Thank you very much for your reply. The delegation isn’t exactly what I was pointing to in my question. I already delegated some parts of the UMC to a specific user group that has limited access to an organizational unit in LDAP. In my scenario, I’d like to deny logins to the UMC for administrative accounts (e.g. Administrator, Domain Admins) altogether.
I’d like to ensure that an Administrator cannot log in via UMC, similar to PermitRootLogin no in sshd_config, which allows non-priv users to log in via ssh but prohibits root from logging in.
Do you want to disallow any kind of web-interface login or just UMC access? The latter seems to be achievable by my listed suggestions. If no web UI access (e.g. a machine account) is wanted, there is the possibility to use a simple authentication account: 6. User management — Univention Corporate Server - Manual for users and administrators
Last but not least, depending on the use case, you could experiment with different kinds of deactivation, expiration or locks, like user attributes or ppolicy, …
To make sure we don’t have an XY problem here: why do you want to restrict the access in this way?
Hi @jlk,
I’d like to allow logins for users of a specific user group only via the web interface. For all others, especially users in groups like Domain Admins, login via the web interface should be disallowed.