
AUB Enabled Desktop Environment (AUBede)


Contents

1. (Access Rights Matrix, continued) Privileged Access Role | Granting Authority | Executed by
AllProfilesAdmins, InstitutionalDataAdmins, AllComputersAdmins | CNS Director | Domain Admin, Built-inADAdministrators
DepartmentsAdmins | CNS Director | Domain Admin, Built-inADAdministrators
AllLabsAdmins | CNS Director | Domain Admin, Built-inADAdministrators
AllServersAdmin | CNS Director | Domain Admin, Built-inADAdministrators
MCAdmins | CNS Director, AUBMC Director | Domain Admin, Built-inADAdministrators
AllHomeAdmins | CNS Director | Domain Admin, Built-inADAdministrators
<DepartmentName>Admin | Director, Dean, Chairperson or Manager of <DepartmentName> | AllDepartmentsAdmins or MCAdmins
<DepartmentName1>Admin | Manager or Supervisor of <DepartmentName1> | <DepartmentName>OUAdmin
Win2kUser | Registrar Personnel | ADSync
<PCName>Logon | <PCName> Custodian | <DepartmentName>OUAdmin
<PCName>PowerUser | <PCName> Custodian | <DepartmentName>OUAdmin
<PCName>Admin (Domain Group) | Head of Department where <PCName> is located, <PCName> Custodian | <DepartmentName>OUAdmin
(page 43, AUBede User manual v2.0, Aug 2007, Computing & Networking Services, American University of Beirut)
<PCName> Local Administrator | Head of Department where <PCName> is located, Custodian | Password Escrow, CNS
Requesting Privileged A
2. Add the users that this GPO applies to (per user).
[Figure 14: Select type of deployment (per user / per machine)]
g. Click OK a few times and you will now see the printer under the list of deployed printers.
The second step is to add PushPrinterConnections.exe to the computers:
h. Open the "Add printer to <OUName>" policy in the Group Policy Object Editor and navigate to User Configuration > Windows Settings > Scripts (Logon/Logoff).
i. Right-click on the Logon policy in the right-hand pane and select Properties.
j. Click the Show Files button and copy the file PushPrinterConnections.exe from the %Windir%\PMCSnap folder into the open policy folder.
k. Close the policy folder, click the Add button on Logon Properties and type PushPrinterConnections.exe into the Script Name field.
l. Click OK a couple of times. The logon script will be displayed in the policy when it has been successfully added.
6.9 Special Mapped Network Drives
Each department may require that departmental shared folders be mapped as special network drives for users logging on to department computers. The procedure to be followed for this requirement is as follows:
- Share the necessary folders with proper NTFS and share permissions
3. <PCName>Logon: contains users who can logon to <PCName>. <PCName>PowerUser: contains users with Power User privilege on <PCName>. <PCName>Admin (Domain Group): contains users with administrator privilege on <PCName>.
Organizational Units:
AllComputers: the main OU under which OUs are created to hold computer objects not acting as servers.
Departments: under AllComputers, this OU contains all the department OUs outside the medical center.
AllLabs: under AllComputers, this OU contains all the lab OUs.
AllServers: the main OU under which OUs are created to hold computer objects acting as servers.
MedicalCenter: under AllComputers, this OU contains all the department OUs within the medical center.
AUBede Privileged Access Authority Type: the table details the Privileged Access Rights, the corresponding Granting/Revoking Authority, and the final Execution entity that implements the requested change.
Table: Privileged Access Role | Granting Authority | Executed by
Domain Admin | CNS Director | Domain Admin, Built-inADAdministrators
Built-inADAdministrators | CNS Director | Domain Admin, Built-inADAdministrators
4. ... the PCDeletion web form must be used. The process will:
- delete the computer object and all related groups from Active Directory
- delete the computer folder from DFS
- update all necessary fields
6.8 Common Services
6.8.1 Printing Services
Some departments may install a print server where different printers are shared. Each printer would be accessible to only one department or lab. Thus, depending on the lab or department (in other words, depending on the OU), the user must have the proper printer added to his profile. For example, if a user logs on in <labA>, <printerA> located in <labA> should be added. If the same user logs on in another lab, <printerB> located in that lab should be added and <printerA> should be removed, and so forth.
With the release of Windows Server 2003 R2, printers are now a lot easier to manage in an enterprise environment. A new tool in R2 lets you manage printers and print servers from a single central point of management. The Print Management console, once installed on an R2 machine, can then be used to manage print servers running Windows 2000 Server, Windows Server 2003 and Windows Server 2003 R2, and also, to a limited extent, print servers running Windows NT 4.0. To learn more about configuring the Windows 2003 R2 print server, click here.
To automate this process a procedure has been developed. The procedure is as follows:
a. Using group policy manageme
5. A detailed description of the Privileged Access rights, roles and permissions is provided in the Access Rights Matrix. Table 1 below provides a brief description of the main Organizational Units (OUs) and groups used in the AUBede design and in granting Privileged Access.
Table 1: Object Type | Naming Convention | Description
Security Groups | Domain Admins | Built-in group. Highest privileges on the domain resources. Membership of this group is highly restricted. Any and all transactions performed by users in this group will be audited.
Security Groups | Built-inADAdministrators | Users in this group (mostly used in scripts) have the permission to modify Active Directory. Such modifications are audited.
Security Groups | DataAdmin | Has Administrator privileges on specific data folders.
Security Groups | AllComputersAdmins | Administrators of the AllComputers OU.
Security Groups | DepartmentsAdmins | Administrators of the Departments OU.
Security Groups | AllLabsAdmins | Administrators of the AllLabs OU.
Security Groups | AllServersAdmin | Administrators of the AllServers OU.
Security Groups | MCAdmins | Administrators of the MedicalCenter OU.
Security Groups | AllHomeAdmins, AllProfilesAdmins, InstitutionalDataAdmins | Administrators of the data in the Homes, Profiles and institutional data directories, respectively.
Security Groups | <DepartmentName>Admin | Administrators of the <DepartmentName> OU.
Security Groups | <DepartmentName1>Admin | Administrators of the <DepartmentName1> OU.
6. ... within a department. For already joined computers, upon web form submission the computer object will be moved to the destination lab OU specified in the web form.
5.7 For New Computers
For computers not yet joined to the domain, upon submission a computer object is created in the destination lab OU specified in the web form.
5.8 Results and Effects
- Allowing users to logon to Lab Computers: any user who must logon to any of the Lab Computers should be made a member of the domain group <OUname>Logon.
- Granting administrative privileges on all Lab Computers: any user who must have administrative privilege on any computer in the lab OU should be made a member of the domain group <OUname>Admins.
- Granting OU administrative privileges: any user who should manage an OU should be made a member of <OUname>OUAdmins.
5.9 Disjoining/Deleting Lab Computers
As for department computers, for every lab computer that will be renamed, moved to another department or disjoined from the domain, the PCDeletion web form must be used. The process will delete the computer object from Active Directory and update all necessary fields. The user running this form must be a member of the PCDeletors domain group.
6 Kiosk Organizational Units
Kiosk Computers
7. ... are public computers used in different departments where only one user is always logged on to the machine. This user is called the Kiosk user. The Windows interface on Kiosk Computers is customized to restrict users' access to a limited set of applications.
6.1 Running the PCCreation/Migration Web form
NOTE: The kiosk user must be created in the proper OU before the web form is used. A system administrator can request the right to create kiosk users for his/her department in certain specific cases. AUBede recommends against the creation of users that are not synchronized with the main HR and students databases. The Organizational Unit that will contain kiosk users is called "Kiosk Users" and is located inside the "All Users" Organizational Unit. The administrator will be notified of what password to choose for kiosk users.
In order to add or migrate a machine to a kiosk machine, the PCCreation/Migration web form must be used by going to http://aubede.aub.edu.lb. After the administrator enters the barcode of the computer, the following fields need to be filled, as shown in Figure 10:
- Computer name: as it will be created in Active Directory
- Location: Medical Center or Campus
- Computer Type: in this case it is a kiosk computer. For details about lab and department computers please check the corresponding sections in this document.
8. [Figure 4: Delegation of Control Wizard, Active Directory object type]
Then the following permissions must be selected:
- Read
- Write
- Read all properties
- Write all properties
- Create computer objects
- Delete computer objects
- Create group objects
- Delete group objects
- Create GroupPolicyContainer objects
- Delete GroupPolicyContainer objects
- Create Organizational Unit objects
- Delete Organizational Unit objects
After completing the above steps, the administrator running the delegation task must run the wizard again to give <OUName>OUAdmins full control on computer objects. On the first page of the Delegation of Control Wizard the same group is selected as in Figure 2. On the next page, "Create a custom task to delegate" is again chosen, as in Figure 3. On the following page, the "Only the following objects in the folder" radio button is selected and
9. [Figure 6: Delegation of Control Wizard, full control on computer objects]
In order for the new <OUName>OUAdmins to be able to create group policies on their departments, they must be added to the Group Policy Creator Owners group, in addition to all previously granted permissions. The higher level OU Administrator might not have the permission to add members to the Group Policy Creator Owners group; the AUBede CNS coordinator shall be contacted for this purpose.
Note: Validation of the permissions delegation process is automated by a script that runs weekly against all Departmental OUs to reset the permissions and correct any misconfigured OUs.
4.3 Creating Group Policies on
10. [Figure 12: Deploy printer using the PM (Print Management) MMC console]
d. Click the Browse button and select the GPO you plan on using to deploy the printer.
[Figure 13: Browse and select GPO]
e. Click OK to return to the "Deploy with Group Policy" dialog box.
f. Now click the Add button to add the connection settings. The "Deploy with Group Policy" dialog shows the Printer Name, the Group Policy Object (GPO name, with a Browse button) and the option "Deploy this printer connection to the following
11. - Kiosk User: choose the user account which will always be logged on to the machine. This user will logon automatically (autologon) to the computer when the machine is started.
- Computer Organizational Unit: the OU in which the computer object should be created.
- Joined to Domain: if the computer is already joined choose Yes, otherwise choose No.
- Site: select the site (domain controller) where changes will first take effect before being replicated to the other sites' domain controllers.
[Figure 10: PCCreation/Migration form for Kiosk Computers (AUBede Enhanced Desktop Environment portal, Computer Details: Bar Code, Computer Name, Parent Department, Location, Computer Type, Kiosk User, Computer Organization Unit, Joined to Domain, Site)]
6.2 For new or Non-Migrated computers
After submitting the web form for Kiosk Co
12. ... and do not benefit from the AUBede automation and security policies and settings.
3.3 Migrated
A migrated Computer is one that is joined to the win2k.aub.edu.lb domain and has gone through the PCMigration process using the AUBede Administration Portal, as described below. Such a computer is now placed in a specific destination OU based on its assigned department and role.
4 Departmental Organizational Units
An OU is created for every department to allow for easier administration of the department's resources under the AUBede framework.
4.1 Department Organizational Unit
If the Department OU is not already created, a department's system administrator has to request an OU from an administrator who is delegated the administration of a higher level OU. The higher level OU Administrator shall fill a Privileged Access Agreement form for the requested OU from the AUBede Administration Portal (guidelines for filling the form are in Appendix A) and create the OU corresponding to the department's name, following the AUBede Naming Convention, in addition to the three corresponding groups in Active Directory:
- <OUName>OUAdmins (Domain Local Group)
For AUBede Active Directory OU structure details please refer to the AUBede Configuration Document.
13. ... as needed.
1. Each member of <OUname>OUAdmins who creates any group policy shall grant <OUname>OUAdmins the Full Control permission on this Group Policy.
2. The naming convention should be strictly followed when creating new group policies. Group policies not complying with the standard naming convention will be automatically deleted as part of the regular AUBede maintenance.
3. For better performance, we are disabling the user portion of all GPOs linked to computer objects.
5.4 Creating the Lab Automation folder
This is the same procedure as for department OUs. Please refer to the section "Creating the Departmental Automation folder" above.
5.5 Running the PCCreation/Migration Web form
For adding or migrating Lab Computers, the PCCreation/Migration web form from the AUBede portal (http://www.aubede.edu.lb) should be used. The user has to be authenticated and should be a member of the PCCreators group. The barcode of the computer to be created should then be entered. The barcode should already exist in the HEAT database; if the barcode does not exist in the HEAT database the user cannot continue. If the barcode is found, the system administrator will see the main page as shown in Figure 9, where the following fields have to be entered:
- Computer name: as it will be created in Activ
14. - <OUName>Admins (Global group)
- <OUname>Logon (Domain Local Group)
These groups will be placed outside the newly created Department OU so that the higher level OU Administrator can control their memberships.
Example: to join department A to AUBede, department A's system administrator requests from a member of <Departments>OUAdmins to create the department A OU with the corresponding groups. After <Departments>OUAdmins creates the OU, the structure will be as shown in Figure 1.
[Figure 1: win2k.aub.edu.lb departments OU structure (Active Directory Users and Computers: All Computers > Departments > AUBDPT, with the AUBDPT Admins, Logon and OUAdmins security groups)]
After the OU and the three corresponding groups are created, the higher level OU Administrator will have to fill in the membership of these groups. The <OUName>Admins group SHOULD contain as a member the higher level <OUName>Admins group. The <OUName>OUAdmins group SHOULD cont
15. ... the WDP tool.
10 Test Environment
A test environment (a cloned copy of the win2k real environment) is available for system administrators wishing to test automated scripts, policies or other Active Directory related technologies. Administrators should contact the AUBede team (aubede@aub.edu.lb) for a testing appointment.
11 Restoring objects
OU Administrators may request to have one or more deleted objects restored by contacting the AUBede Support Team (aubede@aub.edu.lb). Please provide the original LDAP path of the deleted object(s). CNS will make every effort to restore the objects to their original state; however, there are no guarantees, as some attributes may not be restored or recoverable. Individual units/departments are encouraged to properly document their OUs for easier recovery. Those wishing to implement their own backup/restore mechanism are encouraged to do so. CNS will be using the command line tool Adrestore.exe (ver 1.1, provided by Sysinternals/Microsoft) to restore deleted objects.
Appendix A: Guidelines for Requesting, Granting and Revoking Privileged Access on AUBede Active Directory Objects
Applicable Policies
11.1.1 Policy on Privileged Access
11.1.2 http cns aub edu l
16. ... then the "Computer objects" and "Group objects" checkboxes are selected, as shown in Figure 5.
[Figure 5: Delegation of Control Wizard, select computer objects (Active Directory Object Type page: "Only the following objects in the folder" with Computer objects checked; "Create selected objects in this folder" and "Delete selected objects in this folder")]
On the permissions page, select Full Control to grant the group <OUName>OUAdmins full control on computer and group objects in their Department OU, as shown in Figure 6.
17. ... this folder.
Note: To automate the events redirection process described in section 4 you can run the VBS script "Events Redirection.vbs", located at \\joumbaa\Softwares\Public\labs toolkit\Events Redirection.
9.4 Disabling System Hibernation
When a system hibernates it writes the contents of the system RAM to a file on the disk. Because modifications to the Windows partition are cleared when Windows Disk Protection is on and set to "Clear changes with each restart", hibernation will fail. Thus system hibernation must be disabled before turning on WDP.
9.5 WDP AUB Settings
WDP is configured for all AUB public PCs as follows:
- Microsoft Updates: enabled
- Updates Schedule: weekly; the time is set in accordance with the closing hour of the lab
- Antivirus Script: mcupdate.exe, located in C:\Program Files\Network Associates\VirusScan
[Figure 18: Windows Disk Protection auto update / virus scan schedule (Microsoft Shared Computer Toolkit for Windows XP; "Windows Disk Protection Is Off", Turn on, Restart Option 3:00 PM)]
Note: WDP creates 3 scheduled tasks on the system (At1, At2 and At3) for its maintenance period (period of updates); it is always recommended to delete any At scheduled task before turning on
18. ... the AUBede CNS coordinator in order to be added to a special group, PCCreators, allowed to use this web form.
Note: The PCCreation/Migration web form SHOULD BE USED at all times to join a PC and place it in the department OU without missing any of the required tasks associated with the creation of a new PC object, such as the creation of the 3 associated groups and the initial migration scripts.
The web form is located at http://aubede.aub.edu.lb, in the PCCreation section, and it will require user authentication. The user will have to enter win2k\<username> and the corresponding password to be authenticated. After the user is authenticated, the procedure shown in Figure 7 takes place.
[Figure 7: Procedure after authenticating to the PCCreation/Migration web form. The user account is checked for membership of PCCreators; the user is redirected to the first page and enters the barcode of the computer. If the computer has no barcode, contact the Supply Unit to obtain one. If the barcode does not exist in the HEAT database, the user cannot continue and should contact CNS; otherwise the user is redirected to the main page shown in Figure 8.]
19. (Table of contents, continued)
... Computers Within a Department ... 25
5.7 ... 25
5.8 Results and Effects ... 25
5.9 Disjoining/Deleting Lab Computers ... 26
6 Kiosk Organizational Units ... 26
6.1 Running the PCCreation/Migration Web Form
6.2 For New or Non-Migrated
6.3 In Active Directory ... 27
6.4 ... 28
6.5 Computer Startups ... 28
6.6 Moving Already Migrated Computers ... 29
6.7 Disjoining/Deleting Kiosk ... 29
6.8 Common Services ... 29
6.9 Special Mapped Network Drives
20. [Figure 15: OU structure for security groups (Active Directory Users and Computers: All Computers > Departments > AUBDPT > All Groups, containing Alphabetical Groups, Courses Groups, Grouping Groups and Resource Groups)]
8 Departmental Servers
Every Administrator will be delegated permissions on an OU inside the Servers OU. This OU will hold the department name. The department system Administrator will place all department server computer objects inside this OU and will have the permission to manage these servers. It should be noted that, like computer OUs, each server OU should also have three corresponding groups:
- <ServerOUname>OUAdmins: members can manage the OU
- <ServerOUname>Admins: members will have administrative privileges on servers in the OU
- <ServerOUname>Logon: members will have the right to logon to servers in the OU
The delegation is done at the OU level using the Delegation of Control Wizard. The permissions required are the same as for delegating control on a department or lab computer OU. Refer to section "Delegat
21. AUB Enabled Desktop Environment (AUBede) User Manual 2.2
Prepared by: Samih Ajrouch
Approved by: Rim Kadi
Published by the American University of Beirut, Computing and Networking Services, Beirut, Lebanon
AUB. All rights reserved. No part of this document may be reproduced or copied in any form or by any means (graphic, electronic or mechanical, including photocopying, recording, taping or information retrieval systems) without express written permission from the American University of Beirut. Furthermore, no part of this document may be distributed or shown to persons or organizations other than those authorized by the American University of Beirut. The information in this document pertains to the Enabled Desktop Environment plans for the American University of Beirut and is to be treated as confidential, except where officially issued by the American University of Beirut for distribution. Please direct questions or comments about this document to the assigned University representative.
Revision and Signoff Sheet
Change Record: Date | Author | Version | Change Reference
01/08/2007 | Samih Ajrouch | Pr
22. (Table of contents, continued)
... Organizational Unit ... 8
4.2 Delegating Permissions on a Department OU ... 11
4.3 Creating Group Policies on the Newly Created or Existing OUs ... 15
4.4 Creating the Departmental Automation Folder
4.5 Running the PCCreation/Migration Web Form
4.6 Moving Already Migrated Computers
4.7 Disjoining/Deleting Department Computers
5 Lab Organizational Units ... 22
5.1 Requesting an Organizational Unit ... 22
5.2 Delegating Permissions on the New Requested OU ... 22
5.3 Creating Group Policies on the Newly Created OUs ... 22
5.4 Creating the Lab Automation ... 23
5.5 Running the PCCreation/Migration Web Form ... 24
5.6 For Already Joined
23. ...ain as a member the higher level <OUname>OUAdmins group. The <OUname>Logon group SHOULD contain as a member the higher level <OUname>Logon group.
- Members of <OUname>OUAdmins will be the users who manage the OU, i.e. the system administrator who originally requested the OU, in addition to other system administrators if applicable. <OUName>OUAdmins will have the right to create/delete/manage computer and group objects, create/delete/manage sub-OUs, create/delete group policy objects, and delegate permissions for other users on the sub-OUs.
- Members of <OUname>Admins will be the users who have administrative privileges on all computers inside the department OU. Members of this group will indirectly be members of the local Administrators group of each computer in the department. Members of <OUname>OUAdmins may also be members of this group.
- Members of <OUname>Logon will be the users and groups who have the right to logon to all computers in the department.
4.2 Delegating permissions on a department OU
The required delegation permissions need to be set by the higher level OU Administrator for the <OUName>OUAdmin
24. [Figure 17: Disk Management window (Disk 0, Basic, 37.27 GB: 19.55 GB NTFS System partition, 4.88 GB, 12.84 GB NTFS, and unallocated space; CD-ROM F:, No Media)]
Note: If we are preparing an image for a public PC and it has to be deployed using Norton Ghost, it is always recommended to create and format a partition for this unallocated space (F:, for example), to be deleted after the deployment.
9.3 Placing Event Logs on a Persistent Partition
Entries made to the system and application event logs stored on the Windows partition will be lost each time the system restarts when Windows Disk Protection is on. For this reason it may be worthwhile to move the event logs to a persistent partition. We can accomplish this by modifying the paths saved in the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
The new path is D:\CNS\Events Logs\ (the .evt files). CNS is a hidden folder created on the D: drive; only administrators can access the contents of this folder, and the users' permissions are removed from the NTFS security of
25. ... that is characterized by:
- A computer object name <PCName> that is determined according to the AUBede Naming Convention by the department 3-letter abbreviation and the AUB barcode number, followed by a D. (For a definition of Organizational Unit (OU) please refer to the AUBede Blueprint or http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbd_ads_dwvv.mspx?mfr=true. The AUBede Naming Convention can be found in the AUBede Technical Configuration guide.)
- 3 associated user groups with Administrator, Power User or Logon privileges
- One main user (usually either a staff or faculty member) at all times, typically granted Logon privileges and exceptionally Power User privileges
2.2 Lab computers
Lab Computers are defined as a collection of computers to be used by a group of users interchangeably and indiscriminately. A Lab Computer is a machine that is characterized by:
- An object name <PCName> that is determined according to the AUBede Naming Convention by the lab 3-letter abbreviation and the AUB barcode number, followed by a
2.3 Kiosk computers
Kiosk Computers are PCs located in public areas where an Autologon Kiosk User is the only user allowed to logon to the PC and only a restricted set of applications is acc
26. ... b cns policy 2003 CNS P GEN PRIV ACCESS B pd
11.1.3 Information Technology Management Principles, Policies and Guidelines
11.1.4 http cns aub edu lb cns policy 2003 CNS P ADM A PPS A pdf
Privileged Access Granting and Revoking Authority:
- Deans: highest Privileged Access Granting/Revoking Authority over their respective faculty Organizational Unit (OU) and corresponding resources under AllComputers and Departments; executed by proxy by the director of CNS or delegated as required.
- Directors of Administrative and Academic Units: highest Privileged Access Granting/Revoking Authority over their respective department OU and corresponding resources under AllComputers, under their OU; executed by proxy by the CNS AD Administrator.
- PC Custodian: Privileged Access Granting/Revoking Authority over the specific user's PC.
- CNS AD Administrator: the Computing and Networking Services department is entrusted with the CNS AD Administrator role. As such, CNS implements actions based on technical considerations that guarantee best AUBede practices in terms of safety, functionality and security.
Access Rights: Access Group Membership and Audit Mechanism for a Domain PC
Access rights and permissions on resources depend on a user's group membership as well as on the OU where the PC hosting the resources is located.
c. Copy the start menu shortcuts that should appear to users in this lab/department and place them in this folder.
d. On the department/lab OU in Active Directory, create the necessary group policy to redirect users' start menus to this folder. The configuration of the group policy is:
   Computer Configuration > Administrative Templates > System > Group Policy > User group policy loopback processing mode: Enabled (Merge)
   User Configuration > Windows Settings > Folder Redirection > Start Menu: Redirect to the following location: \\win2k.aub.edu.lb\files\automation\<department/labname>\start menu

7 Departmental Security Groups

Every department will require creating domain security groups in order to set permissions on folders, printers or other resources. For every department there will be a special OU where the department system Administrator will be delegated the right to create groups and modify their memberships.

Notes: Access to resources should always be granted to domain groups rather than individual users.

The location of this OU will be as shown in Figure 1.

[Figure 1: Active Directory Users and Computers console showing the location of the departmental groups OU]
... 32
6.10 Start Menu Redirection ... 33
7 Departmental Security Groups ... 34
8 Departmental Servers ... 35
9 Settings for Public Labs Computers ... 35
9.1 Windows Disk Protection ... 35
9.2 Preparing the Hard Disk for the Windows Disk Partition ... 37
9.3 Placing Event Logs on a Persistent Partition ... 38
9.4 Disabling System Hibernation ... 39
9.5 WDP AUB Settings ... 39
10 Test ... 40
11 Restoring Objects ...
ccess Workflow

To request privileged access, the requester (Privileged Access User, or PAU) should:
1. Read and accept receipt of the Policy on Privileged Access (if first-time PAU).
2. Complete and sign an AD Privileged Access Agreement Form (PAAF) and secure his/her supervisor's approval.
3. Forward the request to the parent OU administrator to assess and validate the requirements.
4. Secure the approval of the appropriate granting authority for that OU.
5. The parent OU Administrator would then execute the request and file the supporting documents.

Instructions on How to Fill the Privileged Access Agreement Form

The first section of the form should be filled with the details of the system administrator requesting the privileged access. The system administrator could be part of the CNS system administrators team or a departmental system administrator who will be entrusted with the administration of the Departmental OU. The form offers the following selection fields:
- Scope: select one of three different available scopes representing the level at which the Privileged Access will take effect:
  - Institution: widest scope, whereby the granted Privileged Access would affect users and/or PCs on the whole of AUBede.
  - OU: whereby the granted Privileged Access would affect users and/or PCs under the specified OU.
  - PC: whereby the granted Privileged Access would take effect only on the specified PC name as it appears in the win2k Active Di
ctory.
- The corresponding groups will be deleted from Active Directory.
- The automation folder will be deleted from \\win2k.aub.edu.lb\files\automation\addstaffpc.
- The corresponding fields are updated in the HEAT database.

Because the information in the HEAT database must be updated whenever the computer's attributes are changed, using the PCDeletion is mandatory in the case of:
- Renaming a computer
- Moving a computer between departments
- Changing a computer's primary owner
- Disjoining a computer

5 Lab Organizational Units

5.1 Requesting an Organizational Unit

The process for requesting an organizational unit for Lab Computers is the same as that for department computers. The higher-level OU Administrator shall create the OU with the three groups:
- <OUname>OUAdmins (Domain Local Group): members should contain the groups/users who will administer the lab OU.
- <OUname>Admins (Domain Local Group, unlike for departments where it was a global group): members should include the groups/users who will be members of the local administrators group on each computer in the lab.
- <OUname>Logon (Domain Local Group): members should include all groups/users who are allowed to logon to these Lab Computers.

5.2 Delegating Permissions on the New Requested OU

This is also the same proce
dure as for department OUs. Please refer to section "Delegating permissions on a department OU" above.

5.3 Creating Group Policies on the Newly Created OUs

For lab organizational units there are two mandatory group policies that should be created before any computer is migrated to this OU. These two group policies define:
- The users or groups that have the right to logon locally to Lab Computers.
- The users or groups that will be members of the administrators group on Lab Computers.

The first group policy will have the following configuration:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow Logon locally: Add win2k\Domain Admins, win2k\<OUname>Logon, win2k\<OUname>Admins, Administrators.

The second group policy will define and restrict the groups/users who will be members of the local administrators group on each computer in the <OUname> OU. The configuration of this policy is as follows:
Computer Configuration > Windows Settings > Security Settings > Restricted Groups > Add group: write "Administrators" (without choosing the Browse option). Members of this group: add "Administrator" (without choosing the Browse option), win2k\administrators and win2k\<OUname>Admins.

The lab administrator can later on create additional Group Policies
e Directory.
- Location: Medical Center or Campus.
- Computer Type: in this case it is a Lab Computer. For a description of Department and Kiosk computers please refer to the corresponding sections in this document.
- Computer Organizational Unit: i.e. the lab OU in which the computer object should be created.
- Joined to Domain: if the computer is already joined choose Yes, otherwise choose No.
- Site: select the site (domain controller) where changes will first take effect before being replicated to other sites (domain controllers).

[Figure 9: PCCreation/Migration form for Lab Computers (web form screenshot with the fields Bar Code, Computer Name, Parent Department, Location, Computer Type, Organization Unit, Joined to Domain, Site; last updated on July 14, 2004)]

5.6 For Already Joined Computers
erelease 2.0 | Updates and new additions to Rev 1.0 | AUBede Manual for sys admins ver 2.doc | 07/08/2007 | Rim Kadi
Prerelease 2.0r | Review and editing | AUBede Manual for sys admins ver 1.2R.docx | 13/08/2007 | Samih Ajrouch
Prerelease 2.0 | Review and editing | AUBede Manual for sys admins ver 2.2.doc | |

Document Reviewed and Approved by:
Name | Date reviewed
Samih Ajrouch (CNS) |
Rim Kadi (CNS) |

TABLE OF CONTENTS

1 Introduction ... 6
2 Computer Roles ... 6
2.1 Department Computers ... 6
2.2 Lab Computers ... 7
2.3 Kiosk Computers ...
3 Joined, Not Joined and Migrated Computers ...
3.1 Not Joined to the Domain ... 8
3.2 Joined to Domain ... 8
3.3 Migrated ... 8
4 Departmental Organizational Units ... 8
4.1 Department O
... 40
Appendix ... 41

1 Introduction

This document is intended to provide departmental system administrators with the operational guidelines to manage and maintain Active Directory objects and network resources in their department's Organizational Units (OUs) under the AUBede framework. Such system administrators are typically in charge of managing computing resources and personal computers used by a department's staff, faculty and/or students. This manual outlines the AUBede standard operation procedures of relevance. For further details and an overview of the AUBede design, the reader may refer to the AUBede Blueprint.

Applicable Policies

This AUBede Blueprint document is based on the following policies:
- Policy on Privileged Access (pdf format)
- AUBnet accounts and email policies (pdf format)
- AUBnet Code of Conduct
- AUBnet Minimal Data Backup Policy
- IT Management Principles, Policies and Guidelines (pdf format)
- AUBede Baseline Configuration (in progress)

2 Computer Roles

2.1 Department Computers

The AUBede framework identifies a Department Computer role by a group of configuration settings. A Department Computer is a machine th
essible. These PCs only operate in kiosk mode. A Kiosk Computer is a machine that is characterized by:
- An object name <PCName> that is determined according to the AUBede Naming Convention by the department 3-letter abbreviation, the AUB barcode number, followed by a
- 3 associated user groups with Administrator, Power User or Logon privileges.
- One main user (usually either a staff or faculty member) at all times, typically granted Logon privileges and exceptionally Power User privileges.

3 Joined, Not Joined and Migrated Computers

A personal computer at AUB or AUBMC can be in any of the following states in relation to AUBede and its associated Active Directory (win2k.aub.edu.lb):

Footnote: The AUBede Naming Convention can be found in the AUBede Technical Configuration guide.

3.1 Not Joined to the Domain

The computer is still a member of a workgroup or of a domain other than win2k.aub.edu.lb, and will be joined to the domain.

3.2 Joined to Domain

A Departmental Administrator or Support Staff has already joined the computer to the win2k.aub.edu.lb domain, but it is still not migrated to AUBede. Such computers are not yet migrated to their corresponding department OU
<Computername>Administrators and <Computername>Powerusers groups will be added to the <Computername>Logon group.

- In DFS
In \\win2k.aub.edu.lb\files\automation\addstaffpc a folder holding the computer name will be created. Inside this folder a file named runonce.bat is created. This file contains the configuration commands that should be executed the first time the computer starts up after the web form has been filled and submitted.

At Computer Startup
When the computer starts up for the first time after the web form has been filled and submitted, the following steps take place automatically:
- All members of the local administrators group of the computer are removed except the Administrator account and the Domain Admins group.
- A local group named logonlocally will be created on the computer.
- The domain group <Computername>Logon will be added to the local group logonlocally.
- The domain group <Computername>Administrators will be added to the local computer group Administrators.
- The domain group <Computername>Powerusers will be added to the local group Power Users.
- A local group denynetwork will be created and the domain group <Computername>Administrators will be added to this group.
- runonce.bat inside \\win2k.aub.edu.lb\files\a
he username of the user who will use this computer.
- User Type: choose whether this user will be a Power User on the computer or a normal user.
- Site: select the site (domain controller) where changes will first take effect before being replicated to other sites (domain controllers).

After the system administrator submits the form, the following process takes place:

- In HEAT Database
The computer barcode is used to locate the computer in the database. For every barcode the following fields are retrieved and updated: Computer name, Computer user, Department, Type of computer user (Normal User or Power User).

- In Active Directory
If the computer is not already joined, the computer object will be created in the Department OU chosen from the web form. If the computer was already joined to the domain, the computer object will be moved to the Department OU specified in the web form. Three global groups are created in the same Department OU where the computer object is created. These groups are <Computername>Administrators, <Computername>Powerusers and <Computername>Logon. <OUName>Admins will be added to the group <Computername>Administrators. The user account of the user who will use the computer (filled in the web form) will be added to the <Computername>Logon and to the <Computername>Powerusers groups (if requested). The <Computername
ing permissions on a department OU" above. Two group policies are required on each OU:
- The first policy defines who has the right to logon to the servers.
- The second policy restricts the membership of the local administrators group on the servers.

Refer to section "Printing Services".

9 Settings for Public Labs Computers

To keep the systems stable and reliable in AUB public labs, CNS introduces the Microsoft Shared Computer Toolkit. This tool provides a simple and effective way to defend shared computers from viruses, spyware and malicious software by clearing changes to the hard disk, effectively resetting the disk every time the computer restarts. This toolkit includes several tools designed especially to help manage individual computers that are members of Windows workgroups. One of these tools is Windows Disk Protection (WDP), which can be used in domain environments to protect computers from unwanted changes.

9.1 Windows Disk Protection

Unauthorized changes to a hard disk can make shared computers less reliable. Windows Disk Protection clears all changes that are made to the Windows partition each time the computer restarts. WDP ensures that computers start from a clean and trusted copy of Windows each time, removing viruses, spyware, temporary files and personal data from the compute
[Figure 3: Delegation of Control Wizard, custom task ("Tasks to Delegate" page, listing the common tasks: create/delete/manage user accounts, reset user passwords, read all user information, create/delete/manage groups, modify the membership of a group, manage Group Policy links, generate Resultant Set of Policy planning/logging)]

In answer to the "Delegate Control of" option, "This folder, existing objects in this folder, and creation of new objects in this folder" should be selected, as shown in Figure 4.

[Figure 4: Delegation of Control Wizard, "Active Directory Object Type" page (scope of the task to delegate on win2k.aub.edu.lb)]
mputers the following procedure takes place:

6.3 In Active Directory
If the computer is not already joined, the computer object will be created in the OU chosen from the web form. If the computer was already joined to the domain, the computer object will be moved to the OU specified in the web form.
- Three global groups are created in the same OU where the computer object is created. These groups are <Computername>Administrators, <Computername>Powerusers and <Computername>Logon. <OUname>Admins will be added to the group <Computername>Administrators.
- The kiosk user account chosen in the web form will be added to the <Computername>Logon domain group.
- The <Computername>Administrators and <Computername>Powerusers groups will be added to the <Computername>Logon group.

6.4 In DFS
In \\win2k.aub.edu.lb\files\automation\addstaffpc a folder holding the computer name will be created. Inside this folder a file named runonce.bat will be created. This file contains the configuration commands that should be executed the first time the computer starts up after the web form has been filled and submitted.

6.5 At Computer Startup
When the computer starts up for the first time after the web form has been filled and submitted, the following
[Figure 8: PCCreation/Migration Web Form for Department computers (web form screenshot with the fields Bar Code, Computer Name, Parent Department, Location, Computer Type, Organization Unit, Joined to Domain, UserName, Power User/Normal User, Site; last updated on July 14, 2004)]

4.5.1 For New or Non-Migrated Department Computers

Fill in the following information:
- Computer name: as it will be created in Active Directory.
- Location: Medical Center or Campus.
- Computer Type: in this case it is a Department Computer. Department computers are usually used by a specific and known staff or faculty member. Two other options are also available and will be discussed in later sections: Lab Computer and Kiosk Computer.
- Organizational OU: this is the Department OU in which the computer object should be placed.
- Joined to Domain: if the computer is already joined choose Yes, otherwise choose No.
- Username: enter t
4.4 Creating the Departmental Automation Folder

For every department joining AUBede, the OU Administrator can optionally request a folder under the \\win2k.aub.edu.lb\files\automation directory. This folder will be named by the department's name (e.g. AUBDPT) and will be used by the department's administrator to:
- Create and store automation scripts such as the printers scripts.
- Store automation utilities that should be deployed on the OU computers.
- Store start menu shortcuts to which users' start menus shall be redirected.
- Other automation procedures.

The administrator of the new OU should request the automation folder, if and when needed, from the higher-level OU Administrator. This Administrator will:
- Create the folder holding the new <OUName>. This folder will be created inside \\win2k.aub.edu.lb\files\automation\<higherlevelOUfolder>.
- Grant the lower-level <OUName>OUAdmins administrator the Modify permission on this folder.

4.5 Running the PCCreation/Migration Web Form

To move or join new computers to a department OU, a web form has been developed for system administrators to use. This web form will move already joined computers to the correct department, or create computer objects for computers that will be joined. It will also create the groups and scripts required to migrate the computer. The system administrator must contact
nt console, create and link a blank "Add printer to <OUName>" GPO to the OU.

[Figure 11: Create GPO to add printer to deploy (Group Policy Management console showing, under LAB VDK, the GPO "Add LAB VDK Printers R2" with Computer Configuration > Windows Settings > Scripts > Startup: pushprinterconnections.exe; data collected on 7/31/2007 8:57:47 AM)]

Open up the Print Management console from the print server and select the printer you wish. Right-click on the printer name and select "Deploy with Group Policy" from the shortcut menu. This opens the "Deploy with Group Policy" dialog box.

[Print Management console screenshot: Custom Printer Filters, Print Servers, Deployed Printers]
r with each restart. Because certain changes such as critical updates and antivirus signatures need to be permanently saved, Windows Disk Protection allows you to schedule such changes to occur automatically at whatever time you choose.

[Figure 16: WDP main window (Microsoft Shared Computer Toolkit for Windows XP, Windows Disk Protection: Enabled/Disabled)]

When an Administrator needs to install software or update system settings, she/he must follow the following procedure:
1. Restart the system, to ensure that recent disk changes are cleared.
2. Install software or update the system.
3. Access the WDP graphical tool (shortcut available in the start menu).
4. Enable the option "Saves changes with next restart".
5. Restart the system; the WDP filter works before the Windows startup to save the changes made by the Administrator.

Windows starts with the option "Clear changes with next restart" enabled, therefore there is no need to adjust any WDP settings after the restart.

As a summary, WDP:
- Helps protect operating system files.
- Clears changes when the computer restarts.
- Automates critical and antivirus updates.
- Lets you choose to save changes to disk.

9.2 Preparing the Hard Di
rectory.
- Role: depending on the chosen Scope, one of a number of roles can be selected. A detailed description of each role can be read from the Access Rights Matrix and the accompanying Authorized Security Document.
- Access Audited by: select, out of the available options, the type of audit alert (if any) applied to the Privileged Access to be granted.
- OU/PC name: enter the name of the OU or PC on which the Privileged Access would apply.

The PAAF should be signed and approved as follows:
1. The requester (PAU) requesting the privileged access should first sign the submitted form.
2. The form is then forwarded to the parent OU Administrator for assessment, comments and approval.
3. The form has then to be approved by the prime custodian of the subject system/data (the Granting Authority).
rk.

4.6 Moving Already Migrated Computers

To move already migrated computers from one department to another, or from one user to another within the same department, the computer must be disjoined from the domain by using the PCDeletion web form, as detailed in the "Disjoining/Deleting Department Computers" section below. The same computer must be joined again using the PCCreation web form.

4.7 Disjoining/Deleting Department Computers

Whenever a computer is to be renamed, moved to another department, moved to another user within the same department, or disjoined from the domain, the PCDeletion web form must be used. Using the PCDeletion web form guarantees the proper and complete AD object deprovisioning process. This web form is part of the AUBede administration portal (http://aubede.aub.edu.lb) under the PCDeletion section. Only members of the PCDeletors domain group are allowed to use this web form. Thus, after a user is authenticated, his/her account is checked against the PCDeletors membership. If the user is not a member of this group, he/she cannot continue and must contact the CNS AUBede coordinator; otherwise he/she is redirected to the next page. The system administrator will have to enter the computer barcode and/or computer name. Then, upon submission of the web form, the following procedure takes place. Since this is a Department Computer:
- The computer account will be deleted from Active Dire
s.
- On the OU that contains the computers where the users who will see the mapped drives shall logon, configure the following group policy:
  1. Name: <Departmentname> Map <folderdescription> to network drive
  2. Configuration:
     Computer Configuration > Administrative Templates > System > Group Policy > User group policy loopback processing mode: Enabled (Merge)
     User Configuration > Windows Settings > Scripts > Logon: add a logon script named map<folderdescription>.bat. Use the net use command to map the folder to a chosen network drive.

Note: NEVER use the X or P drive letters. The X drive points to the home or institutional folders of all users at AUB. The P drive is used for the automation process of automatic updates on all computers at AUB.

6.10 Start Menu Redirection

Some administrators require that users in the lab/department share the same start menu. The Administrator may choose to personalize the start menu on lab/department computers by hiding some shortcuts and adding others. This is possible using start menu redirection. The procedure to be followed for start menu redirection is:
a. In the automation folder corresponding to the department/lab, in \\win2k.aub.edu.lb\files\automation\<department/labname>, create a folder named "start menu".
b. Grant Authenticated Users the Read and Execute permission on this folder.
s on their department OU. The higher-level OU Administrator can run the Delegation of Control wizard on a Department OU that he/she created; for the previous example, a member of Departments OUAdmins will run the Delegation of Control wizard on the <AUBDPT> OU to grant permissions to <AUBDPT>OUAdmins. At the prompt, the user running the wizard should choose the <OUName>OUAdmins group to which he/she will delegate control on the Department OU, as shown in Figure 2.

[Figure 2: Delegation of Control Wizard, select group ("Users or Groups" page; selected users and groups: WIN2K\AUBDPT OUAdmins)]

The next window will prompt the higher-level OU Administrator to select a delegation task. The custom task option should be selected at this stage, as shown in Figure 3.
sk for the Windows Disk Partition

WDP requires a minimum of GB of unallocated disk space. This unallocated disk space will become the protection partition for storing disk changes temporarily when WDP is turned on. To turn on WDP we must fulfill the following requirements:
1. At least 1 GB, or approximately 10% of the Windows partition, whichever is greater, is available as unallocated disk space.
2. The unallocated disk space must follow a primary partition; it cannot be at the beginning of the disk.
3. The disk that contains the unallocated disk space may have no more than three primary partitions.
4. The position of the unallocated disk space is not significant, but normally for AUB public PCs it is located between the C and D partitions.

[Computer Management console screenshot: Disk Management showing the C: partition (Basic, NTFS, Healthy (System), 19.55 GB capacity, 16.02 GB free) and the D: partition (Basic, NTFS, Healthy, 12.84 GB capacity, 12.74 GB free)]
steps take place automatically:
- All members of the local administrators group of the computer are removed except the Administrator account and the Domain Admins group.
- A local group named logonlocally will be created on the computer.
- The domain group <Computername>Logon will be added to the local group logonlocally.
- The domain group <Computername>Administrators will be added to the local computer group Administrators.
- The domain group <Computername>Powerusers will be added to the local group Power Users.
- A local group denynetwork will be created and the domain group <Computername>Administrators will be added to this group.
- The kiosk user account is configured for autologon, that is, every time the computer starts up the kiosk user account is automatically logged on.
- The runonce.bat file inside \\win2k.aub.edu.lb\files\automation\addstaffpc is deleted.

6.6 Moving Already Migrated Computers

To move already migrated Kiosk Computers from one department to another, or for changing the kiosk user, the computer must be disjoined from the domain by using the PCDeletion web form. The computer must be rejoined using the PCCreation web form.

6.7 Disjoining/Deleting Kiosk Computers

For every kiosk computer to be renamed, moved to another department or disjoined from the domain, the
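The startup steps listed above (and the identical sequence in the "At Computer Startup" section for Department Computers) expressed as a batch script; this is an added illustration written for this page, not the manual's actual runonce.bat. It assumes the domain NetBIOS name win2k, the <Computername>Logon/Administrators/Powerusers group pattern the manual describes, and (for the kiosk variant only) the kiosk account name passed as the first argument; the member filtering in step 1 depends on the English output format of net.exe.

```batch
@echo off
rem Added example for this page, not the manual's own runonce.bat.
rem Assumptions: domain NetBIOS name win2k; per-PC domain groups named
rem <Computername>Logon, <Computername>Administrators and
rem <Computername>Powerusers; kiosk account name passed as %1 (kiosk
rem computers only). Runs once, as a startup script (LocalSystem),
rem on the computer being migrated.
setlocal enableextensions
set "DOMAIN=win2k"
set "PC=%COMPUTERNAME%"
set "KIOSKUSER=%~1"
set "WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

rem Step 1: remove every member of the local Administrators group except
rem the built-in Administrator and Domain Admins. "net localgroup" prints
rem two header lines, "Members", a dashed separator, one member per line
rem and a closing status line (blank lines are skipped by for /f), so the
rem loop skips the first four non-blank lines and filters the rest.
rem Note: this filtering relies on the English output of net.exe.
for /f "skip=4 delims=" %%M in ('net localgroup Administrators') do (
    if /i not "%%M"=="Administrator" (
        if /i not "%%M"=="%DOMAIN%\Domain Admins" (
            if /i not "%%M"=="The command completed successfully." (
                net localgroup Administrators "%%M" /delete
            )
        )
    )
)

rem Step 2: local group that the OU's "Allow log on locally" GPO refers to.
net localgroup logonlocally /add /comment:"Accounts allowed to log on locally"
net localgroup logonlocally "%DOMAIN%\%PC%Logon" /add

rem Step 3: the per-PC domain groups become local administrators / power users.
net localgroup Administrators "%DOMAIN%\%PC%Administrators" /add
net localgroup "Power Users" "%DOMAIN%\%PC%Powerusers" /add

rem Step 4: local group that the "deny access from the network" policy
rem refers to: the PC's administrators may log on locally but not over
rem the network, so one PC's admin group cannot be used to reach others.
net localgroup denynetwork /add /comment:"Denied network access to this PC"
net localgroup denynetwork "%DOMAIN%\%PC%Administrators" /add

rem Step 5 (kiosk computers only): Winlogon autologon for the kiosk
rem account. DefaultPassword is deliberately not written here: a
rem cleartext password does not belong in a script stored on a shared
rem automation folder, and the kiosk account is a member of <PC>Logon only.
if not "%KIOSKUSER%"=="" (
    reg add "%WINLOGON%" /v AutoAdminLogon /t REG_SZ /d 1 /f
    reg add "%WINLOGON%" /v DefaultDomainName /t REG_SZ /d "%DOMAIN%" /f
    reg add "%WINLOGON%" /v DefaultUserName /t REG_SZ /d "%KIOSKUSER%" /f
)

rem Step 6: the script runs once; remove it from the automation share.
rem This must be the last line, since cmd reads the batch file as it runs.
del "%~f0"
```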
the newly created or existing OUs. Now, as the <OUName>OUAdmins can create group policies on their OUs, there is one mandatory group policy that shall be created before any computer is migrated to the OU. This group policy defines who will have the right to logon to computers in this department. Thus the department administrator will create this group policy on the new OU; for the previous example, a member of the Departments OUAdmins will create the policy on the <DepartmentOU> OU. The configuration of this group policy will be as follows:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow Logon locally: Add win2k\Domain Admins, win2k\<OUName>Logon, win2k\<OUName>Admins, administrators, logonlocally.

The <OUName>OUAdmins can later create additional group policies.

Notes:
1. Any member of <OUName>OUAdmins who creates a Group Policy on the department's OU shall grant the <OUName>OUAdmins Full Control permission on this Group Policy.
2. The Naming Convention should be strictly followed when creating new group policies. Group policies not complying with the standard naming convention will be automatically deleted as part of the regular AUBede maintenance. For further details on the Naming Convention please refer to the AUBede Technical Configuration document.
utomation\addstaffpc is deleted.

4.5.2 Results and Effects

- Allowing users to logon to a Department Computer: the group policy "Logon rights to <Department> OUnam" on each Department OU grants the logon right to the local group logonlocally of each computer. At the first computer startup, the domain group <Computername>Logon is added to the logonlocally group. Thus, to grant any user the logon right to a specific Department Computer, his/her user account must be added to the <Computername>Logon domain group from Active Directory.
- Giving users administrative rights on a Department Computer: the domain group <Computername>Administrators is made a member of the local Administrators group of the computer. Thus, members of the domain group <Computername>Administrators have administrative privileges on the Department Computer. Every user who needs such privileges must be added to this domain group. The same process applies for the domain group <Computername>Administrators.
- Denied network access: members of the domain group <Computername>Administrators are made members of the local group Denynetwork. There is a group policy on all Department Computers that denies this group access to the computer from the netwo
