Difference between revisions of "Active Directory/Scripts & Tools/WTMG"
Jump to navigation
Jump to search
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | =Usage= | ||
| + | * All managed group names are prefixed with 'WT-<OU>-'. | ||
| + | * Group names can only contain letters, numbers, and spaces. No symbols are permitted! | ||
| + | * Group names may be no longer than 64 total characters, including prefix. | ||
| + | * Please make group names as descriptive as possible. | ||
| + | * Expiration date can be set to 'Never' or '0000-00-00 00:00:00' to make the group non-expiring. | ||
| + | * New groups are created in Active Directory every 10 minutes. | ||
| + | * Group memberships are updated in Active Directory daily at 1:00 AM, 7:00 AM, 1:00 PM, and 7:00 PM. This means that enabled, disabled, or unexpired groups will not be updated until the next membership refresh. | ||
| + | * Updates to NCSU's data sources are typically reflected in the 1:00 PM update. | ||
| + | * Managed groups are located in the NCSU\Managed Groups OU. | ||
| + | |||
| + | =Group Strategy= | ||
| + | WolfTech recommends using the WolfTech Managed Groups in conjunction with the A G DL P strategy. The managed groups are global groups of users and are descriptive of their membership. You should create domain local groups within your OU with names descriptive of their permissions. You can then make the global managed group a member of your local group. | ||
| + | |||
| + | For more information on the A G DL P strategy, see: | ||
| + | |||
| + | |||
| + | From [http://www.microsoft.com/technet/prodtechnol/sppt/sharepoint/maintain/optimize/winsec.mspx Microsoft TechNet]: | ||
| + | |||
| + | [[Image:Winsec03.gif]] | ||
| + | |||
| + | When you use groups in a single domain, you use the A G DL P strategy. The A G DL P strategy is: You put user accounts (A) into global groups (G), put the global groups into domain local groups (DL), and then grant permissions (P) to the domain local group. | ||
| + | |||
| + | When creating the groups, Windows 2000 recommends the following strategy: | ||
| + | |||
| + | * Identify users with common responsibilities and add the user accounts to a global group. For example, in a sales department, add user accounts for all sales employees that use the same resources to a global group called Sales. | ||
| + | * Determine whether you can use a built-in domain local group, or if you must create one to provide users with access to domain resources. For example, if you want users to be able to print to a shared color printer in the domain, create a domain local group called Color Printer Users. | ||
| + | * Make all global groups that share the same access needs for resources members of the appropriate domain local group. For example, add the appropriate global groups, including Sales, to the domain local group Color Printer Users. | ||
| + | * Grant the required permissions to the domain local group on the domain controller. You grant permissions at the resource. For example, grant the necessary permissions to use color printers to the Color Printers Users domain local group. | ||
| + | |||
=Components= | =Components= | ||
| Line 28: | Line 58: | ||
** Cronjob that updates group membership. | ** Cronjob that updates group membership. | ||
** Runs every 6 hours at 1AM, 7AM, 1PM, 7PM. | ** Runs every 6 hours at 1AM, 7AM, 1PM, 7PM. | ||
| + | |||
| + | =Future Features= | ||
| + | * God mode | ||
| + | * Integration with group notifications. | ||
| + | * Transaction based communication with backend. | ||
| + | * Notify requesting user when transactions complete. | ||
| + | * More robust error checking and exception handling. | ||
| + | * Interface beautification | ||
| + | * Itegration with MyIT framework. | ||
| + | * Support for Virtual GuardDog groups. | ||
| + | * Commit enable/disable actions immediately. | ||
| + | * Advanced interface, perhaps AJAX. | ||
| + | * Log monitoring/analysis. | ||
Latest revision as of 15:26, 5 July 2007
Usage
- All managed group names are prefixed with 'WT-<OU>-'.
- Group names can only contain letters, numbers, and spaces. No symbols are permitted!
- Group names may be no longer than 64 total characters, including prefix.
- Please make group names as descriptive as possible.
- Expiration date can be set to 'Never' or '0000-00-00 00:00:00' to make the group non-expiring.
- New groups are created in Active Directory every 10 minutes.
- Group memberships are updated in Active Directory daily at 1:00 AM, 7:00 AM, 1:00 PM, and 7:00 PM. This means that enabled, disabled, or unexpired groups will not be updated until the next membership refresh.
- Updates to NCSU's data sources are typically reflected in the 1:00 PM update.
- Managed groups are located in the NCSU\Managed Groups OU.
Group Strategy
WolfTech recommends using the WolfTech Managed Groups in conjunction with the A G DL P strategy. The managed groups are global groups of users and are descriptive of their membership. You should create domain local groups within your OU with names descriptive of their permissions. You can then make the global managed group a member of your local group.
For more information on the A G DL P strategy, see:
From Microsoft TechNet:
When you use groups in a single domain, you use the A G DL P strategy. The A G DL P strategy is: You put user accounts (A) into global groups (G), put the global groups into domain local groups (DL), and then grant permissions (P) to the domain local group.
When creating the groups, Windows 2000 recommends the following strategy:
- Identify users with common responsibilities and add the user accounts to a global group. For example, in a sales department, add user accounts for all sales employees that use the same resources to a global group called Sales.
- Determine whether you can use a built-in domain local group, or if you must create one to provide users with access to domain resources. For example, if you want users to be able to print to a shared color printer in the domain, create a domain local group called Color Printer Users.
- Make all global groups that share the same access needs for resources members of the appropriate domain local group. For example, add the appropriate global groups, including Sales, to the domain local group Color Printer Users.
- Grant the required permissions to the domain local group on the domain controller. You grant permissions at the resource. For example, grant the necessary permissions to use color printers to the Color Printers Users domain local group.
Components
Interace
- avail_groups.inc.php
- Available Groups Pane
- footer.inc.php
- Footer
- groups_xml.php
- Provides available "GuardDog Groups" list interface.
- header.inc.php
- Header
- index.php
- Displays interface to the user.
- my_groups.inc.php
- My Groups Pane
- myitUser.inc.php
- Manages information about the user.
- wtmgInterface.inc.php
- Functions that power the WTMG interface.
Backend
- wtmg.inc.php
- Functions that power the WTMG backend.
- wtmg_groups.php
- Cronjob that processes changes to groups.
- Runs every 10 minutes.
- wtmg_members.php
- Cronjob that updates group membership.
- Runs every 6 hours at 1AM, 7AM, 1PM, 7PM.
Future Features
- God mode
- Integration with group notifications.
- Transaction based communication with backend.
- Notify requesting user when transactions complete.
- More robust error checking and exception handling.
- Interface beautification
- Itegration with MyIT framework.
- Support for Virtual GuardDog groups.
- Commit enable/disable actions immediately.
- Advanced interface, perhaps AJAX.
- Log monitoring/analysis.