The Austin Active Directory Department Group Tools are used to manage a Department's groups using a convenient and easy to use web interface. They allow for group management in scenarios where the native Active Directory tools are not installed or where they cannot even be installed such as on a computer running a non-Windows OS.
Roles
The following roles are defined in the Department Group Tools:
| Roles | Group Scope | Available Actions | How Someone Falls into Scope of the Role |
|---|
| Groups native to the Department Group Tools | Add Department Group Administrator Remove Department Group Administrator | When a Department OU is created, the requestor provides a list of the initial OU Owners. Department OU Owners can edit (add/remove) owners of the Department OU. If a Department falls in the scenario where there are no valid OU Owners (for example, all of the owners are former staff), the owners can be updated by one of the following processes: - The Head of the Department submits a request to the AD team, specifying the EIDs of the new OU Owners.
- IT staff member from the department contacts the ISO who will review it and then submit a request to the AD team, specifying the EIDs of the new OU Owners.
|
| Create Group Delete Group Rename Group Update Group Description Set Group Managers | Department OU Owners manage the Group Admins. |
| Add a Group Member Remove a Group Member |
|
| Groups existing within a Department OU | Add a Group Member Remove a Group Member | You (or a group you are a member of) is set on the ManagedBy of a group. |
Group Location in AD
All groups created by the Department Group Tools are stored in the Department's sub-OU located in austin.utexas.edu/Groups/Managed
Add Department Group Administrator 
Remove Department Group Administrator
Create Group 
Delete Group
Rename Group
Update Group Description
Set Group Managers
Add a Group Member 
Remove a Group Member
Add a Group Member 
Remove a Group Member
Logging
All actions taken in the Department Group Tools is logged and sent to Splunk.
Moving a Group from a Department OU to Managed Groups
A department (Owner | Administrator | either?) can request the movement of a group from their Department OU to the corresponding Managed Groups OU.
- Note if the group's Managed By attribute is set and whether the Manager can update membership list checkbox is checked (if checked, an ACE is present to allow the managed by entity to add/remove members.)
- Set the value of the group's utexasEduAustinSingle10 attribute to the EID of the requestor
(This attribute is populated with the user that created the group by the Department Group Tools.) - Move the group to the Department's OU in austin.utexas.edu/Groups/Managed.
- Reset permissions on the group to remove any permissions set on it while it was under the Department OU.
(Properties - Security tab, Advanced button, Restore Defaults button.) - Close out the request.
If the groups' Managed By was was filled out, and it has permissions to update the membership, provide this info and let the requestor know that it has been cleared out. They are responsible for adding it as the Group Manager if they want it still in place (this is so that the setting the Group Manager is logged by the Department Group Tools).