Adding Authorization Controlled Domain Groups

From Pumping Station: One Wiki

(This page is a work in progress)

About

This page details how to replicate the process of adding authorized user groups to Member Management and the domain. This is how access is controlled to the ShopBot and laser cutters.

How It Works

An Organizational Unit exists in the domain that contains an Authorized security group, an Authorizer security group, and the computer account for the device in question. A group policy is applied to this OU that specifies who can log on and who has elevated privileges.

The Authorized security group is what Member Management adds authorized users to automatically.

The group policy on the domain grants Authorized and Authorizer users the ability to log on, and grants Authorizers administrative privileges.

Steps

1) Domain Steps

  • Create an OU on the domain with a descriptive title
    • For example: Boss Laser, Epilog Laser, ShopBot
  • Create an Authorized security group
    • For example: Boss Laser Authorized
  • Create an Authorizer security group
    • For example: Boss Laser Authorizer
    • NOTE: Now is a good time to add all Authorizers (likely Danger Committee users) to this group.

2) Django Steps

  • Enter the Member Management Django backend, and select "PS1 Groups" under "Accounts"
  • Select "Add PS1 Group"
  • Enter the distinguished name of the Authorized security group you created earlier
    • For example: "CN=BossAuthorized,OU=BossEngraver,DC=ad,DC=pumpingstationone,DC=org"
  • Be sure to save your changes

3) Group Policy Steps

  • Create a new group policy and place it in the OU you originally created
  • Edit the new group policy with the following settings
    • Computer Configuration
      • Policies
        • Windows Settings
          • Security Settings
            • Local Policies / User Rights Assignment
              • (Policy) Allow Log On Locally
                • (Setting) PS1\Domain Admins, PS1\[Authorizer Security Group], PS1\[Authorized Security Group], BUILTIN\Administrators
            • Local Policies / Security Options
              • (Policy) Interactive Logon: Do not require CTRL+ALT+DELETE
                • (Setting) Disabled
            • Restricted Groups
              • (Group) PS1\[Authorizer Group]
                • (Member Of) BUILTIN\Administrators
    • User Configuration
      • NONE

Here is an example of how the GPO should look.

(Image: example of the group policy settings)
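The Domain Steps and the GPO creation/linking part of the Group Policy Steps, scripted as an added example (not from this wiki or the PS1 Member Management project). It assumes the ActiveDirectory and GroupPolicy RSAT modules on a domain-joined admin workstation; the device name, Authorizer account names and computer account name are placeholders.

```powershell
# Added example: scripted version of the Domain Steps plus GPO creation and linking.
# Assumes RSAT ActiveDirectory and GroupPolicy modules; all names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Device      = 'Boss Laser'                         # descriptive device name for the OU
$DomainDN    = (Get-ADDomain).DistinguishedName     # e.g. DC=ad,DC=pumpingstationone,DC=org
$Authorizers = @('alice', 'bob')                    # placeholder Danger Committee sAMAccountNames
$ComputerName = 'BOSSLASER-PC'                      # placeholder computer account of the device

# 1) Domain Steps: OU for the device, then Authorized and Authorizer security groups inside it
New-ADOrganizationalUnit -Name $Device -Path $DomainDN
$OU = "OU=$Device,$DomainDN"
$AuthorizedGroup = New-ADGroup -Name "$Device Authorized" -GroupCategory Security -GroupScope Global -Path $OU -PassThru
$AuthorizerGroup = New-ADGroup -Name "$Device Authorizer" -GroupCategory Security -GroupScope Global -Path $OU -PassThru

# Authorizers are added by hand now; Member Management fills the Authorized group later
Add-ADGroupMember -Identity $AuthorizerGroup -Members $Authorizers

# The GPO only affects computers in this OU, so move the device's computer account in
Move-ADObject -Identity (Get-ADComputer $ComputerName).DistinguishedName -TargetPath $OU

# 2) Django Steps: the exact DN to paste into the "Add PS1 Group" form
Write-Host "Django PS1 Group DN: $($AuthorizedGroup.DistinguishedName)"

# 3) Group Policy Steps: create the GPO and link it to this OU only (never to the domain root),
#    so the "Allow log on locally" restriction cannot lock other machines out
$GPO = New-GPO -Name "$Device Access" -Comment "Logon limited to $Device Authorized/Authorizer"
New-GPLink -Name $GPO.DisplayName -Target $OU -LinkEnabled Yes | Out-Null

# Verification: Authorizer membership and the GPO link on the OU
Get-ADGroupMember -Identity $AuthorizerGroup | Select-Object -ExpandProperty SamAccountName
(Get-GPInheritance -Target $OU).GpoLinks | Select-Object DisplayName, Enabled, Enforced
```

The User Rights Assignment, Security Options and Restricted Groups entries have no GroupPolicy-module cmdlets, so those are still set by hand in the Group Policy editor as listed in the steps above.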

Final Notes

To finalize the changes, it is recommended you reboot the affected computer, or run "gpupdate /force" from a command prompt.