Designated department IT staff will use a non-standard NetID account in RAD with elevated rights, to perform the functions below. These are known as ADM accounts. Learn more on how to get access to Rad ADM accounts. Once created, these accounts would be added to the Departmental-OU admins, or Departmental-Workstations admins group, depending on the access needed.

OIT has defined naming convention guidelines for RAD objects. When creating these objects, OIT requires that you prefix the object with your delegated OU name if our naming standards do not meet your requirements.

Delegated -OU Admins will have full rights to manage their OU’s, as described below, except for manipulating standard NetID accounts. These accounts all reside in the People OU, managed by IDM, and any changes should come upstream from IDM processes. Passwords should be managed through netid.rutgers.edu to ensure all accounts stay in Sync (Portal, Luminous, AD, Email).

Create and edit group policies

OIT will create a Workstation baseline GP at the root of your delegated OU to enforce Loopback Group Policy-Merge and populate the Built-in Administrator’s group of each managed workstation with the departmental Workstation Admins group.

• Group Policy Loopback Processing needs to be set to ‘Merge’. Since all user accounts are sitting in the People OU, we have to tell the PC Objects to process the user polices assigned to the machine. This allows user configurations to run on machines when the user isn’t in the same OU. This only needs to be set once on a machine, other delegated areas will set it in their workstation baseline policy.
• Share mappings can be configured on this GP and it can also be used to push PC settings down to all Workstations within the delegated OU.
• Additional information can be found on the Microsoft site: Loopback processing of Group Policy.

Security groups

OIT will create these default groups when setting up your delegated OU. All other groups will be created by the Delegated OU-Admins.

• OU-OU Admins
• OU-Workstations Admins
• OU-All Users
• OU-All Workstations
• OU-Restricted

Important notes regarding OU Admins vs Workstations Admin Group

Non ADM accounts should NOT be members of the OU Admins or OU Workstation Admin groups.

ADM accounts should only be in one group or the other. Being in the OU Admins group can grant technicians more access than they need. OU Admins are already nested members of the Workstation admin groups.  If they only need Workstation admin rights, they would be in the Workstation Admin group only. 

OU Admins: Users in this group are recommended to have the following permissions and responsibilities:

• The permissions to modify rights over Groups, OUs, Group Policies, and Printers.
• Creating and assigning group policies to control settings for the users and computers within the delegated OU.
• Delegating certain administrative tasks to other users or groups within the delegated OU.
• OU Admins are already members of the Delegated OU-Workstation Admins group.

Workstations Admins: Users in this group are recommended to have the following permissions and responsibilities:

• The rights to migrate workstations to the domain, administrative rights over delegated OU workstations, and can add machines to the Delegated OU-All Workstations group.
• Installing, configuring, and updating software applications on workstations.
• Managing hardware configurations and drivers on individual computers.
• Troubleshooting and resolving issues related to specific workstations.
• Ensuring that workstations are compliant with security policies and updates.
• Providing user support for workstation-related problems.

Organization Units (OUs)

Each OU admin will have the ability to create and delete Sub-OUs within their Delegated OU.

Printer objects

Listed in the directory and able to be setup as print queues or mapped by direct IP printing. Print Management is done through an MMC snap-in, configured to connect to the print server hosting your print queue.

You can request print queues to be created on the Enterprise RAD print server (ASBRADPRINT01, 172.29.219.151) through this form. 

• Please ensure the Request Category = RAD-Rutgers Active Directory, and the Request Type = Printers. We need the following info to set up a print queue.
• Print queue name = Must begin with Delegated OU name.
• IP= Please ensure that you can access our print server from your subnet.
• Driver to user = link to the driver you want us to use for this print queue.

Shared drives

Managing Restricted Drive NTFS Permissions: Only applies to schools that have requested Enterprise On-prem storage.

• Each School’s OU admin group will be given Modify rights over the storage allocated to their school.
• Each School will have a Global Restricted (R) drive.
  
  • User would have to be added to the top-level Restricted group to have the drive mapped (OU-Restricted)
  • For each folder within this Drive, there should also be a corresponding AD security group created and added to the security of the folder
  • Access Based Enumeration (ABE) is enabled on Enterprise storage Servers, ensuring users will only be able to view folders they have permission to access
  • User would need to be a member of the following groups
    
    • OU-All Users
    • OU-Restricted
    • OU-Restricted (Name of Folder)
• Each school will have a Shared (S) drive mapped.
  
  • The department drive is designed to be accessible by anyone within a department.
  • ‘Modify’ permissions are automatically granted to anyone that is a member of the ‘OU-All Users’ group within the department’s Organizational Unit (OU).
• Each school must request Home Drive space which is separate location from Departmental shares
  
  • Their H Drive (Home): Personal server storage location for saving work related files.
  • Restricted to the individual user and could potentially mitigate data loss if stored on the network instead of locally.

Delegated OU-Workstation Admins will have rights to migrate machines to RAD and have administrative rights over the Departmental workstations through the Departmental Workstation baseline Group Policy. Delegated OU admins are a member of Workstation Admins group by default and have the same rights over PC objects as described below.

PC objects

All machines to be migrated will have to be pre-created in the Delegated OU, before it can be migrated. OIT has defined standard naming convention to be used for RAD managed PC objects.

PC management should be done through ADUC (Active Directory Users and Computers), or ADAC (Active Directory Administrative Center).

Once added to the delegated OU’s All workstations group, the baseline policy will allow them to have administrative access over these devices.

This group is also granted modify rights over their departmental print queues.