Difference between revisions of "Active Directory/Special Groups"
Jump to navigation
Jump to search
| (21 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| + | {{Active_Directory_toc}}The WOLFTECH domain has a number of special groups to apply security policies and provide access to resources. This document explains the function of these groups and their intended memberships. | ||
| + | |||
| + | ==Top Level Groups== | ||
| + | |||
<table> | <table> | ||
<tr> | <tr> | ||
| Line 5: | Line 9: | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td> | + | <td valign=top>WT-<OU>-<NAME></td> |
| − | <td> | + | <td>Managed groups. The groups are defined using the [https://www.wolftech.ncsu.edu/wtmg/ WolfTech Managed Groups Tool].</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td>NCSU- | + | <td width=200 valign=top>NCSU-ACS Users</td> |
| − | <td>A GPO ( | + | <td>This group is given Read access to the ACS Q Drive on the ACS domain. A GPO (NCSU-ACS Users) is linked at the People OU and is filtered to this group to automatically mount the Q drive. Only staff who need access to the ACS Q Drive should be members of this group. '''NOTE''': OU Admins should not move their local "ACS Users" group as this will cause this connection to fail.</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td>NCSU- | + | <td valign=top>NCSU-Allow RIS</td> |
| − | <td> | + | <td>A GPO (Domain-Allow RIS) is linked to the domain root and filtered to this group to allow members of this group to use RIS to reinstall computers. Members of NCSU-Departmental OU Admins are a member of this group.</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td>NCSU- | + | <td valign=top>NCSU-Computers</td> |
| − | <td></td> | + | <td>All computers under the NCSU OU are a member of this group.</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td>NCSU- | + | <td valign=top>NCSU-Computer Migrators</td> |
| − | <td></td> | + | <td>All .admins which are members of this group have the ability to join a computer to the domain. For those whom you want to have this privilege without granting them full OU Admin status.</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td>NCSU- | + | <td valign=top>NCSU-Departmental OU Admins</td> |
| − | <td></td> | + | <td>All OU admins are a member of this group. Members of this group are delegated Read access to all group policy objects.</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td>NCSU- | + | <td valign=top>NCSU-Desktops</td> |
| − | <td></td> | + | <td>All desktop computers under the NCSU OU are a member of this group.</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td>NCSU- | + | <td valign=top>NCSU-Laptops</td> |
| − | <td></td> | + | <td>All laptop computers under the NCSU OU are a member of this group. A GPO (Domain-Laptop Policy) is linked at the domain root and filtered to this group to set laptop specific policies.</td> |
| + | <tr> | ||
| + | <td valign=top>NCSU-Software Packagers</td> | ||
| + | <td>Members of this group have Full access to the NCSU software packages share (\\wolftech\files\common\ncsu\packages) and Full access to the SW-NCSU and FW-NCSU GPOs.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>NCSU-User Account Managers</td> | ||
| + | <td>Members of this group have Full access to the People OU.</td> | ||
| + | </tr> | ||
| + | </table> | ||
| + | |||
| + | ==ECE Departmental Groups== | ||
| + | The following special groups are used in the ECE departmental OU. This is provided as a suggestion to other departments. | ||
| + | |||
| + | <table> | ||
| + | <tr> | ||
| + | <th>Group Name</th> | ||
| + | <th>Description</th> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td width=200 valign=top>ECE-ACS Users</td> | ||
| + | <td>This group is a member of NCSU-ACS Users that gives Read access to the ACS Q Drive on the ACS domain. Only staff who need access to the ACS Q Drive should be members of this group.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>ECE-Allow RIS</td> | ||
| + | <td>This groups is a member of NCSU-Allow RIS that allows members to use RIS to reinstall computers. This group is useful for users who need to be able to use RIS, but are not OU admins.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>ECE-Computer Admins</td> | ||
| + | <td>This group is a member of the local Administrators group on all computers in the ECE OU. Members of this group have Administrator priveleges on all ECE computers, but no special domain priveleges. ECE-OU Admins is a member of this group.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>ECE-Computers</td> | ||
| + | <td>All computers within the ECE OU are members of this group.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>ECE-Desktops</td> | ||
| + | <td>All desktops within the ECE OU are members of this group.</td> | ||
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td> | + | <td valign=top>ECE-Enable Remote Assistance</td> |
| − | <td></td> | + | <td>A GPO (ECE-Enable Remote Assistance) is linked at the root of the ECE OU and filtered to this group that enables Unsolicited Remote Assistance on all members of this group.</td> |
</tr> | </tr> | ||
<tr> | <tr> | ||
| − | <td> | + | <td valign=top>ECE-Enable Remote Desktop</td> |
| − | <td></td> | + | <td>A GPO (ECE-Enable Remote Desktop) is linked at the root of the ECE OU and filtered to this group that enables Remote Desktop on all members of this group.</td> |
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>ECE-Laptops</td> | ||
| + | <td>All laptops within the ECE OU are members of this group.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>ECE-OU Admins</td> | ||
| + | <td>This group is delegated Full access to the ECE OU.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>ECE-Users</td> | ||
| + | <td>All ECE users are a member of this group. This includes students who have access to teaching lab computers.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>ECE-IT.Users</td> | ||
| + | <td>The regular user accounts of IT staff members are members of this group. This group is a member of all ECE computers local Users group. This allows IT staff members to logon using regular user credentials.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>ECE-Remote Assistants</td> | ||
| + | <td>This group is referenced in the ECE-Enable Remote Assistance GPO to authorize users to provide Unsolicited Remote Assistance.</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>ECE-Software Installers</td> | ||
| + | <td>Members of the group have Full access to the ECE software share (\\wolftech\files\ece\software).</td> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td valign=top>ECE-Software Packages</td> | ||
| + | <td>Members of this group have Full access to the ECE packages share (\\wolftech\files\ece\packages).</td> | ||
</tr> | </tr> | ||
| − | |||
Latest revision as of 17:07, 28 August 2017
The WOLFTECH domain has a number of special groups to apply security policies and provide access to resources. This document explains the function of these groups and their intended memberships.
Top Level Groups
| Group Name | Description |
|---|---|
| WT-<OU>-<NAME> | Managed groups. The groups are defined using the WolfTech Managed Groups Tool. |
| NCSU-ACS Users | This group is given Read access to the ACS Q Drive on the ACS domain. A GPO (NCSU-ACS Users) is linked at the People OU and is filtered to this group to automatically mount the Q drive. Only staff who need access to the ACS Q Drive should be members of this group. NOTE: OU Admins should not move their local "ACS Users" group as this will cause this connection to fail. |
| NCSU-Allow RIS | A GPO (Domain-Allow RIS) is linked to the domain root and filtered to this group to allow members of this group to use RIS to reinstall computers. Members of NCSU-Departmental OU Admins are a member of this group. |
| NCSU-Computers | All computers under the NCSU OU are a member of this group. |
| NCSU-Computer Migrators | All .admins which are members of this group have the ability to join a computer to the domain. For those whom you want to have this privilege without granting them full OU Admin status. |
| NCSU-Departmental OU Admins | All OU admins are a member of this group. Members of this group are delegated Read access to all group policy objects. |
| NCSU-Desktops | All desktop computers under the NCSU OU are a member of this group. |
| NCSU-Laptops | All laptop computers under the NCSU OU are a member of this group. A GPO (Domain-Laptop Policy) is linked at the domain root and filtered to this group to set laptop specific policies. |
| NCSU-Software Packagers | Members of this group have Full access to the NCSU software packages share (\\wolftech\files\common\ncsu\packages) and Full access to the SW-NCSU and FW-NCSU GPOs. |
| NCSU-User Account Managers | Members of this group have Full access to the People OU. |
ECE Departmental Groups
The following special groups are used in the ECE departmental OU. This is provided as a suggestion to other departments.
| Group Name | Description |
|---|---|
| ECE-ACS Users | This group is a member of NCSU-ACS Users that gives Read access to the ACS Q Drive on the ACS domain. Only staff who need access to the ACS Q Drive should be members of this group. |
| ECE-Allow RIS | This groups is a member of NCSU-Allow RIS that allows members to use RIS to reinstall computers. This group is useful for users who need to be able to use RIS, but are not OU admins. |
| ECE-Computer Admins | This group is a member of the local Administrators group on all computers in the ECE OU. Members of this group have Administrator priveleges on all ECE computers, but no special domain priveleges. ECE-OU Admins is a member of this group. |
| ECE-Computers | All computers within the ECE OU are members of this group. |
| ECE-Desktops | All desktops within the ECE OU are members of this group. |
| ECE-Enable Remote Assistance | A GPO (ECE-Enable Remote Assistance) is linked at the root of the ECE OU and filtered to this group that enables Unsolicited Remote Assistance on all members of this group. |
| ECE-Enable Remote Desktop | A GPO (ECE-Enable Remote Desktop) is linked at the root of the ECE OU and filtered to this group that enables Remote Desktop on all members of this group. |
| ECE-Laptops | All laptops within the ECE OU are members of this group. |
| ECE-OU Admins | This group is delegated Full access to the ECE OU. |
| ECE-Users | All ECE users are a member of this group. This includes students who have access to teaching lab computers. |
| ECE-IT.Users | The regular user accounts of IT staff members are members of this group. This group is a member of all ECE computers local Users group. This allows IT staff members to logon using regular user credentials. |
| ECE-Remote Assistants | This group is referenced in the ECE-Enable Remote Assistance GPO to authorize users to provide Unsolicited Remote Assistance. |
| ECE-Software Installers | Members of the group have Full access to the ECE software share (\\wolftech\files\ece\software). |
| ECE-Software Packages | Members of this group have Full access to the ECE packages share (\\wolftech\files\ece\packages). |