How to exclude OUs from SecureAuth

Applies to:
  • SecureAuth Identity Platform
  • Legacy SecureAuth IdP
Deployment model:
  • Cloud
  • Hybrid
  • On Premises
Version Affected: All


When setting up the Data tab to talk to AD, you can specify the starting OU as the Connection String (the base DN from which SecureAuth searches).

However, if you have several top-level OUs, you will need to connect to the root of the domain instead.

The problem comes when there is a specific OU you want SecureAuth to avoid.

The easiest option is to remove the SecureAuth service account's ability to see that OU.

If your AD already has granular permissions set up, you can simply remove the "Read" permissions for the service account from the OU's ACL.

If you are running the standard AD permissions, where all Authenticated Users have read access, you will need to add a Deny Read permission for the service account on the OU in question. An explicit Deny entry takes precedence over the Allow inherited through Authenticated Users, so the service account can no longer read or enumerate that OU.
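As an added example (not part of the SecureAuth article), the following PowerShell adds the Deny Read entry described above and then verifies it. The OU distinguished name and the service account name are placeholders you would replace with your own values; it assumes the ActiveDirectory module is available on the machine where it runs.

```powershell
# Added example, not from the SecureAuth KB article.
# Placeholders (assumptions): replace with your OU's DN and your service account.
Import-Module ActiveDirectory

$ouDn       = "OU=Restricted,DC=corp,DC=example"   # OU SecureAuth should not see
$svcAccount = "CORP\svc-secureauth"                 # SecureAuth service account

# Build a Deny ACE: GenericRead covers reading the object's properties and
# listing its children, which is what the Data tab needs to enumerate users.
$identity = New-Object System.Security.Principal.NTAccount($svcAccount)
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$aceType  = [System.Security.AccessControl.AccessControlType]::Deny
# "All" applies the deny to the OU itself and to everything underneath it.
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity, $rights, $aceType, $inherit)

# Read the OU's current ACL from the AD: drive, add the entry, write it back.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show the Deny entries that now exist for the service account on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.IdentityReference.Value -eq $svcAccount -and
        $_.AccessControlType -eq 'Deny'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

To confirm the effect from SecureAuth's point of view, run an LDAP search scoped to that OU while authenticated as the service account (for example `Get-ADObject -Filter * -SearchBase $ouDn -Credential (Get-Credential $svcAccount)`); it should return nothing or an access error, while a search from the domain root still returns users in the other OUs. Keep the Deny entry scoped to the single OU and the single service account so it does not affect other principals.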


Special Considerations:

You need to be very careful when applying deny permissions in AD. Consult your internal AD expert before making these changes.



SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
