Difference between revisions of "Active Directory/Special Groups"

From WolfTech
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
The WOLFTECH domain has a number of special groups to apply security policies and provide access to resources.  This document explains the function of these groups and their intended memberships.
+
{{Active_Directory_toc}}The WOLFTECH domain has a number of special groups to apply security policies and provide access to resources.  This document explains the function of these groups and their intended memberships.
  
 
==Top Level Groups==
 
==Top Level Groups==
Line 7: Line 7:
 
<th>Group Name</th>
 
<th>Group Name</th>
 
<th>Description</th>
 
<th>Description</th>
 +
</tr>
 +
<tr>
 +
<td valign=top>WT-<OU>-<NAME></td>
 +
<td>Managed groups.  The groups are defined using the [https://www.wolftech.ncsu.edu/wtmg/ WolfTech Managed Groups Tool].</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
 
<td width=200 valign=top>NCSU-ACS Users</td>
 
<td width=200 valign=top>NCSU-ACS Users</td>
<td>This group is given Read access to the ACS Q Drive on the ACS domain. A GPO (NCSU-ACS Users) is linked at the People OU and is filtered to this group to automatically mount the Q drive.  Only staff who need access to the ACS Q Drive should be members of this group.</td>
+
<td>This group is given Read access to the ACS Q Drive on the ACS domain. A GPO (NCSU-ACS Users) is linked at the People OU and is filtered to this group to automatically mount the Q drive.  Only staff who need access to the ACS Q Drive should be members of this group. '''NOTE''': OU Admins should not move their local "ACS Users" group as this will cause this connection to fail.</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
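Review bot: In the NOTE added to the NCSU-ACS Users row, 'should not move their local "ACS Users" group' does not say which group is meant or what kind of move breaks the connection. Name the group and the action to avoid, so an OU Admin can tell whether a planned reorganization is affected. In the new WT-<OU>-<NAME> row, the description says only that the groups are "defined using" the tool; a sentence on what a managed group is for and who may define one would match the detail given in the other rows.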
Line 19: Line 23:
 
<td valign=top>NCSU-Computers</td>
 
<td valign=top>NCSU-Computers</td>
 
<td>All computers under the NCSU OU are a member of this group.</td>
 
<td>All computers under the NCSU OU are a member of this group.</td>
 +
</tr>
 +
<tr>
 +
<td valign=top>NCSU-Computer Migrators</td>
 +
<td>All .admins which are members of this group have the ability to join a computer to the domain. For those whom you want to have this privilege without granting them full OU Admin status.</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>
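Review bot: The new NCSU-Computer Migrators row grants "the ability to join a computer to the domain" without stating a scope: it does not say where the right applies or who decides membership. Since the row presents the group as a lesser alternative to full OU Admin status, state the scope and the intended members explicitly. The second sentence ("For those whom you want to have this privilege ...") is a fragment and should be folded into the first.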
Line 37: Line 45:
 
<tr>
 
<tr>
 
<td valign=top>NCSU-User Account Managers</td>
 
<td valign=top>NCSU-User Account Managers</td>
<td>Members of this group have Full access to the People OU.  Once user account creation scripting is completed, this group will be retired.</td>
+
<td>Members of this group have Full access to the People OU.</td>
 
</tr>
 
</tr>
 
</table>
 
</table>
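Review bot: Dropping "Once user account creation scripting is completed, this group will be retired." leaves NCSU-User Account Managers described only as having Full access to the People OU, with no intended membership, although the page's opening paragraph says it explains intended memberships. Add a sentence on who should be in this group, in the way the NCSU-ACS Users row does with "Only staff who need access to the ACS Q Drive should be members of this group."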
Line 71: Line 79:
 
<tr>
 
<tr>
 
<td valign=top>ECE-Enable Remote Assistance</td>
 
<td valign=top>ECE-Enable Remote Assistance</td>
<td>A GPO (ECE-Enable Remote Assistance) is linked at the root of the ECE OU and filtered to this group that enables Unsolicited Remote Assistance on all members of this group..</td>
+
<td>A GPO (ECE-Enable Remote Assistance) is linked at the root of the ECE OU and filtered to this group that enables Unsolicited Remote Assistance on all members of this group.</td>
 
</tr>
 
</tr>
 
<tr>
 
<tr>

Latest revision as of 16:07, 28 August 2017

The WOLFTECH domain has a number of special groups to apply security policies and provide access to resources. This document explains the function of these groups and their intended memberships.

Top Level Groups

| Group Name | Description |
| --- | --- |
| WT-<OU>-<NAME> | Managed groups. The groups are defined using the WolfTech Managed Groups Tool. |
| NCSU-ACS Users | This group is given Read access to the ACS Q Drive on the ACS domain. A GPO (NCSU-ACS Users) is linked at the People OU and is filtered to this group to automatically mount the Q drive. Only staff who need access to the ACS Q Drive should be members of this group. NOTE: OU Admins should not move their local "ACS Users" group as this will cause this connection to fail. |
| NCSU-Allow RIS | A GPO (Domain-Allow RIS) is linked to the domain root and filtered to this group to allow members of this group to use RIS to reinstall computers. Members of NCSU-Departmental OU Admins are members of this group. |
| NCSU-Computers | All computers under the NCSU OU are members of this group. |
| NCSU-Computer Migrators | All .admins who are members of this group have the ability to join a computer to the domain. Use this group for those to whom you want to give this privilege without granting them full OU Admin status. |
| NCSU-Departmental OU Admins | All OU admins are members of this group. Members of this group are delegated Read access to all group policy objects. |
| NCSU-Desktops | All desktop computers under the NCSU OU are members of this group. |
| NCSU-Laptops | All laptop computers under the NCSU OU are members of this group. A GPO (Domain-Laptop Policy) is linked at the domain root and filtered to this group to set laptop-specific policies. |
| NCSU-Software Packagers | Members of this group have Full access to the NCSU software packages share (\\wolftech\files\common\ncsu\packages) and Full access to the SW-NCSU and FW-NCSU GPOs. |
| NCSU-User Account Managers | Members of this group have Full access to the People OU. |

ECE Departmental Groups

The following special groups are used in the ECE departmental OU. This is provided as a suggestion to other departments.

| Group Name | Description |
| --- | --- |
| ECE-ACS Users | This group is a member of NCSU-ACS Users, which gives Read access to the ACS Q Drive on the ACS domain. Only staff who need access to the ACS Q Drive should be members of this group. |
| ECE-Allow RIS | This group is a member of NCSU-Allow RIS, which allows members to use RIS to reinstall computers. This group is useful for users who need to be able to use RIS, but are not OU admins. |
| ECE-Computer Admins | This group is a member of the local Administrators group on all computers in the ECE OU. Members of this group have Administrator privileges on all ECE computers, but no special domain privileges. ECE-OU Admins is a member of this group. |
| ECE-Computers | All computers within the ECE OU are members of this group. |
| ECE-Desktops | All desktops within the ECE OU are members of this group. |
| ECE-Enable Remote Assistance | A GPO (ECE-Enable Remote Assistance) is linked at the root of the ECE OU and filtered to this group; it enables Unsolicited Remote Assistance on all members of this group. |
| ECE-Enable Remote Desktop | A GPO (ECE-Enable Remote Desktop) is linked at the root of the ECE OU and filtered to this group; it enables Remote Desktop on all members of this group. |
| ECE-Laptops | All laptops within the ECE OU are members of this group. |
| ECE-OU Admins | This group is delegated Full access to the ECE OU. |
| ECE-Users | All ECE users are members of this group. This includes students who have access to teaching lab computers. |
| ECE-IT.Users | The regular user accounts of IT staff members are members of this group. This group is a member of the local Users group on all ECE computers. This allows IT staff members to log on using regular user credentials. |
| ECE-Remote Assistants | This group is referenced in the ECE-Enable Remote Assistance GPO to authorize users to provide Unsolicited Remote Assistance. |
| ECE-Software Installers | Members of this group have Full access to the ECE software share (\\wolftech\files\ece\software). |
| ECE-Software Packages | Members of this group have Full access to the ECE packages share (\\wolftech\files\ece\packages). |