Difference between revisions of "Active Directory/Documentation/Default OU"

From WolfTech
 
(35 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
The following is created using the script located at https://www.wolftech.ncsu.edu/pgmurphy/phpAD/create_departmental_ou.php.  Please notice the Manual Steps at the end.
 +
 
=Default Setup=
 
=Default Setup=
 
==Organizational Units==
 
==Organizational Units==
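Review bot: The added intro line says the Manual Steps are "at the end", but in this revision ==Manual Steps== closes the Default Setup section and is followed by =Basic Setup=, so a reader who scrolls to the bottom of the page will not find them. Suggest "Please note the Manual Steps at the end of the Default Setup section", and stating whether the script builds the Default Setup layout, the Basic Setup layout, or both.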
Line 7: Line 9:
 
<td><Root OU></td>
 
<td><Root OU></td>
 
<td>The departmental root OU is the top level OU delegated to the department or college.  This OU should be named using the organization's common abbreviation.  For example, the Department of Electrical and Computer Engineering uses the abbreviation, ECE, so its root OU should be named ECE.
 
<td>The departmental root OU is the top level OU delegated to the department or college.  This OU should be named using the organization's common abbreviation.  For example, the Department of Electrical and Computer Engineering uses the abbreviation, ECE, so its root OU should be named ECE.
 
+
<BR>This OU should be placed under the NCSU OU hierarchy corresponding to its place within NCSU's organizational hierarchy.  For example, the Department of Electrical and Computer Engineering is part of the College of Engineering, so the Department of Electrical and Computer Engineering's OU should be created under the College of Engineering's OU.
<BR><BR>This OU should be placed under the NCSU OU hierarchy corresponding to its place within NCSU's organizational hierarchy.  For example, the Department of Electrical and Computer Engineering is part of the College of Engineering, so the Department of Electrical and Computer Engineering's OU should be created under the College of Engineering's OU.</td>
+
<BR>The managedBy property should be set to the primary OU Admin.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
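Review bot: The new sentence "The managedBy property should be set to the primary OU Admin" does not say which object that is; the Manual Steps table added later in this diff records it as "Managed By: <Root OU> --> <unityid>.admin", so the cell should name the <unityid>.admin account explicitly. The Basic Setup copy of this Root OU description is re-added without the managedBy sentence and still uses <BR><BR>, so the two copies of the description now disagree.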
Line 76: Line 78:
 
<tr valign=top>
 
<tr valign=top>
 
<td><Root OU>\Software Packages\<Root OU> Software</td>
 
<td><Root OU>\Software Packages\<Root OU> Software</td>
 +
<td></td>
 +
</tr>
 +
<tr valign=top>
 +
<td><Root OU>\Software Packages\<Parent OU> Software</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
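Review bot: The added row for <Root OU>\Software Packages\<Parent OU> Software has an empty description cell, so the page does not say what belongs in this OU or how it differs from the <Root OU> Software OU listed just above it. Suggest a one-line description stating what the OU holds and which group manages it.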
Line 127: Line 133:
 
<th>Description</th>
 
<th>Description</th>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\<OU Root>-ACS Users</td>
+
<td><Root OU>\<Root OU>-ACS Users</td>
<td></td>
+
<td>Members are given read access to the ACS Q drive.<br>A GPO (NCSU-ACS Users) is linked at the People OU and is filtered to the NCSU-ACS Users group to automatically mount the Q drive. This group is a member of NCSU-ACS Users.  Only staff who need access to the ACS Q Drive should be members of this group.</td>
 +
</tr>
 +
<tr valign=top>
 +
<td><Root OU>\<Root OU>-Allow RIS</td>
 +
<td>Allows members to install computers using Remote Installation Services (RIS)<br>A GPO (Domain-Allow RIS) is linked to the domain root and filtered to the NCSU-Allow RIS group to allow members of this group to use RIS to reinstall computers. This group is a member of NCSU-Allow RIS.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\<OU Root>-Allow RIS</td>
+
<td><Root OU>\<Root OU>-Computer Admins</td>
<td></td>
+
<td>Members of this group have Administrator priveleges on all <Root OU> computers.<br>This group is a member of the local Administrators group on all computers in the <Root OU> OU. Members of this group have Administrator priveleges on all <Root OU> computers, but no special domain priveleges. <Root OU>-OU Admins is a member of this group.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\<OU Root>-Computer Admins</td>
+
<td><Root OU>\<Root OU>-Computer Migrators</td>
<td></td>
+
<td>Members of this group have the ability to join computers to the domain.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\<OU Root>-Computers</td>
+
<td><Root OU>\<Root OU>-Computers</td>
<td></td>
+
<td>This group contains all computers under the <Root OU> OU.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\<OU Root>-Departmental OU Admins</td>
+
<td><Root OU>\<Root OU>-Desktops</td>
<td></td>
+
<td>This group contains all desktop computers under the <Root OU> OU.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\<OU Root>-Desktops</td>
+
<td><Root OU>\<Root OU>-Enable Remote Assistance</td>
<td></td>
+
<td>Enables Unsolicited Remote Assistance on member computers.<br>A GPO (<Root OU>-Enable Remote Assistance) is linked at the <Root OU> OU and filtered to this group that enables Unsolicited Remote Assistance on all members of this group.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\<OU Root>-Enable Remote Assistants</td>
+
<td><Root OU>\<Root OU>-Enable Remote Desktop</td>
<td></td>
+
<td>Enables Remote Desktop on member computers.<br>A GPO (<Root OU>-Enable Remote Desktop) is linked at the <Root OU> OU and filtered to this group that enables Remote Desktop on all members of this group.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\<OU Root>-Enable Remote Desktop</td>
+
<td><Root OU>\<Root OU>-Laptops</td>
<td></td>
+
<td>This group contains all laptop computers under the <Root OU> OU.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\<OU Root>-Laptops</td>
+
<td><Root OU>\<Root OU>-OU Admins</td>
<td></td>
+
<td>This group is delegated Full access to the <Root OU> OU.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\<OU Root>-OU Admins</td>
+
<td><Root OU>\<Root OU>-Remote Assistants</td>
<td></td>
+
<td>Members of this group are permitted to provide Unsolicited Remote Assistance.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\<OU Root>-Users</td>
+
<td><Root OU>\<Root OU>-Users</td>
<td></td>
+
<td>This group contains all users associated with the <Root OU> department.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Faculty\<OU Root>-Faculty</td>
+
<td><Root OU>\Faculty\<Root OU>-Faculty</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Faculty\<OU Root>-Faculty.Computers</td>
+
<td><Root OU>\Faculty\<Root OU>-Faculty.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Faculty\<OU Root>-Faculty.Desktops</td>
+
<td><Root OU>\Faculty\<Root OU>-Faculty.Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Faculty\<OU Root>-Faculty.Laptops</td>
+
<td><Root OU>\Faculty\<Root OU>-Faculty.Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Research Labs\<OU Root>-Research Labs.Computers</td>
+
<td><Root OU>\Research Labs\<Root OU>-Research Labs.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Research Labs\<OU Root>-Research Labs.Desktops</td>
+
<td><Root OU>\Research Labs\<Root OU>-Research Labs.Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Research Labs\<OU Root>-Research Labs.Laptops</td>
+
<td><Root OU>\Research Labs\<Root OU>-Research Labs.Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Research Labs\<OU Root>-Research Labs.Users</td>
+
<td><Root OU>\Research Labs\<Root OU>-Research Labs.Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Research Labs\Sample Rlab\<OU Root>-Sample Rlab.Administrators</td>
+
<td><Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Administrators</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Research Labs\Sample Rlab\<OU Root>-Sample Rlab.Computers</td>
+
<td><Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Research Labs\Sample Rlab\<OU Root>-Sample Rlab.Desktops</td>
+
<td><Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Research Labs\Sample Rlab\<OU Root>-Sample Rlab.Laptops</td>
+
<td><Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Research Labs\Sample Rlab\<OU Root>-Sample Rlab.Users</td>
+
<td><Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Staff\<OU Root>-Staff</td>
+
<td><Root OU>\Staff\<Root OU>-Staff</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Staff\<OU Root>-Staff.Computers</td>
+
<td><Root OU>\Staff\<Root OU>-Staff.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Staff\<OU Root>-Staff.Desktops</td>
+
<td><Root OU>\Staff\<Root OU>-Staff.Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Staff\<OU Root>-Staff.Laptops</td>
+
<td><Root OU>\Staff\<Root OU>-Staff.Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Teaching Labs\<OU Root>-Teaching Labs.Computers</td>
+
<td><Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Teaching Labs\<OU Root>-Teaching Labs.Desktops</td>
+
<td><Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Teaching Labs\<OU Root>-Teaching Labs.Laptops</td>
+
<td><Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Teaching Labs\<OU Root>-Teaching Labs.Users</td>
+
<td><Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Teaching Labs\Sample Tlab\<OU Root>-Sample Tlab.Administrators</td>
+
<td><Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Administrators</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Teaching Labs\Sample Tlab\<OU Root>-Sample Tlab.Computers</td>
+
<td><Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Teaching Labs\Sample Tlab\<OU Root>-Sample Tlab.Desktops</td>
+
<td><Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Teaching Labs\Sample Tlab\<OU Root>-Sample Tlab.Laptops</td>
+
<td><Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>\Teaching Labs\Sample Tlab\<OU Root>-Sample Tlab.Users</td>
+
<td><Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
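Review bot: In the <Root OU>-Computer Admins description, the closing sentence "<Root OU>-OU Admins is a member of this group" is not backed by the Group Memberships rows shown in this diff, which list <unityid>.admin --> <Root OU>-Computer Admins but no <Root OU>-OU Admins --> <Root OU>-Computer Admins row. Because this group sits in the local Administrators group on every computer in the OU, the two tables should agree on who ends up with that access; either add the nesting row or correct the sentence. The same cell also states "Members of this group have Administrator priveleges on all <Root OU> computers" twice and spells "privileges" as "priveleges" three times.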
Line 285: Line 295:
 
<th>Description</th>
 
<th>Description</th>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-ACS Users --> <Parent OU>-ACS Users</td>
+
<td><Root OU>-ACS Users --> <Parent OU>-ACS Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Allow RIS --> <Parent OU-Allow RIS</td>
+
<td><Root OU>-Allow RIS --> <Parent OU>-Allow RIS</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Computer Admins --> <OU Root>-Allow RIS</td>
+
<td><Root OU>-Computer Admins --> <Root OU>-Allow RIS</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Computer Admins --> <OU Root>-Remote Assistants</td>
+
<td><Root OU>-Computer Admins --> <Root OU>-Remote Assistants</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Desktops --> <Parent OU>-Desktops</td>
+
<td><Root OU>-Computer Migrators --> <Parent OU>-Computer Migrators</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Desktops --> <OU Root>-Computers</td>
+
<td><Root OU>-Desktops --> <Parent OU>-Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Laptops --> <Parent OU>-Laptops</td>
+
<td><Root OU>-Desktops --> <Root OU>-Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Laptops --> <OU Root>-Computers</td>
+
<td><Root OU>-Laptops --> <Parent OU>-Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-OU Admins --> <Parent OU>-Departmental OU Admins</td>
+
<td><Root OU>-Laptops --> <Root OU>-Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-OU Admins --> <OU Root>-Allow RIS</td>
+
<td><Root OU>-OU Admins --> <Parent OU>-Departmental OU Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Users --> <Parent OU>-Users</td>
+
<td><Root OU>-OU Admins --> <Root OU>-Allow RIS</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><unityid>.admin --> <OU Root>-Computer Admins</td>
+
<td><Root OU>-Users --> <Parent OU>-Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><unityid>.admin --> <OU Root>-OU Admins</td>
+
<td><unityid>.admin --> <Root OU>-Computer Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Faculty --> <OU Root>-Users</td>
+
<td><unityid>.admin --> <Root OU>-OU Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Faculty.Desktops --> <OU Root>-Desktops</td>
+
<td><Root OU>-Faculty --> <Root OU>-Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Faculty.Desktops --> <OU Root>-Faculty.Computers</td>
+
<td><Root OU>-Faculty.Desktops --> <Root OU>-Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Faculty.Laptops --> <OU Root>-Laptops</td>
+
<td><Root OU>-Faculty.Desktops --> <Root OU>-Faculty.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Faculty.Laptops --> <OU Root>-Faculty.Computers</td>
+
<td><Root OU>-Faculty.Laptops --> <Root OU>-Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Research Labs.Users --> <OU Root>-Users</td>
+
<td><Root OU>-Faculty.Laptops --> <Root OU>-Faculty.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Research Labs.Desktops --> <OU Root>-Desktops</td>
+
<td><Root OU>-Research Labs.Users --> <Root OU>-Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Research Labs.Desktops --> <OU Root>-Research Labs.Computers</td>
+
<td><Root OU>-Research Labs.Desktops --> <Root OU>-Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Research Labs.Laptops --> <OU Root>-Laptops</td>
+
<td><Root OU>-Research Labs.Desktops --> <Root OU>-Research Labs.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Research Labs.Laptops --> <OU Root>-Research Labs.Computers</td>
+
<td><Root OU>-Research Labs.Laptops --> <Root OU>-Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Administrators --> <OU Root>-Sample Rlab.Users</td>
+
<td><Root OU>-Research Labs.Laptops --> <Root OU>-Research Labs.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Desktops --> <OU Root>-Research Labs.Desktops</td>
+
<td><Root OU>-Sample Rlab.Administrators --> <Root OU>-Sample Rlab.Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Desktops --> <OU Root>-Sample Rlab.Computers</td>
+
<td><Root OU>-Sample Rlab.Desktops --> <Root OU>-Research Labs.Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Laptops --> <OU Root>-Research Labs.Laptops</td>
+
<td><Root OU>-Sample Rlab.Desktops --> <Root OU>-Sample Rlab.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Laptops --> <OU Root>-Sample Rlab.Computers</td>
+
<td><Root OU>-Sample Rlab.Laptops --> <Root OU>-Research Labs.Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Users --> <OU Root>-Research Labs.Users</td>
+
<td><Root OU>-Sample Rlab.Laptops --> <Root OU>-Sample Rlab.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Staff --> <OU Root>-Users</td>
+
<td><Root OU>-Sample Rlab.Users --> <Root OU>-Research Labs.Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Staff.Desktops --> <OU Root>-Desktops</td>
+
<td><Root OU>-Staff --> <Root OU>-Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Staff.Desktops --> <OU Root>-Staff.Computers</td>
+
<td><Root OU>-Staff.Desktops --> <Root OU>-Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Staff.Laptops --> <OU Root>-Laptops</td>
+
<td><Root OU>-Staff.Desktops --> <Root OU>-Staff.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Staff.Laptops --> <OU Root>-Staff.Computers</td>
+
<td><Root OU>-Staff.Laptops --> <Root OU>-Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Teaching Labs.Users --> <OU Root>-Users</td>
+
<td><Root OU>-Staff.Laptops --> <Root OU>-Staff.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Teaching Labs.Desktops --> <OU Root>-Desktops</td>
+
<td><Root OU>-Teaching Labs.Users --> <Root OU>-Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Teaching Labs.Desktops --> <OU Root>-Teaching Labs.Computers</td>
+
<td><Root OU>-Teaching Labs.Desktops --> <Root OU>-Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Teaching Labs.Laptops --> <OU Root>-Laptops</td>
+
<td><Root OU>-Teaching Labs.Desktops --> <Root OU>-Teaching Labs.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Teaching Labs.Laptops --> <OU Root>-Teaching Labs.Computers</td>
+
<td><Root OU>-Teaching Labs.Laptops --> <Root OU>-Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Tlab.Administrators --> <OU Root>-Sample Tlab.Users</td>
+
<td><Root OU>-Teaching Labs.Laptops --> <Root OU>-Teaching Labs.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Tlab.Desktops --> <OU Root>-Teaching Labs.Desktops</td>
+
<td><Root OU>-Sample Tlab.Administrators --> <Root OU>-Sample Tlab.Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Tlab.Desktops --> <OU Root>-Sample Tlab.Computers</td>
+
<td><Root OU>-Sample Tlab.Desktops --> <Root OU>-Teaching Labs.Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Tlab.Laptops --> <OU Root>-Teaching Labs.Laptops</td>
+
<td><Root OU>-Sample Tlab.Desktops --> <Root OU>-Sample Tlab.Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Tlab.Laptops --> <OU Root>-Sample Tlab.Computers</td>
+
<td><Root OU>-Sample Tlab.Laptops --> <Root OU>-Teaching Labs.Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Tlab.Users --> <OU Root>-Teaching Labs.Users</td>
+
<td><Root OU>-Sample Tlab.Laptops --> <Root OU>-Sample Tlab.Computers</td>
 +
<td></td>
 +
</tr>
 +
<tr valign=top>
 +
<td><Root OU>-Sample Tlab.Users --> <Root OU>-Teaching Labs.Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
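Review bot: The new row <Root OU>-Computer Migrators --> <Parent OU>-Computer Migrators nests a group whose members, per the Groups table, "have the ability to join computers to the domain", yet its description cell is empty, like every other row in this table. Suggest filling in the description to say where the join right is granted and whether it is scoped to the <Root OU> OU, and adding a line above the table stating that "A --> B" means A is a member of B, because the Manual Steps table reuses the same arrow for Delegate, Link and Filter.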
Line 484: Line 498:
 
</table>
 
</table>
  
==Delegation==
+
==Manual Steps==
 
<table>
 
<table>
<th width=350>Delegation</th>
+
<th width=525>Step</th>
 
<th>Description</th>
 
<th>Description</th>
 
<tr valign=top>
 
<tr valign=top>
<td><Root OU> --> <Root OU>-OU Admins</td>
+
<td>Delegate: <Root OU> --> <Root OU>-OU Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
</table>
+
<tr>
 
+
<td>Managed By: <Root OU> --> <unityid>.admin</td>
==Other==
 
<table>
 
<th width=150></th>
 
<th>Description</th>
 
<tr valign=top>
 
 
<td></td>
 
<td></td>
<td></td>
 
</tr>
 
</table>
 
 
=Basic Setup=
 
==Organizational Units==
 
<table>
 
<th width=350>OU</th>
 
<th>Description</th>
 
<tr valign=top>
 
<td><Root OU></td>
 
<td>The departmental root OU is the top level OU delegated to the department or college.  This OU should be named using the organization's common abbreviation.  For example, the Department of Electrical and Computer Engineering uses the abbreviation, ECE, so its root OU should be named ECE.
 
 
<BR><BR>This OU should be placed under the NCSU OU hierarchy corresponding to its place within NCSU's organizational hierarchy.  For example, the Department of Electrical and Computer Engineering is part of the College of Engineering, so the Department of Electrical and Computer Engineering's OU should be created under the College of Engineering's OU.</td>
 
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><Root OU>\Departmental Users</td>
+
<td>Add in additonal OU admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><Root OU>\Departmental Users\OU Admins</td>
+
<td>Copy: <Root OU>-OU Policy</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><Root OU>\Software Packages</td>
+
<td>Copy: <Root OU>-Enable Remote Assistance</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><Root OU>\Software Packages\Freeware</td>
+
<td>Copy: <Root OU>-Enable Remote Desktop</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><Root OU>\Software Packages\NCSU Software</td>
+
<td>Link: <Root OU>-OU Policy --> <Root OU></td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><Root OU>\Software Packages\<Root OU> Software</td>
+
<td>Link: <Root OU>-Enable Remote Assistance --> <Root OU></td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
</table>
+
<tr>
 
+
<td>Link: <Root OU>-Enable Remote Desktop --> <Root OU></td>
==Users==
 
<table>
 
<th width=375>User</th>
 
<th>Description</th>
 
<tr valign=top>
 
<td><Root OU>\Departmental Users\OU Admins\<unityid>.admin</td>
 
<td>Create an Administrator account for each desired IT staff member in the department.  The account should be created in the <Root OU>\Departmental Users\OU Admins OU.  These accounts will be given Administrator priveleges in the departmental OU and local administrator on all computers in the departmental OU.</td>
 
</tr>
 
</table>
 
 
 
==Groups==
 
<table>
 
<th width=475>Group</th>
 
<th>Description</th>
 
<tr valign=top>
 
<td><OU Root>\<OU Root>-ACS Users</td>
 
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>\<OU Root>-Allow RIS</td>
+
<td>Filter: <Root OU>-Enable Remote Assistance --> <Root OU>-Enable Remote Assistance</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>\<OU Root>-Computer Admins</td>
+
<td>Filter: <Root OU>-Enable Remote Desktop --> <Root OU>-Enable Remote Desktop</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>\<OU Root>-Computers</td>
+
<td>Delegate: <Root OU>-OU Policy --> <Root OU>-OU Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>\<OU Root>-Desktops</td>
+
<td>Delegate: <Root OU>-Enable Remote Assistance --> <Root OU>-OU Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>\<OU Root>-Laptops</td>
+
<td>Delegate: <Root OU>-Enable Remote Desktop --> <Root OU>-OU Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>\<OU Root>-OU Admins</td>
+
<td>Edit GPO: <Root OU>-OU Policy</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>\<OU Root>-Users</td>
+
<td>Edit GPO: <Root OU>-Enable Remote Assistance</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
</table>
+
<tr>
 
+
<td>Configure software group replication</td>
==Group Memberships==
 
<table>
 
<th width=475>Group Membership</th>
 
<th>Description</th>
 
<tr valign=top>
 
<td><OU Root>-ACS Users --> <Parent OU>-ACS Users</td>
 
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>-Allow RIS --> <Parent OU-Allow RIS</td>
+
<td>Add OU admins to departmental_ou_admins table.</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>-Computer Admins --> <OU Root>-Allow RIS</td>
+
<td>Add OU to departmental_ous table.</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>-Computer Admins --> <OU Root>-Remote Assistants</td>
+
<td>Setup user account creation.</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>-Desktops --> <Parent OU>-Desktops</td>
+
<td>Authorize DNS domain name in msDS-AllowedDNSSuffixes.</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 +
</table>
 +
 +
=Basic Setup=
 +
==Organizational Units==
 +
<table>
 +
<th width=350>OU</th>
 +
<th>Description</th>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Desktops --> <OU Root>-Computers</td>
+
<td><Root OU></td>
<td></td>
+
<td>The departmental root OU is the top level OU delegated to the department or college.  This OU should be named using the organization's common abbreviation.  For example, the Department of Electrical and Computer Engineering uses the abbreviation, ECE, so its root OU should be named ECE.
 +
 
 +
<BR><BR>This OU should be placed under the NCSU OU hierarchy corresponding to its place within NCSU's organizational hierarchy.  For example, the Department of Electrical and Computer Engineering is part of the College of Engineering, so the Department of Electrical and Computer Engineering's OU should be created under the College of Engineering's OU.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Laptops --> <Parent OU>-Laptops</td>
+
<td><Root OU>\Departmental Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Laptops --> <OU Root>-Computers</td>
+
<td><Root OU>\Departmental Users\OU Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-OU Admins --> <Parent OU>-Departmental OU Admins</td>
+
<td><Root OU>\Software Packages</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-OU Admins --> <OU Root>-Allow RIS</td>
+
<td><Root OU>\Software Packages\Freeware</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Users --> <Parent OU>-Users</td>
+
<td><Root OU>\Software Packages\NCSU Software</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><unityid>.admin --> <OU Root>-Computer Admins</td>
+
<td><Root OU>\Software Packages\<Root OU> Software</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><unityid>.admin --> <OU Root>-OU Admins</td>
+
<td><Root OU>\Software Packages\<Parent OU> Software</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 +
</table>
 +
 +
==Users==
 +
<table>
 +
<th width=375>User</th>
 +
<th>Description</th>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Faculty --> <OU Root>-Users</td>
+
<td><Root OU>\Departmental Users\OU Admins\<unityid>.admin</td>
<td></td>
+
<td>Create an Administrator account for each desired IT staff member in the department.  The account should be created in the <Root OU>\Departmental Users\OU Admins OU.  These accounts will be given Administrator priveleges in the departmental OU and local administrator on all computers in the departmental OU.</td>
 
</tr>
 
</tr>
 +
</table>
 +
 +
==Groups==
 +
<table>
 +
<th width=475>Group</th>
 +
<th>Description</th>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Faculty.Desktops --> <OU Root>-Desktops</td>
+
<td><Root OU>\<Root OU>-ACS Users</td>
<td></td>
+
<td>Members are given read access to the ACS Q drive.<br>A GPO (NCSU-ACS Users) is linked at the People OU and is filtered to the NCSU-ACS Users group to automatically mount the Q drive. This group is a member of NCSU-ACS Users.  Only staff who need access to the ACS Q Drive should be members of this group.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Faculty.Desktops --> <OU Root>-Faculty.Computers</td>
+
<td><Root OU>\<Root OU>-Allow RIS</td>
<td></td>
+
<td>Allows members to install computers using Remote Installation Services (RIS)<br>A GPO (Domain-Allow RIS) is linked to the domain root and filtered to the NCSU-Allow RIS group to allow members of this group to use RIS to reinstall computers. This group is a member of NCSU-Allow RIS.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Faculty.Laptops --> <OU Root>-Laptops</td>
+
<td><Root OU>\<Root OU>-Computer Admins</td>
<td></td>
+
<td>Members of this group have Administrator priveleges on all <Root OU> computers.<br>This group is a member of the local Administrators group on all computers in the <Root OU> OU. Members of this group have Administrator priveleges on all <Root OU> computers, but no special domain priveleges. <Root OU>-OU Admins is a member of this group.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Faculty.Laptops --> <OU Root>-Faculty.Computers</td>
+
<td><Root OU>\<Root OU>-Computer Migrators</td>
<td></td>
+
<td>Members of this group have the ability to join computers to the domain.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Research Labs.Users --> <OU Root>-Users</td>
+
<td><Root OU>\<Root OU>-Computers</td>
<td></td>
+
<td>This group contains all computers under the <Root OU> OU.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Research Labs.Desktops --> <OU Root>-Desktops</td>
+
<td><Root OU>\<Root OU>-Desktops</td>
<td></td>
+
<td>This group contains all desktop computers under the <Root OU> OU.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Research Labs.Desktops --> <OU Root>-Research Labs.Computers</td>
+
<td><Root OU>\<Root OU>-Laptops</td>
<td></td>
+
<td>This group contains all laptop computers under the <Root OU> OU.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Research Labs.Laptops --> <OU Root>-Laptops</td>
+
<td><Root OU>\<Root OU>-OU Admins</td>
<td></td>
+
<td>This group is delegated Full access to the <Root OU> OU.</td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Research Labs.Laptops --> <OU Root>-Research Labs.Computers</td>
+
<td><Root OU>\<Root OU>-Users</td>
<td></td>
+
<td>This group contains all users associated with the <Root OU> department.</td>
 
</tr>
 
</tr>
 +
</table>
 +
 +
==Group Memberships==
 +
<table>
 +
<th width=475>Group Membership</th>
 +
<th>Description</th>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Administrators --> <OU Root>-Sample Rlab.Users</td>
+
<td><Root OU>-ACS Users --> <Parent OU>-ACS Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Desktops --> <OU Root>-Research Labs.Desktops</td>
+
<td><Root OU>-Allow RIS --> <Parent OU>-Allow RIS</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Desktops --> <OU Root>-Sample Rlab.Computers</td>
+
<td><Root OU>-Computer Admins --> <Root OU>-Allow RIS</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Laptops --> <OU Root>-Research Labs.Laptops</td>
+
<td><Root OU>-Computer Migrators --> <Parent OU>-Computer Migrators</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Laptops --> <OU Root>-Sample Rlab.Computers</td>
+
<td><Root OU>-Desktops --> <Parent OU>-Desktops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Sample Rlab.Users --> <OU Root>-Research Labs.Users</td>
+
<td><Root OU>-Desktops --> <Root OU>-Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Staff --> <OU Root>-Users</td>
+
<td><Root OU>-Laptops --> <Parent OU>-Laptops</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Staff.Desktops --> <OU Root>-Desktops</td>
+
<td><Root OU>-Laptops --> <Root OU>-Computers</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Staff.Desktops --> <OU Root>-Staff.Computers</td>
+
<td><Root OU>-OU Admins --> <Parent OU>-Departmental OU Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Staff.Laptops --> <OU Root>-Laptops</td>
+
<td><Root OU>-OU Admins --> <Root OU>-Allow RIS</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Staff.Laptops --> <OU Root>-Staff.Computers</td>
+
<td><Root OU>-Users --> <Parent OU>-Users</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Teaching Labs.Users --> <OU Root>-Users</td>
+
<td><unityid>.admin --> <Root OU>-Computer Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Teaching Labs.Desktops --> <OU Root>-Desktops</td>
+
<td><unityid>.admin --> <Root OU>-OU Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 +
</table>
 +
 +
==Group Policies==
 +
<table>
 +
<th width=250>Group Policy</th>
 +
<th>Description</th>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Teaching Labs.Desktops --> <OU Root>-Teaching Labs.Computers</td>
+
<td><Root OU>-OU Policy</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 +
</table>
 +
 +
==Manual Steps==
 +
<table>
 +
<th width=350>Step</th>
 +
<th>Description</th>
 
<tr valign=top>
 
<tr valign=top>
<td><OU Root>-Teaching Labs.Laptops --> <OU Root>-Laptops</td>
+
<td>Delegate: <Root OU> --> <Root OU>-OU Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>-Teaching Labs.Laptops --> <OU Root>-Teaching Labs.Computers</td>
+
<td>Managed By: <Root OU> --> <unityid>.admin</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>-Sample Tlab.Administrators --> <OU Root>-Sample Tlab.Users</td>
+
<td>Add in additonal OU admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>-Sample Tlab.Desktops --> <OU Root>-Teaching Labs.Desktops</td>
+
<td>Copy: <Root OU>-OU Policy</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>-Sample Tlab.Desktops --> <OU Root>-Sample Tlab.Computers</td>
+
<td>Link: <Root OU>-OU Policy --> <Root OU></td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>-Sample Tlab.Laptops --> <OU Root>-Teaching Labs.Laptops</td>
+
<td>Delegate: <Root OU>-OU Policy --> <Root OU>-OU Admins</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>-Sample Tlab.Laptops --> <OU Root>-Sample Tlab.Computers</td>
+
<td>Edit GPO: <Root OU>-OU Policy</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><OU Root>-Sample Tlab.Users --> <OU Root>-Teaching Labs.Users</td>
+
<td>Configure software group replication</td>
<td></td>
 
</tr>
 
</table>
 
 
 
==Group Policies==
 
<table>
 
<th width=250>Group Policy</th>
 
<th>Description</th>
 
<tr valign=top>
 
<td><Root OU>-OU Policy</td>
 
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><Root OU>-Enable Remote Assistance</td>
+
<td>Add OU admins to departmental_ou_admins table.</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
<tr valign=top>
+
<tr>
<td><Root OU>-Enable Remote Desktop</td>
+
<td>Add OU to departmental_ous table.</td>
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
</table>
+
<tr>
 
+
<td>Setup user account creation.</td>
==Delegation==
 
<table>
 
<th width=350>Delegation</th>
 
<th>Description</th>
 
<tr valign=top>
 
<td><Root OU> --> <Root OU>-OU Admins</td>
 
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
</table>
+
<tr>
 
+
<td>Authorize DNS domain name in msDS-AllowedDNSSuffixes.</td>
==Other==
 
<table>
 
<th width=150></th>
 
<th>Description</th>
 
<tr valign=top>
 
<td></td>
 
 
<td></td>
 
<td></td>
 
</tr>
 
</tr>
 
</table>
 
</table>
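Review bot: the added Computer Admins description says "<Root OU>-OU Admins is a member of this group", but the Group Memberships table added in the same revision has no "<Root OU>-OU Admins --> <Root OU>-Computer Admins" row; it only makes <unityid>.admin a direct member of both groups. Either add the row or drop the sentence, so the page states a single nesting to audit against. The added "Delegate:" rows in Manual Steps also leave the Description cell empty, so the only statement of what is granted is "delegated Full access" in the Groups table; a short description of the delegated rights would help. Smaller points: the added Manual Steps rows open with a bare <tr> where the rest of the page uses <tr valign=top>, and "priveleges" and "additonal" are misspelled in added lines.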

Latest revision as of 16:09, 11 June 2008

The following is created using the script located at https://www.wolftech.ncsu.edu/pgmurphy/phpAD/create_departmental_ou.php. Please notice the Manual Steps at the end.

Default Setup

Organizational Units

OU Description
<Root OU> The departmental root OU is the top level OU delegated to the department or college. This OU should be named using the organization's common abbreviation. For example, the Department of Electrical and Computer Engineering uses the abbreviation, ECE, so its root OU should be named ECE.


This OU should be placed under the NCSU OU hierarchy corresponding to its place within NCSU's organizational hierarchy. For example, the Department of Electrical and Computer Engineering is part of the College of Engineering, so the Department of Electrical and Computer Engineering's OU should be created under the College of Engineering's OU.


The managedBy property should be set to the primary OU Admin.
<Root OU>\Departmental Users
<Root OU>\Departmental Users\Class Accounts
<Root OU>\Departmental Users\OU Admins
<Root OU>\Departmental Users\Other Users
<Root OU>\Departmental Users\Service Accounts
<Root OU>\Faculty
<Root OU>\Faculty\Desktops
<Root OU>\Faculty\Laptops
<Root OU>\Research Labs
<Root OU>\Research Labs\Sample RLab
<Root OU>\Research Labs\Sample RLab\Desktops
<Root OU>\Research Labs\Sample RLab\Laptops
<Root OU>\Servers
<Root OU>\Software Packages
<Root OU>\Software Packages\Freeware
<Root OU>\Software Packages\NCSU Software
<Root OU>\Software Packages\<Root OU> Software
<Root OU>\Software Packages\<Parent OU> Software
<Root OU>\Staff
<Root OU>\Staff\Desktops
<Root OU>\Staff\Laptops
<Root OU>\Teaching Labs
<Root OU>\Teaching Labs\Sample Tlab
<Root OU>\Teaching Labs\Sample Tlab\Desktops
<Root OU>\Teaching Labs\Sample Tlab\Laptops
<Root OU>\Unassigned

Users

User Description
<Root OU>\Departmental Users\OU Admins\<unityid>.admin Create an Administrator account for each desired IT staff member in the department. The account should be created in the <Root OU>\Departmental Users\OU Admins OU. These accounts will be given Administrator privileges in the departmental OU and local administrator rights on all computers in the departmental OU.

Groups

Group Description
<Root OU>\<Root OU>-ACS Users Members are given read access to the ACS Q drive.
A GPO (NCSU-ACS Users) is linked at the People OU and is filtered to the NCSU-ACS Users group to automatically mount the Q drive. This group is a member of NCSU-ACS Users. Only staff who need access to the ACS Q Drive should be members of this group.
<Root OU>\<Root OU>-Allow RIS Allows members to install computers using Remote Installation Services (RIS).
A GPO (Domain-Allow RIS) is linked to the domain root and filtered to the NCSU-Allow RIS group to allow members of this group to use RIS to reinstall computers. This group is a member of NCSU-Allow RIS.
<Root OU>\<Root OU>-Computer Admins Members of this group have Administrator privileges on all <Root OU> computers.
This group is a member of the local Administrators group on all computers in the <Root OU> OU. Members of this group have Administrator privileges on all <Root OU> computers, but no special domain privileges. <Root OU>-OU Admins is a member of this group.
<Root OU>\<Root OU>-Computer Migrators Members of this group have the ability to join computers to the domain.
<Root OU>\<Root OU>-Computers This group contains all computers under the <Root OU> OU.
<Root OU>\<Root OU>-Desktops This group contains all desktop computers under the <Root OU> OU.
<Root OU>\<Root OU>-Enable Remote Assistance Enables Unsolicited Remote Assistance on member computers.
A GPO (<Root OU>-Enable Remote Assistance) is linked at the <Root OU> OU and filtered to this group that enables Unsolicited Remote Assistance on all members of this group.
<Root OU>\<Root OU>-Enable Remote Desktop Enables Remote Desktop on member computers.
A GPO (<Root OU>-Enable Remote Desktop) is linked at the <Root OU> OU and filtered to this group that enables Remote Desktop on all members of this group.
<Root OU>\<Root OU>-Laptops This group contains all laptop computers under the <Root OU> OU.
<Root OU>\<Root OU>-OU Admins This group is delegated Full access to the <Root OU> OU.
<Root OU>\<Root OU>-Remote Assistants Members of this group are permitted to provide Unsolicited Remote Assistance.
<Root OU>\<Root OU>-Users This group contains all users associated with the <Root OU> department.
<Root OU>\Faculty\<Root OU>-Faculty
<Root OU>\Faculty\<Root OU>-Faculty.Computers
<Root OU>\Faculty\<Root OU>-Faculty.Desktops
<Root OU>\Faculty\<Root OU>-Faculty.Laptops
<Root OU>\Research Labs\<Root OU>-Research Labs.Computers
<Root OU>\Research Labs\<Root OU>-Research Labs.Desktops
<Root OU>\Research Labs\<Root OU>-Research Labs.Laptops
<Root OU>\Research Labs\<Root OU>-Research Labs.Users
<Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Administrators
<Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Computers
<Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Desktops
<Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Laptops
<Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Users
<Root OU>\Staff\<Root OU>-Staff
<Root OU>\Staff\<Root OU>-Staff.Computers
<Root OU>\Staff\<Root OU>-Staff.Desktops
<Root OU>\Staff\<Root OU>-Staff.Laptops
<Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Computers
<Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Desktops
<Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Laptops
<Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Users
<Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Administrators
<Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Computers
<Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Desktops
<Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Laptops
<Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Users

Group Memberships

Group Membership Description
<Root OU>-ACS Users --> <Parent OU>-ACS Users
<Root OU>-Allow RIS --> <Parent OU>-Allow RIS
<Root OU>-Computer Admins --> <Root OU>-Allow RIS
<Root OU>-Computer Admins --> <Root OU>-Remote Assistants
<Root OU>-Computer Migrators --> <Parent OU>-Computer Migrators
<Root OU>-Desktops --> <Parent OU>-Desktops
<Root OU>-Desktops --> <Root OU>-Computers
<Root OU>-Laptops --> <Parent OU>-Laptops
<Root OU>-Laptops --> <Root OU>-Computers
<Root OU>-OU Admins --> <Parent OU>-Departmental OU Admins
<Root OU>-OU Admins --> <Root OU>-Allow RIS
<Root OU>-Users --> <Parent OU>-Users
<unityid>.admin --> <Root OU>-Computer Admins
<unityid>.admin --> <Root OU>-OU Admins
<Root OU>-Faculty --> <Root OU>-Users
<Root OU>-Faculty.Desktops --> <Root OU>-Desktops
<Root OU>-Faculty.Desktops --> <Root OU>-Faculty.Computers
<Root OU>-Faculty.Laptops --> <Root OU>-Laptops
<Root OU>-Faculty.Laptops --> <Root OU>-Faculty.Computers
<Root OU>-Research Labs.Users --> <Root OU>-Users
<Root OU>-Research Labs.Desktops --> <Root OU>-Desktops
<Root OU>-Research Labs.Desktops --> <Root OU>-Research Labs.Computers
<Root OU>-Research Labs.Laptops --> <Root OU>-Laptops
<Root OU>-Research Labs.Laptops --> <Root OU>-Research Labs.Computers
<Root OU>-Sample Rlab.Administrators --> <Root OU>-Sample Rlab.Users
<Root OU>-Sample Rlab.Desktops --> <Root OU>-Research Labs.Desktops
<Root OU>-Sample Rlab.Desktops --> <Root OU>-Sample Rlab.Computers
<Root OU>-Sample Rlab.Laptops --> <Root OU>-Research Labs.Laptops
<Root OU>-Sample Rlab.Laptops --> <Root OU>-Sample Rlab.Computers
<Root OU>-Sample Rlab.Users --> <Root OU>-Research Labs.Users
<Root OU>-Staff --> <Root OU>-Users
<Root OU>-Staff.Desktops --> <Root OU>-Desktops
<Root OU>-Staff.Desktops --> <Root OU>-Staff.Computers
<Root OU>-Staff.Laptops --> <Root OU>-Laptops
<Root OU>-Staff.Laptops --> <Root OU>-Staff.Computers
<Root OU>-Teaching Labs.Users --> <Root OU>-Users
<Root OU>-Teaching Labs.Desktops --> <Root OU>-Desktops
<Root OU>-Teaching Labs.Desktops --> <Root OU>-Teaching Labs.Computers
<Root OU>-Teaching Labs.Laptops --> <Root OU>-Laptops
<Root OU>-Teaching Labs.Laptops --> <Root OU>-Teaching Labs.Computers
<Root OU>-Sample Tlab.Administrators --> <Root OU>-Sample Tlab.Users
<Root OU>-Sample Tlab.Desktops --> <Root OU>-Teaching Labs.Desktops
<Root OU>-Sample Tlab.Desktops --> <Root OU>-Sample Tlab.Computers
<Root OU>-Sample Tlab.Laptops --> <Root OU>-Teaching Labs.Laptops
<Root OU>-Sample Tlab.Laptops --> <Root OU>-Sample Tlab.Computers
<Root OU>-Sample Tlab.Users --> <Root OU>-Teaching Labs.Users

Group Policies

Group Policy Description
<Root OU>-OU Policy
<Root OU>-Enable Remote Assistance
<Root OU>-Enable Remote Desktop

Manual Steps

Step Description
Delegate: <Root OU> --> <Root OU>-OU Admins
Managed By: <Root OU> --> <unityid>.admin
Add in additional OU admins
Copy: <Root OU>-OU Policy
Copy: <Root OU>-Enable Remote Assistance
Copy: <Root OU>-Enable Remote Desktop
Link: <Root OU>-OU Policy --> <Root OU>
Link: <Root OU>-Enable Remote Assistance --> <Root OU>
Link: <Root OU>-Enable Remote Desktop --> <Root OU>
Filter: <Root OU>-Enable Remote Assistance --> <Root OU>-Enable Remote Assistance
Filter: <Root OU>-Enable Remote Desktop --> <Root OU>-Enable Remote Desktop
Delegate: <Root OU>-OU Policy --> <Root OU>-OU Admins
Delegate: <Root OU>-Enable Remote Assistance --> <Root OU>-OU Admins
Delegate: <Root OU>-Enable Remote Desktop --> <Root OU>-OU Admins
Edit GPO: <Root OU>-OU Policy
Edit GPO: <Root OU>-Enable Remote Assistance
Configure software group replication
Add OU admins to departmental_ou_admins table.
Add OU to departmental_ous table.
Set up user account creation.
Authorize DNS domain name in msDS-AllowedDNSSuffixes.

Basic Setup

Organizational Units

OU Description
<Root OU> The departmental root OU is the top level OU delegated to the department or college. This OU should be named using the organization's common abbreviation. For example, the Department of Electrical and Computer Engineering uses the abbreviation, ECE, so its root OU should be named ECE.

This OU should be placed under the NCSU OU hierarchy corresponding to its place within NCSU's organizational hierarchy. For example, the Department of Electrical and Computer Engineering is part of the College of Engineering, so the Department of Electrical and Computer Engineering's OU should be created under the College of Engineering's OU.
<Root OU>\Departmental Users
<Root OU>\Departmental Users\OU Admins
<Root OU>\Software Packages
<Root OU>\Software Packages\Freeware
<Root OU>\Software Packages\NCSU Software
<Root OU>\Software Packages\<Root OU> Software
<Root OU>\Software Packages\<Parent OU> Software

Users

User Description
<Root OU>\Departmental Users\OU Admins\<unityid>.admin Create an Administrator account for each desired IT staff member in the department. The account should be created in the <Root OU>\Departmental Users\OU Admins OU. These accounts will be given Administrator privileges in the departmental OU and local administrator rights on all computers in the departmental OU.

Groups

Group Description
<Root OU>\<Root OU>-ACS Users Members are given read access to the ACS Q drive.
A GPO (NCSU-ACS Users) is linked at the People OU and is filtered to the NCSU-ACS Users group to automatically mount the Q drive. This group is a member of NCSU-ACS Users. Only staff who need access to the ACS Q Drive should be members of this group.
<Root OU>\<Root OU>-Allow RIS Allows members to install computers using Remote Installation Services (RIS).
A GPO (Domain-Allow RIS) is linked to the domain root and filtered to the NCSU-Allow RIS group to allow members of this group to use RIS to reinstall computers. This group is a member of NCSU-Allow RIS.
<Root OU>\<Root OU>-Computer Admins Members of this group have Administrator privileges on all <Root OU> computers.
This group is a member of the local Administrators group on all computers in the <Root OU> OU. Members of this group have Administrator privileges on all <Root OU> computers, but no special domain privileges. <Root OU>-OU Admins is a member of this group.
<Root OU>\<Root OU>-Computer Migrators Members of this group have the ability to join computers to the domain.
<Root OU>\<Root OU>-Computers This group contains all computers under the <Root OU> OU.
<Root OU>\<Root OU>-Desktops This group contains all desktop computers under the <Root OU> OU.
<Root OU>\<Root OU>-Laptops This group contains all laptop computers under the <Root OU> OU.
<Root OU>\<Root OU>-OU Admins This group is delegated Full access to the <Root OU> OU.
<Root OU>\<Root OU>-Users This group contains all users associated with the <Root OU> department.

Group Memberships

Group Membership Description
<Root OU>-ACS Users --> <Parent OU>-ACS Users
<Root OU>-Allow RIS --> <Parent OU>-Allow RIS
<Root OU>-Computer Admins --> <Root OU>-Allow RIS
<Root OU>-Computer Migrators --> <Parent OU>-Computer Migrators
<Root OU>-Desktops --> <Parent OU>-Desktops
<Root OU>-Desktops --> <Root OU>-Computers
<Root OU>-Laptops --> <Parent OU>-Laptops
<Root OU>-Laptops --> <Root OU>-Computers
<Root OU>-OU Admins --> <Parent OU>-Departmental OU Admins
<Root OU>-OU Admins --> <Root OU>-Allow RIS
<Root OU>-Users --> <Parent OU>-Users
<unityid>.admin --> <Root OU>-Computer Admins
<unityid>.admin --> <Root OU>-OU Admins
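
The nesting in the Group Memberships tables can be checked mechanically. The following is an added example, not part of the original page or of the create_departmental_ou.php script: it expands the Basic Setup rows for one department, computes the groups an account reaches through nesting, and diffs the expected rows against an exported membership list. The names ECE, COE and jdoe.admin and the OBSERVED export are constructed for illustration; the longer Default Setup table can be audited the same way by extending TEMPLATE.

```python
"""Audit AD group nesting against the Basic Setup "Group Memberships" table."""

# "member --> group" rows copied from the table; {root}, {parent} and {admin}
# stand for the page's <Root OU>, <Parent OU> and <unityid>.admin placeholders.
TEMPLATE = """
{root}-ACS Users --> {parent}-ACS Users
{root}-Allow RIS --> {parent}-Allow RIS
{root}-Computer Admins --> {root}-Allow RIS
{root}-Computer Migrators --> {parent}-Computer Migrators
{root}-Desktops --> {parent}-Desktops
{root}-Desktops --> {root}-Computers
{root}-Laptops --> {parent}-Laptops
{root}-Laptops --> {root}-Computers
{root}-OU Admins --> {parent}-Departmental OU Admins
{root}-OU Admins --> {root}-Allow RIS
{root}-Users --> {parent}-Users
{admin} --> {root}-Computer Admins
{admin} --> {root}-OU Admins
"""


def parse_edges(text):
    """Return a set of (member, group) pairs from 'member --> group' lines."""
    edges = set()
    for line in text.strip().splitlines():
        member, sep, group = line.partition(" --> ")
        if not sep:
            raise ValueError(f"not a membership row: {line!r}")
        edges.add((member.strip(), group.strip()))
    return edges


def expected_edges(root, parent, admins):
    """Expand the template once per admin account; shared rows de-duplicate."""
    edges = set()
    for admin in admins:
        edges |= parse_edges(TEMPLATE.format(root=root, parent=parent, admin=admin))
    return edges


def effective_groups(principal, edges):
    """Every group the principal belongs to directly or via nesting (cycle-safe)."""
    seen, stack = set(), [principal]
    while stack:
        node = stack.pop()
        for member, group in edges:
            if member == node and group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def audit(expected, observed):
    """Rows the directory lacks, and rows present that the table does not list."""
    return {"missing": sorted(expected - observed),
            "unexpected": sorted(observed - expected)}


# Constructed sample export (not real directory data). One documented row is
# absent and two rows are extra. The first extra row is the nesting the Groups
# table describes in prose but the membership table does not list.
EXPECTED = expected_edges("ECE", "COE", ["jdoe.admin"])
OBSERVED = (EXPECTED - {("ECE-Laptops", "COE-Laptops")}) | {
    ("ECE-OU Admins", "ECE-Computer Admins"),
    ("ECE-Users", "ECE-OU Admins"),
}

if __name__ == "__main__":
    print(sorted(effective_groups("jdoe.admin", EXPECTED)))
    print(audit(EXPECTED, OBSERVED))
```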

Group Policies

Group Policy Description
<Root OU>-OU Policy

Manual Steps

Step Description
Delegate: <Root OU> --> <Root OU>-OU Admins
Managed By: <Root OU> --> <unityid>.admin
Add in additional OU admins
Copy: <Root OU>-OU Policy
Link: <Root OU>-OU Policy --> <Root OU>
Delegate: <Root OU>-OU Policy --> <Root OU>-OU Admins
Edit GPO: <Root OU>-OU Policy
Configure software group replication
Add OU admins to departmental_ou_admins table.
Add OU to departmental_ous table.
Set up user account creation.
Authorize DNS domain name in msDS-AllowedDNSSuffixes.