Default OU Layout
This document describes the purpose of the standard AD administrative groups and default layout when an OU is provisioned in the WolfTech Active Directory Environment. Most of the provisioning of an OU is done by a script, followed by some steps that are done manually by a NCSU or Domain Admin. After creation, a meeting is had between one or more NCSU Admins and the OU Admins of the new OU to do some initial customization.
Organizational Units
OU | Description |
---|---|
<Root OU> | The departmental root OU is the top level OU delegated to the department or college. This OU should be named using the organization’s common abbreviation. For example, the Department of Electrical and Computer Engineering uses the abbreviation, ECE, so its root OU should be named ECE. This OU should be placed under the NCSU OU hierarchy corresponding to its place within NCSU’s organizational hierarchy, primarily following the OUC structure. For example, the Department of Electrical and Computer Engineering is part of the College of Engineering, so the Department of Electrical and Computer Engineering’s OU should be created under the College of Engineering’s OU.The managedBy property should be set to the primary OU Admin. |
<Root OU>\Departmental Users | This OU is meant to contain all Users within the OU. |
<Root OU>\Departmental Users\Class Accounts | This OU is meant to contain all class accounts within the OU, thought using shared logins are discouraged. Feel free to delete if not applicable. |
<Root OU>\Departmental Users\OU Admins | This OU is meant to contain all OU Admin accounts within the OU. Departmental IT staff should create a <dot>admin account to perform IT administrative functions. OU Admin accounts need to have their CN attribute be the same as their samAccountName attribute for all scripts to function correctly. It is strongly advised to: a) not use UnityIDs in this group, b) not have student workers in this group due to the high security permissions on the departments AD & SCCM resources. Do not delete. |
<Root OU>\Departmental Users\Other Users | Feel free to delete if not applicable. |
<Root OU>\Departmental Users\Service Accounts | This OU is meant to contain all Service Accounts within the OU. Feel free to delete if not applicable. |
<Root OU>\Faculty | This OU is meant to contain all Faculty Computers within the OU. Feel free to delete if not applicable. |
<Root OU>\Faculty\Desktops | |
<Root OU>\Faculty\Laptops | |
<Root OU>\Research Labs | This OU is meant to contain all Research Labs within the OU. Feel free to delete if not applicable. |
<Root OU>\Research Labs\Sample RLab | |
<Root OU>\Research Labs\Sample RLab\Destkops | |
<Root OU>\Research Labs\Sample RLab\Laptops | |
<Root OU>\Servers | This OU is meant to contain all Servers within the OU. Feel free to delete if not applicable. |
<Root OU>\Software Packages | This OU is meant to contain all Software groups within the OU. Do not delete this or any OU’s created within it. |
<Root OU>\Software Packages\NCSU Software | This OU is where Freeware and Licensed Software groups will be located that are replicated down from the WolfTech\NCSU\Software Packages\NCSU Software OU. See Services\Software Distribution for more info. |
<Root OU>\Software Packages\Operating Systems | This OU is where SCCM Operating System groups will be located that are replicated down from the WolfTech\NCSU\Software Packages\Operating Systems OU. See Services\Imaging\SCCM Based Imaging for more info. |
<Root OU>\Software Packages\Special Configurations | This OU is where Special Configurations groups will be located that are replicated down from the WolfTech\NCSU\Software Packages\Special Configurations OU. See Services\Special Configurations for more info. |
<Root OU>\Software Packages\<Root OU> Software | This OU is where Freeware and Licensed Software groups will be located that are created and managed solely within the scope of the OU being created. See Services\Software Distribution for more info. |
<Root OU>\Software Packages\<Parent OU> Software | This OU is where Freeware and Licensed Software groups will be located that are replicated down from the WolfTech\NCSU\<Parent OU>Software Packages\<Parent OU> Software OU, if it exists. See Services\Software Distribution for more info. |
<Root OU>\Staff | This OU is meant to contain all Staff computers within the OU. Feel free to delete if not applicable. |
<Root OU>\Staff\Desktops | |
<Root OU>\Staff\Laptops | |
<Root OU>\Teaching Labs | This OU is meant to contain all Teaching Labs within the OU. Feel free to delete if not applicable. |
<Root OU>\Teaching Labs\Sample Tlab | |
<Root OU>\Teaching Labs\Sample Tlab\Desktops | |
<Root OU>\Teaching Labs\Sample Tlab\Laptops | |
<Root OU>\Unassigned |
Users
User | Description |
---|---|
<Root OU>\Departmental Users\OU Admins\<unityid>.admin | Create an Administrator account for each desired IT staff member in the department. The account should be created in the <Root OU>\Departmental Users\OU Admins OU. These accounts will be given Administrator priveleges in the departmental OU and local administrator on all computers in the departmental OU. |
Groups
Group | Description |
---|---|
<Root OU>\<Root OU>-ACS Users | DEPRECATED Members are given read access to the ACS Q drive. A GPO (NCSU-ACS Users) is linked at the People OU and is filtered to the NCSU-ACS Users group to automatically mount the Q drive. This group is a member of NCSU-ACS Users. Only staff who need access to the ACS Q Drive should be members of this group. |
<Root OU>\<Root OU>-Allow Imaging | Allows members to install computers using WDS or SCCM A GPO is linked to the domain root and filtered to the NCSU-Allow Imaging group to allow members of this group to use join computers to the domain. This group is a member of NCSU-Allow RIS. This group is given permissions to custom images in WDS and SCCM. This group is not given any permissions to the <Root OU> OU by default. |
<Root OU>\<Root OU>-Computer Admins | Members of this group have Administrator privileges on all <Root OU> computers. This group is a member of the local Administrators group on all computers in the <Root OU> OU. Members of this group have Administrator privileges on all <Root OU> computers, but no special domain privileges. <Root OU>-OU Admins is a member of this group. |
<Root OU>\<Root OU>-Computer Migrators | Members of this group have the ability to join computers to the domain. This group is not given any permissions to the <Root OU> OU by default. Here is more information on recommended usage. |
<Root OU>\<Root OU>-Computers | This group contains all computers under the <Root OU> OUthrough group nesting. |
<Root OU>\<Root OU>-Desktops | This group contains all desktop computers under the <Root OU> OU through group nesting. |
<Root OU>\<Root OU>-Enable Remote Assistance | Enables Unsolicited Remote Assistance on member computers. A GPO (<Root OU>-Enable Remote Assistance) is linked at the <Root OU> OU and filtered to this group that enables Unsolicited Remote Assistance on all members of this group. |
<Root OU>\<Root OU>-Enable Remote Desktop | Enables Remote Desktop on member computers. A GPO (<Root OU>-Enable Remote Desktop) is linked at the <Root OU> OU and filtered to this group that enables Remote Desktop on all members of this group. |
<Root OU>\<Root OU>-Laptops | This group contains all laptop computers under the <Root OU> OUthrough group nesting. |
<Root OU>\<Root OU>-OU Admins | This group is delegated Full access to the <Root OU> OU. Do not delete, move, or rename. |
<Root OU>\<Root OU>-Remote Assistants | Members of this group are permitted to provide Unsolicited Remote Assistance. |
<Root OU>\<Root OU>-Users | This group contains all users associated with the <Root OU> department. |
<Root OU>\Faculty\<Root OU>-Faculty | |
<Root OU>\Faculty\<Root OU>-Faculty.Computers | |
<Root OU>\Faculty\<Root OU>-Faculty.Desktops | |
<Root OU>\Faculty\<Root OU>-Faculty.Laptops | |
<Root OU>\Research Labs\<Root OU>-Research Labs.Computers | |
<Root OU>\Research Labs\<Root OU>-Research Labs.Desktops | |
<Root OU>\Research Labs\<Root OU>-Research Labs.Laptops | |
<Root OU>\Research Labs\<Root OU>-Research Labs.Users | |
<Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Administrators | |
<Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Computers | |
<Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Desktops | |
<Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Laptops | |
<Root OU>\Research Labs\Sample Rlab\<Root OU>-Sample Rlab.Users | |
<Root OU>\Staff\<Root OU>-Staff | |
<Root OU>\Staff\<Root OU>-Staff.Computers | |
<Root OU>\Staff\<Root OU>-Staff.Desktops | |
<Root OU>\Staff\<Root OU>-Staff.Laptops | |
<Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Computers | |
<Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Desktops | |
<Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Laptops | |
<Root OU>\Teaching Labs\<Root OU>-Teaching Labs.Users | |
<Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Administrators | |
<Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Computers | |
<Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Desktops | |
<Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Laptops | |
<Root OU>\Teaching Labs\Sample Tlab\<Root OU>-Sample Tlab.Users | |
Group Memberships
Group Membership |
---|
<Root OU>-ACS Users –> <Parent OU>-ACS Users |
<Root OU>-Allow RIS –> <Parent OU>-Allow RIS |
<Root OU>-Computer Admins –> <Root OU>-Allow RIS |
<Root OU>-Computer Admins –> <Root OU>-Remote Assistants |
<Root OU>-Computer Migrators –> <Parent OU>-Computer Migrators |
<Root OU>-Desktops –> <Parent OU>-Desktops |
<Root OU>-Desktops –> <Root OU>-Computers |
<Root OU>-Laptops –> <Parent OU>-Laptops |
<Root OU>-Laptops –> <Root OU>-Computers |
<Root OU>-OU Admins –> <Parent OU>-Departmental OU Admins |
<Root OU>-OU Admins –> <Root OU>-Allow RIS |
<Root OU>-Users –> <Parent OU>-Users |
<unityid>.admin –> <Root OU>-Computer Admins |
<unityid>.admin –> <Root OU>-OU Admins |
<Root OU>-Faculty –> <Root OU>-Users |
<Root OU>-Faculty.Desktops –> <Root OU>-Desktops |
<Root OU>-Faculty.Desktops –> <Root OU>-Faculty.Computers |
<Root OU>-Faculty.Laptops –> <Root OU>-Laptops |
<Root OU>-Faculty.Laptops –> <Root OU>-Faculty.Computers |
<Root OU>-Research Labs.Users –> <Root OU>-Users |
<Root OU>-Research Labs.Desktops –> <Root OU>-Desktops |
<Root OU>-Research Labs.Desktops –> <Root OU>-Research Labs.Computers |
<Root OU>-Research Labs.Laptops –> <Root OU>-Laptops |
<Root OU>-Research Labs.Laptops –> <Root OU>-Research Labs.Computers |
<Root OU>-Sample Rlab.Administrators –> <Root OU>-Sample Rlab.Users |
<Root OU>-Sample Rlab.Desktops –> <Root OU>-Research Labs.Desktops |
<Root OU>-Sample Rlab.Desktops –> <Root OU>-Sample Rlab.Computers |
<Root OU>-Sample Rlab.Laptops –> <Root OU>-Research Labs.Laptops |
<Root OU>-Sample Rlab.Laptops –> <Root OU>-Sample Rlab.Computers |
<Root OU>-Sample Rlab.Users –> <Root OU>-Research Labs.Users |
<Root OU>-Staff –> <Root OU>-Users |
<Root OU>-Staff.Desktops –> <Root OU>-Desktops |
<Root OU>-Staff.Desktops –> <Root OU>-Staff.Computers |
<Root OU>-Staff.Laptops –> <Root OU>-Laptops |
<Root OU>-Staff.Laptops –> <Root OU>-Staff.Computers |
<Root OU>-Teaching Labs.Users –> <Root OU>-Users |
<Root OU>-Teaching Labs.Desktops –> <Root OU>-Desktops |
<Root OU>-Teaching Labs.Desktops –> <Root OU>-Teaching Labs.Computers |
<Root OU>-Teaching Labs.Laptops –> <Root OU>-Laptops |
<Root OU>-Teaching Labs.Laptops –> <Root OU>-Teaching Labs.Computers |
<Root OU>-Sample Tlab.Administrators –> <Root OU>-Sample Tlab.Users |
<Root OU>-Sample Tlab.Desktops –> <Root OU>-Teaching Labs.Desktops |
<Root OU>-Sample Tlab.Desktops –> <Root OU>-Sample Tlab.Computers |
<Root OU>-Sample Tlab.Laptops –> <Root OU>-Teaching Labs.Laptops |
<Root OU>-Sample Tlab.Laptops –> <Root OU>-Sample Tlab.Computers |
<Root OU>-Sample Tlab.Users –> <Root OU>-Teaching Labs.Users |
Group Policies
Group Policy | Description |
---|---|
<Root OU>-OU Policy | This Group Policy by default sets the Primary DNS suffix, DNS Search Path, WSUS Targeting, and the Restricted groups setting for <Root OU>-Computer Admins to be a member of the local Administrators group. Filtered on Authenticated Users. |
<Root OU>-Enable Remote Assistance | This Group Policy enables unsolicited Remote Assistance offers from the <Root OU>- Remote Assistants group. Filtered on the <Root OU>-Enable Remote Assistance group. |
<Root OU>-Enable Remote Desktop | This Group Policy enables Remote Desktop and adds an allow inbound on 3389 firewall rule. Filtered on the <Root OU>-Enable Remote Desktop group. |