Groups are one area where win.mit.edu (WIN) diverges from a typical Windows domain: WIN users and groups are defined and maintained in Moira, the MIT system of record.
Several tools are available to add an existing user to an existing group, including the Moira list management web interface, Moira command-line tools such as blanche, and the Moira MMC snap-in on WIN machines.
On a WIN machine you can run moira or blanche from the command line or the Run menu. You can also start the Moira MMC snap-in from Start > Programs > Administrative Tools > Moira Account Management.
To add a user to a group using the Moira MMC:
- Select List Management from the left panel and right click on the selection.
- Select Find Lists.
- Click on Name, enter the list name and hit Search.
- Select the list name and hit Display.
- Right click on the list name and select Properties.
- Click on the Members tab.
- If you have permission to modify the list, the Add button is enabled; click it.
- Choose the type of object you wish to add and enter its name.
- Click OK.
In WIN, each group of users and each group of machines is also defined in Moira. To create a security group of users and grant its members rights to a particular group of machines:
1. Request a group via Web Moira (certificates required) that contains the user IDs of the users to be allowed access to the machines.
2. Request a container, an organizational unit (OU) that contains the machines to be controlled. (This can be a sub-OU of an OU that already has other policies applied, e.g. an existing OU of machines installing Office XP.)
3. Create or request a new group policy on the newly created OU, and edit the policy as follows:
   - Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
   - Double-click Access This Computer From the Network, click Add, and add the user group created in Step 1.
   - Double-click Logon Locally, click Add, and add the user group created in Step 1.
Assigning these two rights only to that group restricts access to its members; all other users are denied implicitly. Do not also define Deny rights, since doing so may have unintended results!
Requirements: Container Administrator rights, i.e., rights over an organizational unit
Create a security group which contains the user ids of the users who will be allowed local administrator access to the computers in the organizational unit.
Note: The name of the group cannot contain any spaces.
Create a .bat file containing the following simple script:
Here LocalAdministratorGroupName is the name of the local administrators group created in Active Directory in the previous step.
Add the script to a group policy:
1. Select the OU to which the policy should apply.
2. Right-click and choose Properties..., click the Group Policy tab, and select New...
3. Give the group policy a name (prefixed with the name of your departmental OU).
4. Click Edit.
5. Expand Computer Configuration > Windows Settings > Scripts.
6. Double-click Startup, then select Add.
7. Type the script name and location in the Script Parameters box.
For an existing group policy, edit that policy using steps 4-7 above.
Note: You can edit only policies that you have created yourself, or for which you have been expressly granted editing permissions by the original policy creator.
Addadmin.exe is on the PATH of each WIN machine. Type addadmin at a command prompt for usage information. This program adds (or removes) a domain account to (or from) the local Administrators group on the machine. A container admin may want to run it as a machine startup script to ensure that a container admin group always has local admin rights on each machine in the container.
A domain user or group can be added to the local Administrators group by invoking Addadmin.exe as a Startup script (Computer Configuration > Windows Settings > Scripts > Startup, choose Add...). For example, to add MyUser and MyGroup to the local Administrators group, use the following settings (as shown in the image):
Both /u and /g can be used as shorthand for /user and /group. The example separates the addition of users and groups into separate entries in the Startup script list for clarity. Note that the /remove switch removes a domain user or group from the local Administrators group if it is present.
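The following is an added example, not the page's own .bat script and not Addadmin.exe: a PowerShell startup script that does the same job described under "Create a .bat file" above and by the Addadmin.exe Startup entry, adding (or, with -Remove, removing) a domain group in the local Administrators group and logging the resulting membership so a container admin can audit it. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, that it runs as SYSTEM from a computer Startup script, and that the domain name WIN and the group name LocalAdministratorGroupName are placeholders to be replaced with your own; the log path is likewise an assumption.

```powershell
# Added example (not the page's script or Addadmin.exe): ensure a domain group is a
# member of the local Administrators group, or remove it with -Remove.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts) running as
# SYSTEM from Computer Configuration > Windows Settings > Scripts > Startup.
param(
    [string]$Domain = 'WIN',                             # placeholder NetBIOS domain name
    [string]$GroupName = 'LocalAdministratorGroupName',  # placeholder, as in the text above
    [switch]$Remove
)

# Membership names are reported as DOMAIN\Name, so build the account in that form.
$account = "$Domain\$GroupName"
$logPath = Join-Path $env:SystemRoot 'Temp\local-admin-startup.log'   # assumed log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $logPath -Append -Encoding utf8
}

function Get-AdminMembers {
    # Get-LocalGroupMember can throw if the group contains an orphaned SID that no longer
    # resolves; log that rather than silently skipping the add/remove decision.
    try {
        return @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                 Select-Object -ExpandProperty Name)
    } catch {
        Write-Log "Could not enumerate Administrators: $($_.Exception.Message)"
        throw
    }
}

# Check current membership first so the script is idempotent across every boot.
$present = (Get-AdminMembers) -contains $account

if ($Remove) {
    if ($present) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $account
        Write-Log "Removed $account from Administrators"
    } else {
        Write-Log "$account not present; nothing to remove"
    }
} else {
    if (-not $present) {
        Add-LocalGroupMember -Group 'Administrators' -Member $account
        Write-Log "Added $account to Administrators"
    } else {
        Write-Log "$account already a member; no change"
    }
}

# Record the final membership so unexpected local admins show up in the log.
Write-Log ("Administrators now: " + ((Get-AdminMembers) -join ', '))
```

Because the script checks membership before acting, running it at every startup (as the page recommends for the container admin group) causes no repeated-add errors, and the trailing log line gives a per-boot record of who holds local admin rights on each machine in the container. Unlike an unquoted .bat command line, the group name is passed as a single PowerShell parameter, so the no-spaces restriction noted above does not apply to this script, though the Active Directory group itself still has to follow it.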
Please see the document Managing Your User Profile for more information.