Rutgers EI – Enterprise Infrastructure

RAD – Managing your Delegated OU

Designated department IT staff will use a non-standard NetID account in RAD with elevated rights to perform the functions below. These are known as ADM accounts. Once created, these accounts are added to the Departmental OU Admins group or the Departmental Workstation Admins group, depending on the access needed.

OIT has defined naming convention guidelines for RAD objects. When creating these objects, OIT requires that you prefix the object name with your delegated OU name if our naming standards do not meet your requirements.

Delegated OU Admins will have full rights to manage their OUs, as described below, except for manipulating standard NetID accounts. These accounts all reside in the People OU, which is managed by IDM, and any changes should come upstream from IDM processes. Passwords should be managed upstream as well, to ensure all accounts stay in sync (Portal, Luminous, AD, Email).

  • Create and Edit Group Policies:
    • OIT will create a Workstation baseline GP at the root of your delegated OU to enforce Loopback Group Policy (Merge mode) and populate the built-in Administrators group of each managed workstation with the departmental Workstation Admins group.
      1. Share mappings can be configured on this GP, and it can also be used to push PC settings down to all workstations within the delegated OU.
    • All other GPs underneath the delegated OU will be created and administered by the delegated OU-Admins group. OIT will provide additional operational support through an HDRT ticket. GPs should be administered through an MMC using the Group Policy Management snap-in.
  • Security Groups:
    • OIT will create these default groups when setting up your delegated OU. All other groups will be created by the Delegated OU-Admins.
      1. OU-OU Admins
      2. OU-Workstations Admins
      3. OU-All Users
      4. OU-All Workstations
      5. OU-Restricted
  • Organizational Units (OUs):
    • Each OU admin will have the ability to create and delete sub-OUs within their delegated OU.
  • Printer Objects:
    • Printers are listed in the directory and can be set up as print queues or mapped by direct IP printing. Print management is done through an MMC snap-in, configured to connect to the print server hosting your print queue.
    • You can request print queues to be created on the Enterprise RAD print server (ASBRADPRINT01) through HDRT. Please ensure the Request Category = RAD-Rutgers Active Directory and the Request Type = Printers. We need the following information to set up a print queue:
      1. Print queue name: must begin with the delegated OU name.
      2. IP: please ensure that you can access our print server from your subnet.
      3. Driver to use: a link to the driver you want us to use for this print queue.
  • Managing Restricted Drive NTFS Permissions: only applies to schools that have requested Enterprise on-prem storage.
    • Each school’s OU admin group will be given Modify rights over the storage allocated to their school.
    • Each school will have a Global Restricted (R) drive.
      1. For each folder within this drive, a corresponding AD security group should be created and added to the folder’s security (ACL).
      2. Access Based Enumeration (ABE) is enabled on Enterprise storage servers, ensuring users can only see folders they have permission to access.
    • Each school will have a Shared (S) drive mapped.
      1. The department drive is designed to be accessible by anyone within the department.
      2. ‘Modify’ permissions are automatically granted to anyone who is a member of the ‘OU-All Users’ group within the department’s Organizational Unit (OU).
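One way to audit the Restricted (R) drive convention above (each folder paired with its own security group, and nothing department-wide in the ACL), as an added PowerShell example that is not from this page or from OIT: the `<OU>-R-<Folder>` group naming pattern and the share path are assumptions, so adjust them to your delegated OU's actual names.

```powershell
# Added audit example (not OIT's script). Assumptions: -RestrictedRoot is the
# UNC path of your R drive, and each top-level folder is paired with a security
# group named "<OUPrefix>-R-<FolderName>" (hypothetical naming). Requires the
# ActiveDirectory RSAT module and read access to the share. Reports only.
param(
    [Parameter(Mandatory)] [string] $RestrictedRoot,   # e.g. \\FILESERVER\SCHOOL-R (placeholder)
    [Parameter(Mandatory)] [string] $OUPrefix          # your delegated OU name, e.g. SCHOOL (placeholder)
)
Import-Module ActiveDirectory

$domainNetbios = (Get-ADDomain).NetBIOSName
# Membership in OU-All Users should grant S-drive access only, never R-drive access.
$allUsersGroup = "$domainNetbios\$OUPrefix-All Users"
$broadPrincipals = @($allUsersGroup, 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

foreach ($folder in Get-ChildItem -Path $RestrictedRoot -Directory) {
    $groupName = "$OUPrefix-R-$($folder.Name)"
    $group     = Get-ADGroup -Filter "Name -eq '$groupName'"
    $acl       = Get-Acl -Path $folder.FullName
    $result    = [ordered]@{ Folder = $folder.Name; Group = $groupName; GroupExists = [bool]$group }

    # Is the paired group actually on the folder ACL, and with which rights?
    $groupAce = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "$domainNetbios\$groupName" }
    $result.GroupInAcl  = [bool]$groupAce
    $result.GroupRights = ($groupAce.FileSystemRights -join ', ')

    # Any Allow ACE for a department-wide or well-known principal defeats the purpose of a Restricted folder.
    $broad = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -in $broadPrincipals
    }
    $result.BroadAccess = ($broad.IdentityReference.Value -join ', ')

    [pscustomobject]$result
}
```

Rows with GroupExists or GroupInAcl set to False, or with anything listed under BroadAccess, are the folders to fix; ABE itself must be checked on the storage server (share settings), not from the client side.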

Delegated OU-Workstation Admins will have rights to migrate machines to RAD and will have administrative rights over the departmental workstations through the Departmental Workstation baseline Group Policy. Delegated OU Admins are members of the Workstation Admins group by default and have the same rights over PC objects as described below.

  • PC Objects:
    • All machines to be migrated must be pre-created in the delegated OU before they can be migrated. OIT has defined a standard naming convention for RAD-managed PC objects.
    • PC management should be done through ADUC (Active Directory Users and Computers) or ADAC (Active Directory Administrative Center).
    • Once a machine is added to the delegated OU’s All Workstations group, the baseline policy grants the Workstation Admins group administrative access over that device.
    • This group is also granted Modify rights over the departmental print queues.