Difference between revisions of "Adding Authorization Controlled Domain Groups"
| Line 51: | Line 51: | ||
** User Configuration | ** User Configuration | ||
*** NONE | *** NONE | ||
| + | |||
| + | Here is an example of how the GPO should look. | ||
| + | |||
| + | [[File:BossGroupPolicy.png|Example of group polciy]] | ||
Revision as of 01:43, 8 May 2017
(This page is a work in progress)
About
This page details how to replicate the process of adding authorized user groups to Member Management and the domain. This is how access is controlled to the ShopBot and laser cutters.
How It Works
An Organizational Unit exists in the domain that contains an Authorized security group, an Authorizer security group, and the computer account for the device in question. A group policy is applied to this OU that specifies who can log on and who has elevated privileges.
The Authorized security group is what Member Management adds authorized users to automatically.
The group policy on the domain grants Authorized and Authorizer users the ability to log on, and grants Authorizers administrative privileges.
Steps
1) Domain Steps
- Create an OU on the domain with a descriptive title
- For example: Boss Laser, Epilog Laser, ShopBot
- Create an Authorized security group
- For example: Boss Laser Authorized
- Create an Authorizer security group
- For example: Boss Laser Authorizer
2) Django Steps
- Enter the Member Management Django backend, and select "PS1 Groups" under "Accounts"
- Select "Add PS1 Group"
- Enter the distinguished name of the Authorized security group you created earlier
- For example: "CN=BossAuthorized,OU=BossEngraver,DC=ad,DC=pumpingstationone,DC=org"
- Be sure to save your changes
3) Group Policy Steps
- Create a new group policy and place it in the OU you originally created
- Edit new group policy with the following selection
- Computer Configuration
- Policies
- Windows Settings
- Security Settings
- Local Policies / User Rights Assignment
- (Policy) Allow Log On Locally
- (Setting) PS1\Domain Admins, PS1\[Authorizer Security Group], PS1\[Authorized Security Group], BUILTIN\Administrators, BUILTIN\Administrators
- Local Policies / Security Options
- (Policy) Interactive Logon: Do not require CTRL+ALT+DELETE
- (Setting) Disabled
- (Policy) Interactive Logon: Do not require CTRL+ALT+DELETE
- Restricted Groups
- (Group) PS1\[Authorizer Group]
- (Member Of) BUILTIN\Administrators
- (Group) PS1\[Authorizer Group]
- (Policy) Allow Log On Locally
- Local Policies / User Rights Assignment
- Security Settings
- Windows Settings
- Policies
- User Configuration
- NONE
- Computer Configuration
Here is an example of how the GPO should look.
