
The Austin Active Directory Department Group Tools are used to manage a Department's groups through a convenient, easy-to-use web interface.  They allow for group management where native Active Directory tools are not installed, or where they cannot be installed at all, such as on a computer running a non-Windows OS.


There are three roles within the tool: Department OU Owner, Account Assignee, and Account Claimant.


Roles

The following roles are defined in the Department Group Tools:

Role: OU OWNER

Group scope: Groups native to the Department Group Tools

Available actions:

  • Add Department Group Administrator
  • Remove Department Group Administrator

How someone falls into scope of the role:

When a Department OU is created, the requestor provides a list of the initial OU Owners.

Department OU Owners can edit (add/remove) owners of the Department OU.

If a Department has no valid OU Owners (for example, all of the owners are former staff), the owners can be updated by one of the following processes:

  • The Head of the Department submits a request to the AD team, specifying the EIDs of the new OU Owners.
  • An IT staff member from the department contacts the ISO, who reviews it and then submits a request to the AD team, specifying the EIDs of the new OU Owners.

Role: GROUP ADMINISTRATOR

Available actions:

  • Create Group
  • Delete Group
  • Rename Group
  • Update Group Description
  • Set Group Managers

How someone falls into scope of the role:

Department OU Owners manage the Group Admins.

Role: GROUP MANAGER

Available actions:

  • Add a Group Member
  • Remove a Group Member

Role: MANAGED BY

Group scope: Groups existing within a Department OU

Available actions:

  • Manage the memberships of the group (add/remove members)

How someone falls into scope of the role:

You (or a group you are a member of) are set as the ManagedBy of a group.

Group Location in AD

All groups created by the Department Group Tools are stored in the Department's sub-OU located in austin.utexas.edu/Groups/Managed

Logging

All actions taken in the Department Group Tools are logged and sent to Splunk.

Moving a Group from a Department OU to Managed Groups

A department (Owner | Administrator | either?) can request the movement of a group from their Department OU to the corresponding Managed Groups OU.

  1. Note whether the group's Managed By attribute is set and whether the "Manager can update membership list" checkbox is checked (if checked, an ACE is present that allows the Managed By entity to add/remove members).
  2. Set the value of the group's utexasEduAustinSingle10 attribute to the EID of the requestor.
    (This attribute is populated with the user that created the group by the Department Group Tools.)
  3. Move the group to the Department's OU in austin.utexas.edu/Groups/Managed.
  4. Reset permissions on the group to remove any permissions set on it while it was under the Department OU.
    (Properties - Security tab, Advanced button, Restore Defaults button.)
  5. Close out the request.
    If the group's Managed By was filled out and it has permissions to update the membership, provide this info and let the requestor know that it has been cleared out.  They are responsible for adding it as the Group Manager if they still want it in place (this is so that setting the Group Manager is logged by the Department Group Tools).
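
The steps above as a PowerShell script, added here as an example; it is not part of the original page or the AD team's own tooling. It assumes the ActiveDirectory (RSAT) module, takes the distinguished name of the Department's sub-OU under Groups/Managed from the operator as $TargetOu, and uses dsacls /S in place of the GUI's Restore Defaults button, on the assumption that both reset the ACL to the schema default.

```powershell
#Requires -Modules ActiveDirectory
# Added example: steps 1-4 of the move procedure, plus a summary for the step 5 close-out.
param(
    [Parameter(Mandatory)] [string] $GroupName,     # group currently under the Department OU
    [Parameter(Mandatory)] [string] $RequestorEid,  # EID of the person who made the request
    [Parameter(Mandatory)] [string] $TargetOu       # DN of the Department's sub-OU under Groups/Managed
)
$ErrorActionPreference = 'Stop'

# schemaIDGUID of the "member" attribute; an ACE scoped to it controls membership edits.
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$sidType    = [System.Security.Principal.SecurityIdentifier]
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Step 1: record Managed By and whether it holds an explicit write-members ACE.
$group = Get-ADGroup -Identity $GroupName -Properties ManagedBy, nTSecurityDescriptor
$managerCanUpdate = $false
if ($group.ManagedBy) {
    $managerSid = (Get-ADObject -Identity $group.ManagedBy -Properties objectSid).objectSid
    $managerCanUpdate = [bool]($group.nTSecurityDescriptor.GetAccessRules($true, $false, $sidType) |
        Where-Object {
            $_.IdentityReference.Value -eq $managerSid.Value -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $memberAttr -and
            $_.ActiveDirectoryRights.HasFlag($writeProp)
        })
}

# Step 2: stamp the requestor's EID where the Department Group Tools record the creator.
Set-ADGroup -Identity $group.ObjectGUID -Replace @{ utexasEduAustinSingle10 = $RequestorEid }

# Step 3: move the group; the ObjectGUID stays stable while the DN changes.
Move-ADObject -Identity $group.ObjectGUID -TargetPath $TargetOu
$moved = Get-ADGroup -Identity $group.ObjectGUID

# Step 4: reset the ACL to the schema default (assumed equivalent to Restore Defaults).
dsacls.exe $moved.DistinguishedName /S | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $($moved.DistinguishedName)" }

# Step 5 input: what to tell the requestor when closing the request.
[pscustomobject]@{
    Group            = $moved.DistinguishedName
    PreviousManager  = $group.ManagedBy
    ManagerCanUpdate = $managerCanUpdate
}
```

The script reads Managed By and the ACL before the move because the permission reset in step 4 removes the ACE that step 1 is meant to record.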