The Austin Active Directory Department Group Tools are used to manage a Department's groups through a convenient, easy-to-use web interface. They allow for group management in scenarios where the native Active Directory tools are not installed, or where they cannot be installed at all, such as on a computer running a non-Windows OS.
Roles
The following roles are defined in the Department Group Tools:
Roles | Group Scope | Available Actions | How Someone Falls into Scope of the Role |
---|---|---|---|
OU OWNER | Groups native to the Department Group Tools | Add Department Group Administrator; Remove Department Group Administrator | When a Department OU is created, the requestor provides a list of the initial OU Owners. Department OU Owners can edit (add/remove) owners of the Department OU. If a Department falls in the scenario where there are no valid OU Owners (for example, all of the owners are former staff), the owners can be updated by one of the following processes: |
GROUP ADMINISTRATOR | Groups native to the Department Group Tools | Create Group; Delete Group; Rename Group; Update Group Description; Set Group Managers | Department OU Owners manage the Group Admins. |
GROUP MANAGER | Groups native to the Department Group Tools | Add a Group Member; Remove a Group Member | |
GROUP MANAGER | Groups existing within a Department OU | Add a Group Member; Remove a Group Member | You (or a group you are a member of) are set on the ManagedBy of a group. |
Group Location in AD
All groups created by the Department Group Tools are stored in the Department's sub-OU located in austin.utexas.edu/Groups/Managed
Add Department Group Administrator OU OWNER
Remove Department Group Administrator OU OWNER
Create Group GROUP ADMINISTRATOR
Delete Group GROUP ADMINISTRATOR
Rename Group GROUP ADMINISTRATOR
Update Group Description GROUP ADMINISTRATOR
Set Group Managers GROUP ADMINISTRATOR
Add a Group Member GROUP MANAGER
Remove a Group Member GROUP MANAGER
Logging
All actions taken in the Department Group Tools are logged and sent to Splunk.
Moving a Group from a Department OU to Managed Groups
A department (Owner | Administrator | either?) can request the movement of a group from their Department OU to the corresponding Managed Groups OU.
- Note if the group's Managed By attribute is set and whether the "Manager can update membership list" checkbox is checked (if checked, an ACE is present to allow the Managed By entity to add/remove members).
- Set the value of the group's utexasEduAustinSingle10 attribute to the EID of the requestor. (This attribute is populated with the user that created the group by the Department Group Tools.)
- Move the group to the Department's OU in austin.utexas.edu/Groups/Managed.
- Reset permissions on the group to remove any permissions set on it while it was under the Department OU. (Properties - Security tab, Advanced button, Restore Defaults button.)
- Close out the request.
If the group's Managed By was filled out, and it has permissions to update the membership, provide this info and let the requestor know that it has been cleared out. They are responsible for adding it as the Group Manager if they want it still in place (this is so that setting the Group Manager is logged by the Department Group Tools).
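
The move procedure above, expressed in PowerShell as an added example (not the Department Group Tools' own code or a script from this page). It assumes the RSAT ActiveDirectory module and dsacls.exe are available; the group name, department sub-OU name and EID are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Placeholders (assumptions, not values from this page): group name, EID, department sub-OU.
$GroupName    = 'EXAMPLE-Dept-Group'
$RequestorEid = 'abc123'
$TargetOU     = 'OU=EXAMPLEDEPT,OU=Managed,OU=Groups,DC=austin,DC=utexas,DC=edu'
# schemaIDGUID of the "member" attribute; the "Manager can update membership list"
# checkbox grants the ManagedBy principal WriteProperty on this attribute.
$MemberAttr   = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$group = Get-ADGroup -Identity $GroupName -Properties ManagedBy

# Step 1: record ManagedBy and whether it holds an explicit write ACE on "member".
$managerCanUpdate = $false
if ($group.ManagedBy) {
    $manager = Get-ADObject -Identity $group.ManagedBy -Properties objectSid
    $acl     = Get-Acl -Path "AD:\$($group.DistinguishedName)"
    $rules   = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $managerCanUpdate = [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $MemberAttr -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.IdentityReference.Value -eq $manager.objectSid.Value
    })
}

# Step 2: stamp the requestor's EID where the tools normally record the group's creator.
Set-ADGroup -Identity $group -Replace @{ utexasEduAustinSingle10 = $RequestorEid }

# Step 3: move the group into the Department's sub-OU under Groups/Managed.
Move-ADObject -Identity $group.DistinguishedName -TargetPath $TargetOU
$moved = Get-ADGroup -Identity $group.ObjectGUID

# Step 4: reset the ACL to the schema default for the object class
# (the command-line equivalent of the Restore Defaults button).
dsacls $moved.DistinguishedName /S | Out-Null

# Step 5: details to include when closing out the request.
[pscustomobject]@{
    Group                     = $moved.Name
    NewLocation               = $moved.DistinguishedName
    PreviousManagedBy         = $group.ManagedBy
    ManagerCouldUpdateMembers = $managerCanUpdate
}
```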