Rutgers EI

Enterprise Infrastructure

Integrating Systems

RAD – Managing your Delegated OU

Designated department IT staff will use a non-standard NetID account in RAD with elevated rights, to perform the functions below. These are known as ADM accounts. More Info can be found here. Once created these accounts would be added to the Departmental-OU admins, or Departmental-Workstations admins group, depending on the access needed.

OIT has defined naming convention guidelines for RAD objects. https://ei.rutgers.edu/index.php/rad-naming-conventions/ When creating these objects, OIT requires that you prefix the object with your delegated OU name if our naming standards do not meet your requirements.

Delegated -OU Admins will have full rights to manage their OU’s, as described below, except for manipulating standard NetID accounts. These accounts all reside in the People OU, managed by IDM, and any changes should come upstream from IDM processes. Passwords should be managed through netid.rutgers.edu to ensure all accounts stay in Sync (Portal, Luminous, AD, Email).

  • Create and Edit Group Policies:
    • OIT will create a Workstation baseline GP at the root of your delegated OU to enforce Loopback Group Policy-Merge and populate the Built-in Administrator’s group of each managed workstation with the departmental Workstation Admins group.
      1. Group Policy Loopback Processing needs to be set to ‘Merge’. Since all user accounts are sitting in the People OU, we have to tell the PC Objects to process the user polices assigned
        to the machine. This allows user configurations to run on machines when the user isn’t in the same OU. This only needs to be set once on a machine, other delegated areas will set it in their workstation baseline policy.
      2. Share mappings can be configured on this GP and it can also be used to push PC settings down to all Workstations within the delegated OU.
      3. Additional information can be found at the following Microsoft link:
        https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/loopback-processing-of-group-policy
  • Security Groups:
    • OIT will create these default groups when setting up your delegated OU. All other groups will be created by the Delegated OU-Admins.
      1. OU-OU Admins
      2. OU-Workstations Admins
      3. OU-All Users
      4. OU-All Workstations
      5. OU-Restricted
  • Organizational Units (OU’s):
    • Each OU admin will have the ability to create and delete Sub-OU’s within their Delegated OU.
  • Printer Objects:
    • Listed in the directory and able to be setup as print queues or mapped by direct IP printing. Print Management is done through an MMC snap-in, configured to connect to the print server hosting your print queue.
  • You can request print queues to be created on the Enterprise RAD print server (ASBRADPRINT01, 172.29.219.151) through HDRT.
    • https://oitforms.rutgers.edu/esssn_req Please ensure the Request Category = RAD-Rutgers Active Directory, and the Request Type = Printers. We need the following info to set up a print queue.
    • Print queue name = Must begin with Delegated OU name.
    • IP= Please ensure that you can access our print server from your subnet.
    • Driver to user = link to the driver you want us to use for this print queue.
  • Shared Drives Explained:
    • Managing Restricted Drive NTFS Permissions: Only applies to schools that have requested Enterprise On-prem storage./li>
      • Each School’s OU admin group will be given Modify rights over the storage allocated to their school.
      • Each School will have a Global Restricted (R) drive.
        1. User would have to be added to the top-level Restricted group to have the drive mapped (OU-Restricted)
        2. For each folder within this Drive, there should also be a corresponding AD security group created and added to the security of the folder
        3. Access Based Enumeration (ABE) is enabled on Enterprise storage Servers, ensuring users will only be able to view folders they have permission to access
        4. User would need to be a member of the following groups
          • OU-All Users
          • OU-Restricted
          • OU-Restricted (Name of Folder)
      • Each school will have a Shared (S) drive mapped.
        1. The department drive is designed to be accessible by anyone within a department.
        2. ‘Modify’ permissions are automatically granted to anyone that is a member of the ‘OU-All Users’ group within the department’s Organizational Unit (OU).
      • Each school must request Home Drive space which is separate location from Departmental shares
        1. Their H Drive (Home): Personal server storage location for saving work related files.
        2. Restricted to the individual user and could potentially mitigate data loss if stored on the network instead of locally.

    Delegated OU-Workstation Admins will have rights to migrate machines to RAD and have administrative rights over the Departmental workstations through the Departmental Workstation baseline Group Policy. Delegated OU admins are a member of Workstation Admins group by default and have the same rights over PC objects as described below.

    • PC Objects:
      • All machines to be migrated will have to be pre-created in the Delegated OU, before it can be migrated. https://ei.rutgers.edu/index.php/rad-administering-ous-and-migrating-workstations-to-rad/#Accounts OIT has defined standard naming convention to be used for RAD managed PC objects.
      • PC management should be done through ADUC (Active Directory Users and Computers), or ADAC (Active Directory Administrative Center).
      • Once added to the delegated OU’s All workstations group, the baseline policy will allow them to have administrative access over these devices.
      • This group is also granted modify rights over their departmental print queues.