9.2Container Permissions

OVERLAPS uses an ACL-like permissions system where each user or group can be granted granular permissions to individual containers in your Active Directory structure.

The Permissions section is split vertically into two parts: A navigation tree for finding the container you want to edit, and a list of the Users/Groups who have permission to the currently selected container.

It is important to note that any changes made here are set in OVERLAPS only. No changes are made to your Active Directory structure or permissions.

Organizational Unit Permissions Interface – Organisational Unit Browser

Organizational Unit Permissions Interface – User Permissions for this Container

With a valid container selected, you can add or remove users using the relevant buttons, and change their permissions (see below) accordingly, but the permissions are only saved when you click the Save Changes button.

9.2.1Container Permission Icons

The permissions available to each user are split into sections:

9.2.1.1Computer Information Permissions

Permission	Description
	Read Computer Information - Allows the user to bring up the Computer Information window for computers in this container.
	Write Computer Information - (Requires the Read Computer Information permission) This allows the user to edit the description of the computer from the Computer Information window. This requires OVERLAPS to have write permission to the Description property.

9.2.1.2Computer Management Tools

Permission	Description
	Group Policy Update – Allows the user to run a Group Policy Update Computer Management Tool on the selected computers in this container.
	Ping – Permits the user to run an ICMP Ping on any computers selected in this container.
	Restart – Permits the user to remotely restart any computers in this container.
	Shutdown – Permits the user to remotely shutdown computers in this container.

9.2.1.3Read Password Permissions

Permission	Description
	With this option checked, the user/group can read the password of any computer in this Organizational Unit.
	Alternatively, checking this option will allow the user/group to read the password of any computer in this Organizational Unit, but they will need to submit an Authorisation Request first which must be authorised by one or more nominated Authorisers (see Authorisation).

9.2.1.4Reset/Expire Password Permissions

Permission	Description
	With this option checked, the user/group can expire the password of any computer in this Organizational Unit. This will trigger the computer to reset its password when it next runs a Group Policy update.
	As with the Read Password permissions, this also allows users to expire passwords, but will require them to submit an Authorisation Request first.

9.2.1.5Authoriser Permissions

Permission

Description

Checking this option nominates this user/group as an Authoriser for normal user requests. When a user who requires authorisation attempts to perform a relevant action, these users will be notified by email and must login to OVERLAPS to authorise the action.

In order to have users who require authorisation to read or expire passwords, the container must also have at least one Authoriser.

As with the regular Authoriser permissions, except this user has permission to authorise Self-Service users to read computer passwords.

9.2.2Rules for Permissions

There are a few rules to consider when settings permissions on a container:

Users can either have Read permission or Read with Authorisation permission, you cannot check both.
Similarly, users can only have Expire or Expire with Authorisation permissions.
In order to add users who require authorisation, the container must have at least one nominated Authoriser user.

9.2.3Permission Inheritance

To simplify the process, OVERLAPS does not support traditional permission inheritance. Instead, you can opt when saving permissions to overwrite the permissions for all child OU’s with the ones being saved for the current container.

9.2.4Renaming a Container

Often Active Directory containers are named in a utilitarian way which may make sense from an Administration point of view but may be confusing of unclear to regular users. For this purpose, OVERLAPS supports the ability to give containers an alternative name which will show in OVERLAPS only.

This does not affect the container itself and does not make any change to Active Directory, it is purely cosmetic and only visible within OVERLAPS.

To “rename” a container, select it from the tree view, then click the Rename button next to its Distinguished Name.

Renamed containers will show as blue in OVERLAPS, and hovering over it will reveal its original name.

This document was last updated on the 5th March 2021

No part of this documentation may be reproduced or transmitted in any form or by any means, or stored in any retrieval system of any nature without the prior written permission of Int64 Software Limited, except for permitted fair dealing under the Copyright, Designs and Patents Act 1988.

Int64 Software Limited does not assume or accept any liability for any loss or damage of any kind to any person that may arise as a result of that person (or any other person) using this documentation or acting or refraining from action in reliance on any information (including expressions of opinion) contained in this document. This limitation/exclusion of liability does not apply in the case of death or personal injury caused by negligence on the part of Int64 Software Limited, or to the extent (if any) that a limitation and/or exclusion in these terms is not permitted under applicable law.