Rutgers EI

RAD – Managing your Delegated OU

OU-Admins will have full rights to manage their OUs, with the exception of manipulating standard NetID accounts. These accounts all reside in the People OU and are managed by IDM, so any changes should come upstream from IDM processes. Passwords should be managed through to ensure all accounts stay in sync (Portal, Luminous, AD, Email). Designated department IT staff will use non-standard NetID accounts in RAD, with elevated rights, to perform the following functions:

  • Create and Edit Group Policies:
    • RAD will create a GP at the root of the delegated OU to enforce Group Policy loopback processing in Merge mode. All other GPs underneath the delegated OU will be created and administered by the IT support staff. OIT will provide additional operational support through an HDRT ticket. GPs should be administered through an MMC using the GP management snap-in.
  • PC Objects:
    • Every machine to be migrated must be pre-created in the delegated OU before it can be migrated. OIT has a defined standard naming convention for RAD-managed PC objects and asks that it be followed. If IT Partners have their own naming convention, OIT asks that it be provided in case OIT is asked to provide support to that area. PC management should be done through ADUC (Active Directory Users and Computers) or ADAC (Active Directory Administrative Center).
  • Printer Objects:
    • Printers are listed in the directory and can be set up as print queues or mapped by direct IP printing. Print management is done through an MMC snap-in configured to connect to the print server hosting your print queue.
  • Managing Restricted Drive NTFS Permissions:
    • Each School will have a File System admin group assigned to manage their area.
    • Each School will have a Global Restricted (R) drive mapped.
    • For each folder within this Drive, there should also be a corresponding AD security group created, and added to the security of the folder.
    • Access-Based Enumeration (ABE) is enabled on Enterprise storage servers, ensuring that users can view only the folders they have permission to access.
  • Workstation Administration:
    • A baseline workstation GP will be created to populate the admins group with a Workstation Admin group containing members of the local IT support staff.
    • This baseline GP can also be used to push PC settings down to all Workstations within the delegated OU.
  • Kace:
    • Kace is the OIT enterprise solution for PC management. All PCs migrated to RAD will have Kace installed.
    • IT support teams will be able to manage their PCs through Kace, using their delegated OU structure.
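
The "Managing Restricted Drive NTFS Permissions" item above asks for one AD security group per folder, added to that folder's security. The following audit script is an added example, not OIT's own tooling; the drive root `R:\`, the domain name `EXAMPLE`, and the `FS-<FolderName>` group naming pattern are assumptions, since this page does not state a naming convention for these groups.

```powershell
# Added example: report top-level folders on the restricted drive that lack an
# explicit Allow entry for their corresponding AD security group.
# ASSUMPTIONS (not from this page): root 'R:\', NetBIOS domain 'EXAMPLE',
# and a hypothetical group naming pattern "FS-<FolderName>".
param(
    [string]$Root        = 'R:\',
    [string]$Domain      = 'EXAMPLE',
    [string]$GroupPrefix = 'FS-'
)

function Test-FolderGroupAce {
    param(
        [Parameter(Mandatory)] [System.IO.DirectoryInfo]$Folder,
        [Parameter(Mandatory)] [string]$ExpectedIdentity
    )
    $acl = Get-Acl -LiteralPath $Folder.FullName

    # Only explicit (non-inherited) Allow entries count as the folder's own grant.
    $explicit = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow'
    })
    $match = @($explicit | Where-Object {
        $_.IdentityReference.Value -ieq $ExpectedIdentity
    })
    $other = @($explicit | Where-Object {
        $_.IdentityReference.Value -ine $ExpectedIdentity
    })

    [pscustomobject]@{
        Folder        = $Folder.FullName
        ExpectedGroup = $ExpectedIdentity
        GroupHasAce   = $match.Count -gt 0
        Rights        = ($match.FileSystemRights -join '; ')
        # Listed for review only; other explicit entries (for example the
        # File System admin group) can be legitimate.
        OtherExplicit = ($other.IdentityReference.Value -join '; ')
    }
}

$report = Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
    Test-FolderGroupAce -Folder $_ -ExpectedIdentity "$Domain\$GroupPrefix$($_.Name)"
}

# Show only the folders that are missing their corresponding group.
$report | Where-Object { -not $_.GroupHasAce } | Format-Table -AutoSize -Wrap
```

The script only reads ACLs with `Get-Acl`, so it can be run by anyone with read-permissions access to the folders and makes no changes.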