Active Directory
Just a few notes about the current state of our AD. 4/09/2009
The directory is hosted on Ford (the domain controller).
Everything you might need to do on a daily basis can be done from Start > Administrative Tools > Active Directory Users and Computers or Group Policy Management.
Active Directory Users and Computers Notes
Most of the OUs (Organizational Units) are self-explanatory as to what should be contained in them.
Ideally every computer should sit in the right OU, but that hasn't really happened. A computer joined to the domain is placed by default into the Computers container (CN=Computers). This is a container rather than an OU, so no GPO can be linked to it: a machine left there only receives domain-level policy. From there it would be good to maintain OUs for servers, faculty workstations, labs, etc. This has been done to some degree, but should the directory be rebuilt, that would be a prime opportunity to do it properly.
Users are for the most part organized fairly well.
- The Staff OU is obsolete (not to be confused with the Office > Staff container).
- The Users container (the default CN=Users, not an OU) holds a few general accounts, e.g. the built-in Administrator account.
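As an added example (not part of the original notes), the following PowerShell lists every machine still sitting in the default Computers container and moves each one to an OU chosen by its name. It assumes the RSAT ActiveDirectory module (Server 2008 R2 / Windows 7 or later); the domain name and the container come from the notes, while the target OUs and the name patterns are assumptions to adjust to the real layout.

```powershell
# Added example, not from the original notes. Assumes the RSAT ActiveDirectory
# module; the domain DN and the Computers container are from the notes, the
# target OUs and the machine-name patterns are assumptions.
Import-Module ActiveDirectory

$domainDN = 'DC=w2k,DC=cis,DC=ksu,DC=edu'
$default  = "CN=Computers,$domainDN"        # where newly joined machines land

# name pattern -> OU (assumed convention: lab machines are named after the room)
$rules = @(
    @{ Pattern = '^N022-'; Target = "OU=N022,OU=Labs,$domainDN" },
    @{ Pattern = '^N126-'; Target = "OU=N126,OU=Labs,$domainDN" }
)

function Get-UnsortedComputers {
    # Machines still in the default container receive no OU-linked GPOs at all.
    Get-ADComputer -SearchBase $default -SearchScope OneLevel -Filter * -Properties OperatingSystem
}

function Move-ComputersToOU {
    param([switch]$Commit)   # dry run unless -Commit is given
    foreach ($c in Get-UnsortedComputers) {
        $rule = $rules | Where-Object { $c.Name -match $_.Pattern } | Select-Object -First 1
        if (-not $rule) {
            Write-Warning "no rule for $($c.Name) ($($c.OperatingSystem)); left in $default"
            continue
        }
        # refuse to move into an OU that does not exist yet
        try { $null = Get-ADOrganizationalUnit -Identity $rule.Target }
        catch { Write-Warning "target OU $($rule.Target) does not exist; skipping $($c.Name)"; continue }
        if ($Commit) {
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $rule.Target
            "moved $($c.Name) -> $($rule.Target)"
        } else {
            "would move $($c.Name) -> $($rule.Target)"
        }
    }
}

Move-ComputersToOU            # print the plan first
# Move-ComputersToOU -Commit  # then apply it
```

Run it once without -Commit and read the warnings: every machine with no matching rule is one the naming convention does not cover. If the domain functional level is at least Windows Server 2003, the `redircmp` tool can also change the default location for newly joined machines to a staging OU that has a lockdown GPO linked to it, so machines never start out in the container that policy cannot reach.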
Group Notes
- Students get the proper default permissions on lab workstations only if they are in either the Grads or Ugrads group; a specific group policy is applied to those two groups.
- Office staff need two groups to reach their files: Office Staff, which lets them map the drive in Windows, and office_users (under Security Groups > Unix > PrimaryGidGroups), which gives them access to the Unix file system. Missing either one means the user cannot get to the files.
- When I configured Steam in the N022 lab, I created a group in order to limit the users that could run Steam. The group is named Steam Users and located in the Users folder
- The group policy for Grads/Ugrads prohibits them from locking a workstation. I created a policy that overrides that if a student needs to be able to lock their station. They need to be a member of the Lock Workstation group, located in the Students OU.
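The group notes above describe three things that are easy to get wrong silently: a student missing from both Grads and Ugrads, an office user in Office Staff but not office_users, and an override GPO whose security filtering does not actually limit it to the Lock Workstation group. The following PowerShell, added here as an example and not part of the original notes, checks all three. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the Students OU path and the override GPO's display name are assumptions, the group names are the ones the notes use.

```powershell
# Added example, not from the original notes. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules; the Students OU path and the override GPO's display name are
# assumptions, the group names are the ones the notes use.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN   = 'DC=w2k,DC=cis,DC=ksu,DC=edu'
$studentsOU = "OU=Students,$domainDN"          # assumed DN of the Students OU

function Get-MemberSet {
    # sAMAccountNames of a group's user members (nested groups flattened) as a lookup table
    param([string]$Group)
    $set = @{}
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $set[$_.SamAccountName] = $true }
    return $set
}

function Test-StudentGroups {
    # Lab permissions come only from the Grads/Ugrads policy, so every enabled
    # account under the Students OU must be in one of the two groups.
    $grads  = Get-MemberSet 'Grads'
    $ugrads = Get-MemberSet 'Ugrads'
    Get-ADUser -SearchBase $studentsOU -Filter { Enabled -eq $true } |
        Where-Object { -not ($grads[$_.SamAccountName] -or $ugrads[$_.SamAccountName]) } |
        ForEach-Object { "$($_.SamAccountName): in neither Grads nor Ugrads" }
}

function Test-OfficeGroups {
    # Office Staff lets the drive be mapped; office_users is needed for the Unix side.
    $unix = Get-MemberSet 'office_users'
    (Get-MemberSet 'Office Staff').Keys |
        Where-Object { -not $unix[$_] } |
        ForEach-Object { "$($_): in Office Staff but not office_users" }
}

function Test-OverrideFiltering {
    # An override GPO does its job only if Apply is granted to the intended group and
    # NOT to Authenticated Users (the default, which would apply it to everyone).
    param([string]$GpoName, [string]$Group)
    $perms = Get-GPPermission -Name $GpoName -All
    $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' }
    if (-not ($apply | Where-Object { $_.Trustee.Name -eq $Group })) {
        "$($GpoName): $Group does not have Apply Group Policy"
    }
    if ($apply | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }) {
        "$($GpoName): Authenticated Users still has Apply, so the override is not limited to $Group"
    }
    # Since MS16-072 the computer account reads user GPOs, so a Read entry must remain
    # for Authenticated Users or Domain Computers even after Apply is removed.
    $readers = @('Authenticated Users', 'Domain Computers')
    if (-not ($perms | Where-Object { $readers -contains $_.Trustee.Name })) {
        "$($GpoName): no Read for Authenticated Users or Domain Computers; clients cannot read it"
    }
}

Test-StudentGroups
Test-OfficeGroups
Test-OverrideFiltering -GpoName 'Lock Workstation' -Group 'Lock Workstation'   # GPO name assumed
```

Security filtering is only half of the override: the Lock Workstation GPO must also be processed after the Grads/Ugrads policy, i.e. linked with a lower link-order number (higher precedence) on the same OU, or marked Enforced, otherwise the Grads/Ugrads setting wins.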
Group Policy Management
def: GPO (Group Policy Object)
My knowledge of Active Directory was fairly limited so I apologize for anything that seems inefficient. I've created/edited several policies, here are some notes on them:
- Windows Time Service: Simply syncs workstation clocks to KSU's atomic clock time service.
- Environment Variables: An overly complicated means of adding environment variables to all Windows workstations in the domain. It imports a customized administrative template so that the variables can be edited from the GPO; the JDeveloper, SML and Java JDK environment variables are all added this way. Per-user environment variables live outside the Policies registry keys, so the Group Policy editor treats this setting as a "preference": the default filter hides it, and the values stay behind in the registry if the GPO is ever unlinked (they are not cleaned up like real policy settings). To edit the variables, right-click the GPO, click Edit, and select Administrative Templates under User Configuration. Right-click in the right-hand (view) pane, choose View > Filtering, uncheck "Only show policy settings that can be fully managed", and click OK. A node called "Userspecific Environment Variables" now appears under Administrative Templates; click it, double-click the setting shown on the right, and you can change the variables. Keep %PATH% at the start of the Path value so that the new directories are appended to the existing path rather than replacing it, and make sure none of the directories you append is writable by ordinary users, since every program the user runs will search them.
- Desktop Wallpaper: Sets the desktop wallpaper for the N022 and N126 labs. The image must be stored locally on every machine in the lab.
- Disconnect Options: Sets options on Madison that prohibit disconnecting your session, and sets timeout conditions for sessions that were unintentionally disconnected.
- LastUserName: Hides the username of the last user who logged on from the logon screen of lab machines.
- Restrict Login: Gurdip has research lab machines along the wall in the N022 lab. These machines have been locked down so that only his students can log in; the policy uses the gurdip_research_users group to accomplish this.
Logon Scripts
Our logon scripts live on Ford at C:\WINDOWS\SYSVOL\sysvol\w2k.cis.ksu.edu\Scripts (this is the NETLOGON share). SYSVOL is readable by every authenticated user in the domain, so nothing in these scripts may contain a password or other secret.
login.bat calls a series of VB scripts, which also use a Python script. Each of the scripts is aptly named. I've fixed the logon_maps.vbs script so that it works correctly now; however, the other scripts may need to be revamped in order to work properly, e.g. the printer-mapping script.