Delegated OU role group changes

March 29, 2017

The role groups for delegated OUs will be changing. Delegated OU role groups are those groups which Microsoft Infrastructure provides to delegate permissions in your delegated OU.


What and When:

Later today March 29th, 2017, there will be two changes to the delegated OU role groups.


First, all delegated OU role groups will be moving to a new stem. They will move from the u_windowsinfrastructure stem to the u_msinf_delou stem. This is being done to reflect the service name change, as well as to shorten the overall length. For example, u_windowsinfrastructure_pottery_ouadmins will move to u_msinf_delou_pottery_ouadmins. This change will also move the _computers OU computers group.


Second, we’re making an adjustment related to the _computerjoiners role group. Existing _computerjoiners role groups will be renamed to _computermanagers to better reflect the permissions granted. A brand new _computerjoiners role group will be added for each delegated OU. This new role group will only have the permissions necessary to create a computer account.


This change (by itself) will result in no one gaining additional permissions in your delegated OU.


What you need to do:

This announcement is advisory, but you may have follow-up actions to take. Actions you may want to consider:


  • There is a very small chance you have services dependent on the existing group names. If you have group policies or code which statically references the name of your delegated OU role groups, you should adjust those references to the new name. See the note below for important context.
  • You may want to adjust the membership of your role groups to better reflect what permissions individuals have. If so, request a change or use the self-service capabilities provided via UW NetID Computing Support Org to be able to manage those delegated OU role group memberships. Note: _computermanagers is not yet available in this tool, so you’ll need to contact us for changes to it.


Important note: Group moves/renames are generally a non-event for Microsoft technologies because most Microsoft technologies do not store the group name, but instead the objectSID of the group. NTFS and share permissions and many other Microsoft ACL capabilities have this dynamic reference which is not tied to the group name. Some group policy settings do store group names. So in almost all cases, you need do nothing.
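The two checks the note and the first action item call for (confirming that SID-based references survive the rename, and finding the rare group policy settings that store the group name as text) can be scripted. The following PowerShell is an added example, not part of the announcement and not a UW-IT tool. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the account running it can read AD and the domain's GPOs, and uses the announcement's own example group names; the share path is a placeholder you would replace with a folder whose ACL grants the group access.

```powershell
# Added example (not from the UW-IT announcement). Assumes RSAT ActiveDirectory and
# GroupPolicy modules and read access to AD and GPOs. Group names are the announcement's
# example; the folder path is a placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$oldName = 'u_windowsinfrastructure_pottery_ouadmins'   # name before the stem change
$newName = 'u_msinf_delou_pottery_ouadmins'             # name after the stem change
$path    = '\\FILESERVER-PLACEHOLDER\share\folder'       # placeholder: a folder whose ACL names the group

# 1. A renamed/moved group keeps its objectSid, so anything that stored the SID still resolves.
$group = Get-ADGroup -Identity $newName
$sid   = $group.SID.Value
Write-Host "$newName resolves to $sid"

# The old name should no longer resolve; a lookup failure here is the expected outcome.
try {
    Get-ADGroup -Identity $oldName -ErrorAction Stop | Out-Null
    Write-Warning "$oldName still resolves; the rename may not have been applied yet"
} catch {
    Write-Host "$oldName no longer resolves (expected after the rename)"
}

# 2. NTFS ACEs are stored by SID. Read the ACL as raw SIDs rather than translated names
#    and confirm the group's SID is still present, i.e. the permission survived untouched.
$acl  = Get-Acl -Path $path
$aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
if ($aces | Where-Object { $_.IdentityReference.Value -eq $sid }) {
    Write-Host "ACL on $path references the group by SID; no change needed"
} else {
    Write-Host "ACL on $path does not reference $sid"
}

# 3. Some group policy settings store the group *name* as text. Export each GPO as XML
#    and search for the old name; every hit is a reference to update by hand.
Get-GPO -All | ForEach-Object {
    $report = Get-GPOReport -Guid $_.Id -ReportType Xml
    if ($report -match [regex]::Escape($oldName)) {
        [pscustomobject]@{ GPO = $_.DisplayName; Id = $_.Id }
    }
}
```

Step 3 walks every GPO in the domain, which is slow in a large domain; to limit it to the policies that actually apply to your delegated OU, take the GPO list from Get-GPInheritance -Target with your OU's distinguished name instead of Get-GPO -All. The same string search applies to any scripts or configuration files of your own that hard-code the group name.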


More info:

When we released delegated OUs, the _computerjoiners role group only had permissions to create a computer account. Over time, some customers asked for this role to have more permissions—particularly when we started asking customers to provide valid dnsHostname values. So we grew the permissions of this role to be full control on computer objects. We now recognize that this choice was a mistake on our part—we should have added a new _computermanagers role, and left the _computerjoiners role as named & designed.


Two things brought this mistake to the forefront:

  • In reviewing supportability for LAPS, we didn’t feel that the _computerjoiners role should have the ability to get the local admin password (more details about future LAPS support and changes related to that will be forthcoming).
  • To support the Managed Workstation service’s adoption of delegated OUs, we recognized their broad need to delegate only the ability to create a computer account.


We welcome comments, questions, requests, or issues related to these planned changes. Please send those to help@uw.edu with ‘Delegated OU role group changes’.


Brian Arkills

Microsoft Infrastructure service manager

UW-IT