of Int64 Software Limited, or to the extent (if any) that a limitation and/or exclusion in these terms is not permitted under applicable law.

This website uses cookies

We use cookies to improve your experience on our site. Most of this is for core functionality, like our shopping cart, or logging in to our members section, but we also use it to help understand how our site is being used in order to continue providing a great service. If you'd like to know more, please view our Privacy Policy.