After upgrading from Active Roles Server 6.x to Active Roles 7.x, some Active Roles Admins may note reduced access or no access at all.
For example, they may be missing the Configuration node in the Active Roles Console, or one or more Active Directory Domains may not be present with no option to re-add them.
During the installation of Active Roles, the installer will prompt for the User or Group which will hold the Active Roles Admin Role.
In Active Roles Server 6.9 and previous versions, the Local Administrators group on the machine hosting Active Roles Server will be designated as Active Roles Admins by default.
In Active Roles 7.0 and later versions, the BUILTIN\Administrators group in the domain hosting Active Roles will be will be designated as Active Roles Admins by default.
Active Roles Admins have unlimited access within the Active Roles Console and Web Interface. Any assigned Access Templates are ignored and are redundant.
Note: If the Defender Active Roles Server Integration Pack is in use, Active Roles Administrators will also be able to modify Defender properties for all Users, including assigning and programming tokens.
For Active Roles 7.0 and later
For versions of Active Roles Server prior to Active Roles Server 6.9 Patch 2
This configuration setting is stored in the registry on the machine hosting Active Roles Server, and is unique for each instance.
If you have more than one ActiveRoles Server instance, you will need to make the changes on each host.
For Active Roles Server 6.9 Patch 2, 3 and 4
The above registry key is respected by default, but there is also a new optional configuration which can be used in environments where Active Roles Administration needs to be very strictly monitored and controlled. When this configuration is leveraged, the value of Active Roles Administrators Group is encrypted and stored in the Active Roles Server configuration database itself, and any value stored in the registry key above is ignored. Only a User who has the Active Roles Administrators Role for that instance may modify the Active Roles Administrators Group once this configuration has been implemented.
This was implemented as Enhancement Request TF00342457.