# User and Role Administration

**Last Updated On**: 19 Jan 2026

User administration is the process of managing user accounts within a system or application. In the context of OS Deployer, user administration involves tasks such as creating, modifying, and deleting user accounts. This includes defining user roles, assigning scopes (permissions), and ensuring that users have the appropriate access levels to perform their tasks.

## Users and Roles

User accounts are individual accounts created under a scope that gives them access to endpoints and remote offices. Roles, on the other hand, define a set of permissions that determine what actions a user can perform within the system. Each user is assigned a role, which determines their level of access and authority.

**Role Management**

Some of the most commonly used roles are specified under Pre-defined Roles. However, you also have the flexibility to define roles that best suit your requirements under User-defined Roles and grant appropriate permissions. Here is a brief overview of the Pre-defined and User-defined roles:

### User-defined Role

You can create roles and customize them based on your needs. These customized roles fall under the User-defined category. Follow the steps below to create a new User-defined role:

1. Select the **Admin** tab and navigate to **User Administration**.
2. Select the **Role** tab and click the **Add Role** button.
3. Specify the Role Name and a short description of it.
4. Define module-wise permission levels for the Role in the Select Control Section. This includes options like Full Control, Read, and No Access.
5. Click **Add**.

This completes the process of creating a new role.

> **Note:** A role cannot be deleted if it is associated with even a single user. However, you can modify the permission levels for all User-defined roles.

### Pre-defined Roles

You will find the following roles in the Pre-defined category:

- **Administrator Role**: The Administrator role signifies the Super Admin, who exercises full control over all modules. The operations that are listed under the Admin tab include:
   1. Full control over all modules.
   2. Defining or modifying Scope of Management.
   3. Adding Inactive Users.
   4. Changing mail server settings.
   5. Scheduling vulnerability database updates, and more.
- **Guest Role**: The Guest Role retains Read-Only permission to all modules. A user who is associated with the Guest Role will have the privileges to scan and view various information about different modules, although making changes is strictly prohibited. The Guest Role also has Read-Only permission for viewing MDM inventory details, reports, profiles, and apps of mobile devices.
   1. Read-only access to all modules.
   2. Privileges limited to viewing information without the ability to make changes.
- **OS Deployer**: The OS Deployer role gives the associated user the privilege to capture images of Windows OS and deploy them across network computers.

### How to associate users with roles?

1. Open the Web Console → Navigate to the **Admin** tab → **User Administration**.
2. Click **User** → **Add User**.
3. Select the Authentication type as **Active Directory Authentication** or **Local Authentication**. For Active Directory Authentication, select a domain in Domain Name.

   > **Note:** Active Directory Authentication is available for on-premises environments only.

4. Specify a **User Name**.
5. Specify the **Role** from the drop-down list. This list will contain both Pre-defined and User-defined roles.
6. For Active Directory Authentication, the email address of the user will be fetched from Active Directory, if available. If not, specify the email address manually. For Local Authentication, the email address must be entered manually.
7. If required, enter the **phone number** of the user.
8. Click **Add User**.

## Secure Authentication

The Secure Authentication feature under User Administration ensures additional security of the application by implementing various security measures. This ensures that only users with authorized privileges can perform operations in OS Deployer. There are three sub-features under Secure Authentication:

- **Two-factor authentication**: The user will only be able to log in after entering the username and password, followed by an OTP received via email.
- **User Account Policy**: Refers to the set of rules and requirements that govern user accounts within the system. This policy includes:
   - Actions against invalid login attempts (such as the number of invalid login attempts allowed and lockout duration).
   - Domain settings during login, such as hiding the domain list and setting a default domain for authentication.
   - Actions against account inactivity.
   - Session expiration time for users.
- **Password Policy**: Allows administrators to create rules for users when setting up passwords. This includes:
   - Minimum password length.
   - Minimum number of special characters.
   - Number of last passwords that users can reuse.
   - Enforcing periodic password changes.

## Notifications

The Notification feature allows administrators to get notified when users perform various operations. For the admin to receive notifications, their email addresses should be specified. Notifications are sent when:

- A user resets the password.
- A user account gets locked or disabled due to invalid login attempts.
- A user account gets disabled due to inactivity.
- A disabled account is reactivated by the admin.
- An account is manually disabled by the admin.
- A new user account is created or deleted.

## Related Articles

1. [How to add a domain in OS Deployer](https://www.manageengine.com/products/os-deployer/help/integrating-directory-services/how-to-configure-active-directory.html)
2. [How to create remote offices in OS Deployer](https://www.manageengine.com/products/os-deployer/help/remote-office/creating-remote-office.html)