OUs and Groups for User System Types

Standard Active Directory Locations and Group Memberships for Various User Systems

The following locations in Active Directory and Group Memberships should be used for user workstations, laptops and tablets.

 

| System Type | AD Location | Group Memberships [1] | Description |
|---|---|---|---|
| JLab Workstations | /Workstations | OS-specific group [3], "SmartCardWorkstations" if required [4] | Most "normal" user systems go here. This is currently the default location for systems newly joined to the domain. |
| JLab Laptops/Tablets | /Laptops | "Laptops" or "Tablets", OS-specific group [3], "SmartCardWorkstations" if required [4] | Since laptops and tablets require different configuration and management policies, a separate OU is used. Further differentiation between the two is provided by groups. |
| CNI Helpdesk Workstations | /CNIWORK/Workstations | OS-specific group [3] | Same as the global workstations OU, but especially for Helpdesk systems since they need a special configuration for enhanced security. |
| CNI Helpdesk Laptops/Tablets | /CNIWORK/Laptops | "Laptops" or "Tablets", OS-specific group [3] | Same as the global laptops OU, but especially for Helpdesk systems since they need a special configuration for enhanced security. |
| CNI Server Admin Workstations | /CNIADM/Workstations | OS-specific group [3] | Same as the global workstations OU, but with a special configuration for enhanced security. |
| CNI Server Admin Laptops/Tablets | /CNIADM/Laptops | "Laptops" or "Tablets" | Same as the global Laptops OU, but with a special configuration for enhanced security. |
| Conference Room Workstations | /Workstations/Conference Room | OS-specific group [3], "SmartCardWorkstations" if required [4] | Similar to global Workstations, but policies tailored to public, conference systems. |
| MIS Group Workstations | /MISWORK/Workstations | OS-specific group [3] | Same as the global workstations OU, but with a special configuration for enhanced security. |
| MIS Group Laptops/Tablets | /MISWORK/Laptops | "Laptops" or "Tablets" | Same as the global Laptops OU, but with a special configuration for enhanced security. |
| Domain Joined Macs [2] | /Macs | "Smart Card Required Macs" if appropriate | Remnants of the previous attempt to manage Macs with Centrify. Still used for computer objects associated with domain joined Macs. Work under way now to better define this. |
| CAD Workstations | /CC/CUE/CAD | OS-specific group [3], "SmartCardWorkstations" if required [4] | Same as the global workstations OU, but with a special configuration needed by CAD workstations. |
| BSN Workstations | /ADMIN/Workstations | OS-specific group [3] | Same as the global workstations OU, but with a special configuration for enhanced security. |
| BSN Laptops | /ADMIN/Laptops | "Laptops" or "Tablets", OS-specific group [3] | Same as the global laptops OU, but with a special configuration for enhanced security. |
| ACE Standard Workstations | /ACE/Workstations | OS-specific group [3] | Same as the global workstations OU, but with a special configuration managed for/by ACE. |
| ACE Standard Laptops/Tablets | /ACE/Laptops | "Laptops" or "Tablets", OS-specific group [3] | Same as the global Laptops OU, but with a special configuration managed for/by ACE. |
| ACE Admin Workstations | /ACE/Admin Workstations | OS-specific group [3] | Same as ACE Workstations OU, but with additional security configuration. |
| ACE Admin Laptops | /ACE/Admin Laptops | "Laptops" or "Tablets", OS-specific group [3] | Same as ACE Laptops, but with additional security configuration. |

Notes:
  1. Group memberships listed above are those needed to ensure application of the correct baseline policies for the machine category listed.
  2. "Domain Joined Macs" refers to Mac OS X systems that use domain login and so need a Computer object in Active Directory. In addition, it is possible for some Macs to receive group policy (those that were configured using Centrify). Management of Macs is currently under development and better definition of the scope and functionality of Mac management is expected soon.
  3. OS-specific groups include "WinVistaGroup", "Win7Group", "Win8Group" and the server versions like "Win2K12Group", "Win2K8R2Group", etc. These groups are populated automatically by a nightly script, but systems can be added explicitly during build to make them effective immediately.
  4. Many systems that must be smartcard-required receive a policy via OU-membership that configures them appropriately. However, if systems in the large, general purpose OUs like jlab.org/Workstations, etc. need to be smartcard required, the system must be made a member of the SmartCardWorkstations group. 
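
A baseline policy that depends on group membership is silently skipped when the membership is missing, so the table lends itself to an automated check. The following is an added example, not a JLab script: it resolves each computer's OU path from its distinguished name and reports which of the listed memberships are absent. Assumptions: the domain components `DC=jlab,DC=org` are inferred from `jlab.org` in note 4, the host names and the `smartcard_required` flag are hypothetical, group memberships are already reduced to plain group names, and every OS-specific group matches the `Win...Group` naming shown in note 3.

```python
import re

# Requirement tags per OU path, transcribed from a few rows of the table above.
RULES = {
    "/Workstations": {"os", "smartcard"},
    "/Laptops": {"os", "form", "smartcard"},
    "/Workstations/Conference Room": {"os", "smartcard"},
    "/CNIWORK/Workstations": {"os"},
    "/CNIWORK/Laptops": {"os", "form"},
    "/CNIADM/Laptops": {"form"},
}
# Assumption: every OS-specific group follows the Win...Group naming in note 3.
OS_GROUP = re.compile(r"^Win\w+Group$")

def ou_path(dn):
    """Turn a computer DN into the root-first OU path used in the table."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]  # split on unescaped commas
    ous = [p.split("=", 1)[1] for p in parts if p.upper().startswith("OU=")]
    return "/" + "/".join(reversed(ous))  # a DN lists the leaf OU first

def audit(computer):
    """Return the list of baseline group memberships the computer lacks."""
    path = ou_path(computer["dn"])
    rule = RULES.get(path)  # exact match: /CNIWORK/Workstations is not /Workstations
    if rule is None:
        return [f"{path}: OU has no rule here"]
    groups = set(computer["groups"])
    findings = []
    if "os" in rule and not any(OS_GROUP.match(g) for g in groups):
        findings.append("missing OS-specific group")
    if "form" in rule and not groups & {"Laptops", "Tablets"}:
        findings.append('missing "Laptops" or "Tablets"')
    if ("smartcard" in rule and computer.get("smartcard_required")
            and "SmartCardWorkstations" not in groups):
        findings.append('missing "SmartCardWorkstations"')
    return findings

# Constructed sample records (hypothetical host names, group names without DNs).
SAMPLE = [
    {"dn": "CN=HD-PC1,OU=Workstations,OU=CNIWORK,DC=jlab,DC=org", "groups": ["Win7Group"]},
    {"dn": "CN=LT-042,OU=Laptops,DC=jlab,DC=org", "groups": ["Win8Group"],
     "smartcard_required": True},
    {"dn": "CN=CONF-A,OU=Conference Room,OU=Workstations,DC=jlab,DC=org", "groups": []},
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(ou_path(c["dn"]), audit(c) or "ok")
```

Matching on the full path from the domain root matters here because several restricted OUs (CNIWORK, CNIADM, MISWORK) contain a child named "Workstations" or "Laptops" whose leaf name is identical to the general-purpose OU.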
Groups: