Assigning Access Template - Prevent "Propagate permissions to Active Directory"

Question

Hi, 
 When linking Access Templates to AD locations (in order to delegate Active Roles permissions to support teams), I'm always a bit worried that someone in my AR admin team (especially the new kids on the block) accidentally enable the option for "Propagate permissions to Active Directory" which appears on the final page of the Delegation Wizard. 
 Is it perhaps possible to make that option inaccessible to everyone, thereby forcing them to stick with AR-only permissions? Can I somehow revoke access to that option? 
 If not, and someone accidentally adds a DENY to the native AD structure - how can we get permissions back? Just by taking ownership + inheriting default permissions down again like you would with a traditional File/Folder structure? Is there a rollback or undo at that level? One of the major reasons for deploying AR was to keep native AD delegations to a minimum; would be unfortunate if we only make things worse by accidentally applying that "Propagate" option without noticing.. 
 
 Thanks; regards, 
 Michiel

JohnnyQuest · Answer

The behaviour is controlled by the VA edsaIsSynchronizedWithAD on each AT link. 
 You could setup a change workflow that watches for this value being set to "1" and then using a "Modify Requested Changes" workflow activity, sets it back to zero.

Assigning Access Template - Prevent "Propagate permissions to Active Directory"

Top Replies