Adaxes Web Interface Help
Business Units are virtual collections of Active Directory objects that let you organize objects in an alternative way without breaking the Active Directory structure. They can be used to manage and view objects collectively. For example, you can use Business Units to group users from Human Resources departments located in different domains. After that, you can view them collectively and assign Security Roles, Business Rules and Property Patterns to them.
To make Business Units easier to browse, they can be organized in containers. This also makes it possible to create complex alternative hierarchies of AD objects.
Objects are added to Business Units with the help of the following membership rules:
Specific Objects
You can specify individual objects that you want to include in or exclude from a Business Unit. Objects included specifically will be members of this Business Unit even if they are excluded by rules of other types.
Group Members
You can specify groups whose members you want to include in or exclude from a Business Unit. This is a dynamic membership rule, so when you add a member to a group included by a rule of this type, the new group member automatically becomes a Business Unit member. In the same manner, when an object is removed from a group included by a rule of this type, the object is automatically excluded from the Business Unit.
You can include/exclude either direct group members only or all members of a group, including the members of nested groups.
Container Children
You can specify containers or organizational units whose children you want to include in or exclude from a Business Unit. This is a dynamic membership rule, so when you add an object to a container included by a rule of this type, the object automatically becomes a Business Unit member, and when you remove an object from such a container, the object is automatically excluded from the Business Unit.
You can include/exclude either immediate container children only or all descendants of a container, including the children of nested containers.
Query Result
You can define search criteria to include or exclude objects that match these criteria. To add a Query Results rule, you need to specify where to search (in all managed domains or in a specific domain, OU, or container), the search scope (direct children only or all nested objects) and an LDAP Filter containing the criteria of your query. This is a dynamic membership rule, so when new objects that match the specified criteria are created, or existing objects are modified so that they match the specified criteria, they are automatically included in or excluded from the Business Unit.
You can add several membership rules for a Business Unit. If the same objects are included by one membership rule and excluded by another, membership is determined by the priority of these rules. The priority is defined in the following order:
Rules of the same type have different priority if one of them includes objects and the other excludes them. The excluding rule has a higher priority.
For example, the Administrators Business Unit has two membership rules, one of which includes members of the Domain Administrators group, and the other excludes, as a specific object, the Security Admin user that is a member of this group. In this case, the Business Unit will contain all members of the Domain Administrators group except for Security Admin, because the Specific Objects rule has a higher priority than the Group Members rule.
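The priority resolution described above, modelled as an added example (this is not Adaxes code and does not use its API), useful when reviewing who actually ends up in a Business Unit that has Security Roles assigned. `Rule`, `is_member`, `GROUPS`, the user names other than Security Admin, and the full ranking in `PRIORITY` are assumptions; the page only confirms that Specific Objects outranks Group Members and that an excluding rule beats an including rule of the same type.

```python
from dataclasses import dataclass

# Assumption: rule types are ranked in the order the page lists them. The page
# itself only confirms that Specific Objects outranks Group Members.
PRIORITY = ["specific", "group", "container", "query"]

# Constructed sample directory: group -> direct members (users or nested groups).
GROUPS = {
    "Domain Administrators": {"alice", "Security Admin", "Tier0 Operators"},
    "Tier0 Operators": {"bob"},
}

@dataclass(frozen=True)
class Rule:
    kind: str             # "specific" or "group" in this model
    target: str           # object name or group name
    include: bool = True  # False makes this an excluding rule
    nested: bool = False  # group rules only: also follow nested groups

def group_members(group, nested, seen=None):
    """Direct members of a group, plus members of nested groups if nested=True."""
    seen = set() if seen is None else seen
    if group in seen:     # guard against circular group nesting
        return set()
    seen.add(group)
    members = set(GROUPS.get(group, ()))
    if nested:
        for m in list(members):
            if m in GROUPS:
                members |= group_members(m, True, seen)
    return members

def matches(rule, obj):
    if rule.kind == "specific":
        return rule.target == obj
    if rule.kind == "group":
        return obj in group_members(rule.target, rule.nested)
    return False          # container and query rules are outside this model

def is_member(obj, rules):
    """The highest-priority matching rule type decides; within that type an
    excluding rule beats an including one. No matching rule means no membership."""
    hits = [r for r in rules if matches(r, obj)]
    for kind in PRIORITY:
        same = [r for r in hits if r.kind == kind]
        if same:
            return all(r.include for r in same)
    return False

# The page's Administrators Business Unit: include the group, exclude one user.
ADMINS_BU = [Rule("group", "Domain Administrators", nested=True),
             Rule("specific", "Security Admin", include=False)]
```

Because Group Members rules are dynamic, adding an account to `GROUPS["Domain Administrators"]` changes the result of `is_member` with no change to the rules, which is why group changes deserve the same review as changes to the Business Unit itself.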