Designated department IT staff will use a non-standard NetID account in RAD with elevated rights to perform the functions below. These are known as ADM accounts. Learn more on how to get access to RAD ADM accounts. Once created, these accounts would be added to the Departmental-OU admins or Departmental-Workstations admins group, depending on the access needed.
OIT has defined naming convention guidelines for RAD objects. When creating these objects, OIT requires that you prefix the object with your delegated OU name if our naming standards do not meet your requirements.
Delegated OU Admins will have full rights to manage their OUs, as described below, except for manipulating standard NetID accounts. These accounts all reside in the People OU, managed by IDM, and any changes should come upstream from IDM processes. Passwords should be managed through netid.rutgers.edu to ensure all accounts stay in sync (Portal, Luminous, AD, Email).
OIT will create a Workstation baseline GP at the root of your delegated OU to enforce Group Policy loopback processing (Merge mode) and populate the built-in Administrators group of each managed workstation with the departmental Workstation Admins group.
OIT will create these default groups when setting up your delegated OU. All other groups will be created by the Delegated OU-Admins.
Non-ADM accounts should NOT be members of the OU Admins or OU Workstation Admin groups.
ADM accounts should only be in one group or the other. Being in the OU Admins group can grant technicians more access than they need. OU Admins are already nested members of the Workstation admin groups. If they only need Workstation admin rights, they would be in the Workstation Admin group only.
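The two membership rules above can be checked mechanically. The following PowerShell sketch is an added example, not OIT's own tooling; the group name, account names and the `^adm-` naming pattern are assumptions, and the sample members are constructed. It checks direct members only, because the OU Admins group is itself nested inside the Workstation Admins group and a recursive listing would report every OU admin as being in both.

```powershell
# Added example. The ADM naming pattern, group name and accounts are assumed, not taken from OIT.
function Test-DelegatedAdminMembership {
    param(
        [object[]]$OuAdmins,           # direct members of the OU Admins group
        [object[]]$WorkstationAdmins,  # direct members of the Workstation Admins group
        [string]$AdmPattern = '^adm-'  # hypothetical ADM account naming pattern
    )
    # Check user objects only; the nested OU Admins group entry is expected and skipped.
    $ou = @($OuAdmins | Where-Object { $_.objectClass -eq 'user' })
    $ws = @($WorkstationAdmins | Where-Object { $_.objectClass -eq 'user' })
    $findings = @()

    # Rule 1: only ADM accounts may be members of either admin group.
    foreach ($set in @(@{ Name = 'OU Admins'; Members = $ou }, @{ Name = 'Workstation Admins'; Members = $ws })) {
        foreach ($m in $set.Members) {
            if ($m.SamAccountName -notmatch $AdmPattern) {
                $findings += [pscustomobject]@{ Account = $m.SamAccountName; Group = $set.Name; Issue = 'Non-ADM account in admin group' }
            }
        }
    }

    # Rule 2: an account should be a direct member of one group or the other, not both.
    foreach ($m in $ou) {
        if ($ws.SamAccountName -contains $m.SamAccountName) {
            $findings += [pscustomobject]@{ Account = $m.SamAccountName; Group = 'Both'; Issue = 'Direct member of both admin groups' }
        }
    }
    $findings
}

# Constructed sample data shaped like Get-ADGroupMember output (no -Recursive).
$ouAdmins = @(
    [pscustomobject]@{ SamAccountName = 'adm-jdoe'; objectClass = 'user' },
    [pscustomobject]@{ SamAccountName = 'asmith';   objectClass = 'user' }
)
$wsAdmins = @(
    [pscustomobject]@{ SamAccountName = 'DEPT-OU-Admins'; objectClass = 'group' },
    [pscustomobject]@{ SamAccountName = 'adm-jdoe';       objectClass = 'user' },
    [pscustomobject]@{ SamAccountName = 'adm-tech1';      objectClass = 'user' }
)
Test-DelegatedAdminMembership -OuAdmins $ouAdmins -WorkstationAdmins $wsAdmins | Format-Table -AutoSize
```

Against a live directory, pass the output of `Get-ADGroupMember -Identity <group>` (without `-Recursive`) for each of the two groups in place of the sample arrays.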
OU Admins: Users in this group are recommended to have the following permissions and responsibilities:
Workstations Admins: Users in this group are recommended to have the following permissions and responsibilities:
Each OU admin will have the ability to create and delete Sub-OUs within their Delegated OU.
Listed in the directory and able to be set up as print queues or mapped by direct IP printing. Print Management is done through an MMC snap-in, configured to connect to the print server hosting your print queue.
You can request print queues to be created on the Enterprise RAD print server (ASBRADPRINT01, 172.29.219.151) through this form.
Managing Restricted Drive NTFS Permissions: Only applies to schools that have requested Enterprise On-prem storage.
Delegated OU-Workstation Admins will have rights to migrate machines to RAD and have administrative rights over the Departmental workstations through the Departmental Workstation baseline Group Policy. Delegated OU admins are members of the Workstation Admins group by default and have the same rights over PC objects as described below.
Every machine to be migrated must be pre-created in the Delegated OU before it can be migrated. OIT has defined a standard naming convention to be used for RAD managed PC objects.
PC management should be done through ADUC (Active Directory Users and Computers), or ADAC (Active Directory Administrative Center).
Once devices are added to the delegated OU’s All workstations group, the baseline policy will allow Workstation Admins to have administrative access over these devices.
This group is also granted modify rights over their departmental print queues.