Active Directory - Training - Access Procedure (Groups, Software, Printers)
Procedures to follow when a client requests access, for themselves or for other staff, to drives or groups in AD, or asks to install software that is not listed in the Software Center/Self Service.
This document is intended for Help Desk or Endpoint staff who have rights to add access to groups and/or drives in the campus Active Directory (AD).
This document expects you to know how to add objects to groups, how to search for objects, and the basic object types.
If you do not know how to use Active Directory, Active Directory - Training - Basic Help Desk Functionalities is required reading.
What is Active Directory Used For?
Active Directory is the glue that holds university computers together. It allows us to organize computers, map printers, map share drives, install software, and so much more from the comfort of our desks. Computers, users, and printers are represented by objects which can be moved around within the directory, or can be members of other groups.
In other words, Active Directory is a data structure that allows us to group our clients and machines in such a way that makes applying policy to them easy. Changes in AD affect how the other management tools, like SCCM, take effect; that's why keeping AD up to date and correct is so important.
Because this system is shared by the entire university and small changes can cause some problems, be careful and follow procedure when editing AD permissions.
The following is a simplified list of common actions we perform for our clients using Active Directory:
- User Roles
  - Adding a user to a group in SA\Groups\Security\User Roles (such as 'SA-UR-Housing-Administration') gives them access to everything that group is a member of, including scan shares, special software permissions, and uFile groups. It also lets group policy know that the mapping for the scan folder should exist for that user, if item-level targeting is done.
- OU Machine organization
  - Adding a computer to a group in SA\Workstations\Units\*Department* (such as 'Athletics' or 'Housing\Cambridge\Front Desk Staff') lets group policy know which policies to apply based on where the computer is located (such as the correct printers available to the computer).
- Software Access
The following are procedures for granting access to certain types of groups, separated by type. These are based on extremely common requests by clients.
For any modification to permissions, you must record in the ticket the modifications made and who authorized them. For an example of an access procedure done correctly, see ticket #255595.
Granting Shared Drive Access
Follow these steps if you are mapping a scan drive:
- Find the group corresponding with the drive in ad.uwm.edu\SA\Groups\Security\Endpoint\Scan Shares
- Obtain Supervisor Approval
- Most Scan Share groups are linked directly to other user roles. If this is the case, do not add individual members to the Scan Share--rather, follow it through to learn whom you should contact for user role (UR) membership.
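The check in the last step, as an added PowerShell example (not part of the original procedure): it classifies a Scan Share group's members so that nested user role groups are followed to their owner and directly added accounts are flagged for a ticket check. The function name, the sample members, and the distinguished-name layout derived from ad.uwm.edu\SA\Groups\Security\User Roles are assumptions.

```powershell
# Added example. Assumption: the SA\Groups\Security\User Roles path on this page
# corresponds to nested OUs with the distinguished-name fragment below.
function Get-ScanShareMemberReview {
    param(
        [Parameter(Mandatory)] [object[]] $Members,
        [string] $UserRoleOu = 'OU=User Roles,OU=Security,OU=Groups,OU=SA'
    )
    foreach ($m in $Members) {
        $isGroup = $m.objectClass -eq 'group'
        $inUserRoles = $m.distinguishedName -like "*,$UserRoleOu,*"
        $finding = if ($isGroup -and $inUserRoles) {
            # Expected case: access flows through a user role (UR) group.
            'OK: user role group, request membership from the UR contact'
        } elseif ($isGroup) {
            'Review: nested group outside User Roles'
        } else {
            # Individual members should not be added to a UR-linked Scan Share.
            'Exception: direct member, confirm approval is logged in a ticket'
        }
        [pscustomobject]@{
            Name    = $m.Name
            Class   = $m.objectClass
            Finding = $finding
        }
    }
}

# Constructed sample members, shaped like Get-ADGroupMember output.
$sample = @(
    [pscustomobject]@{
        Name = 'SA-UR-Housing-Administration'; objectClass = 'group'
        distinguishedName = 'CN=SA-UR-Housing-Administration,OU=User Roles,OU=Security,OU=Groups,OU=SA,DC=ad,DC=uwm,DC=edu'
    },
    [pscustomobject]@{
        Name = 'example-user'; objectClass = 'user'
        distinguishedName = 'CN=example-user,OU=Example,DC=ad,DC=uwm,DC=edu'
    }
)
Get-ScanShareMemberReview -Members $sample | Format-Table -AutoSize

# Against the live directory (requires the ActiveDirectory module; the group
# name is a placeholder):
# Import-Module ActiveDirectory
# Get-ScanShareMemberReview -Members (Get-ADGroupMember -Identity '<scan-share-group>')
```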
Granting Software Access
Removing User from Shared Drive
- Find the user
- Double click their name.
- Go to the “member of” tab which will be a list of all the groups they are in.
- Find the group they need to be removed from and click remove.
Mapping Printers (Mac)
- Acquire the computer name and the printer name, record them in the ticket.
- Navigate to SA\Groups\Security\Endpoint\Printer Groups\LPR and see if a group exists.
- Find the group name associated with the printer.
- Add the computer as a member of that printer group.
- Have the user restart their computer, and verify the user can print without problems.
Moving Computers Between OUs (deploys printers for Windows, makes department-based policy apply)
- Acquire the computer name and where the computer is located
- Navigate to SA\Workstations\Units, and find the folder that best fits the description of the computer's location. This may be as simple as \Athletics or as involved as \Housing\Sandburg\Facilities\Andover.
- Find the computer and right click --> move
- In the dialog box, navigate to and select the folder you found in step 2. Click OK.
- Then, find and update the collection in SCCM. AD is just the data structure, SCCM is what reads AD's information and gets things done based on it. SCCM doesn't constantly check AD for updates, so we have to tell it to if we don't want to wait for the next refresh cycle.
- Once the machine shows in the correct collection in SCCM, it is settled in its new OU.
Misc. Tips and Tricks
Determining Group Name
Our clients may have names for these groups that do not make much sense to us. For example, a user may refer to a drive as the mount point ("Please map the V: drive") rather than the group ("Please map the Sandburg dock drive"). The best way to determine the name of the group is to ask the client questions or to ask for the ePantherID of someone with access to the drive and compare permissions.
Finding a User, Group, or Computer
- Right click on “ad.uwm.edu” at the top-left
- Click “Find…”
- If searching for a user or group, enter the username or group you are looking for in the “Name:” field.
- If searching for a computer, change the drop down menu in the top left to “computers” and enter the computer name in the “Computer Name:” field.