Software Support

Princeton Domain roles, abilities, and responsibilities:

Note:  Under Construction

Sections

• Windows 2003 Active Directory
• WSUS (Windows Software Update Services) administration
• Symantec Antivirus Corporation Edition Administration
• SMS 2003 Administration (coming soon)
• DeSC Keyserver Administration (coming soon)
• TSM monitoring and client adminstration (coming soon)
• Software Packaging (coming soon)

• Windows 2003 Active Directory

  • Role

    • To provide Active Directory support for DeSC, departmental, CIAB, and OIT Training room workstations

    • Note:  Windows Systems staff will operate as a backup for this service.

  • Abilities

    • Members of the "SWS-Restricted" group can do the following:

      • Move machines between OU's using Active Directory Users and Computers Snap-in

        • Note: This can only be done between DeSC and Departmental OU's.  All other OU's are restricted from doing so.

        • Example - A department requests to have a machine moved from DeSC to their Departmental OU

      • Run RSOP (Resultant Set of Policy) analysis tools to analyze machines for GPO status.  (Currently not working, but will be corrected)
         

    • Members of the "SWS GPO Admins" group can do the following:

      • Create new GPO's and WMI filters

      • Edit any GPO's/WMI filters they have created in the past. (ie.  the creator of the object is the owner)

      • Edit certain workstation GPO's that have been delegated to "SWS GPO Admins" by Windows Systems.

      • Link and unlink existing GPO's (including those not created by SWS GPO Admins), to DeSC and other Departmental OU's

      • Create Sub-OU's in DeSC OU for future support (only)

      • Note:  certain GPO's for overall domain, clusters or server administration are restricted from editing.

  • Responsibilities

    • To Create/edit/link/test GPO's and WMI filters as necessary for DeSC and Dept OU's

    • To move machine accounts between OU's

    • To create new machine accounts for departmental machines when requested to do so via webform request from support person who is not a SCAD/DCS member

      • Note:  Machine account creation/reset/deletion is still done utilizing the Windows Systems proxy scripts located here - https://antigone.princeton.edu/machine.shtml
         

• WSUS (Windows Software Update Services) administration

  • Role

    • To provide administration of WSUS updates/patches/service packs by utilizing the WSUS admin web console in collaboration with the OIT IT Security Officer.

    • Note:  Windows Systems staff will operate as a backup for this service.  OIT IT Security Officer also has console access.

  • Abilities

    • Members of the "SWS GPO Admins" group can do the following:

      • Authenticate to the WSUS Admin web console - https://windowsupdate.princeton.edu/WSUSAdmin/

      • Manually synchronize server for new updates from Microsoft  (Server is automatically synchronized nightly, manual is rarely used)

      • Specify which update classifications are to be obtained from Microsoft

      • Create and manage WSUS target groups.

      • Set any updates for Install, remove, decline, or detect

        • Install - Download and  Install the update

        • Remove - Remove a previously applied update (rarely used)

        • Decline - Decline an update for being applied

        • Detect - Detect if an update is needed (don't install, just report)

      • Run reports on patch propagation, errors, machine details, etc.

  • Responsibilities

    • Enable patches for install once approved by OIT IT Security Officer.

    • Periodically check for new updates, specifically application updates and approve for detection prior to releasing for install

    • Notify various constituencies when new updates for applications are released for install (Security update noticed will continue to come from OIT IT Security Officer)

    • Run reports and check for any patch failures as reported by WSUS.

• Symantec Antivirus Corporation Edition Administration

  • Role

    • To provide administration of the Symantec Antivirus Corporate edition managed client settings

    • Note:  Windows Systems staff will operate as a backup for this service. 

  • Abilities

    • Members of the "SWS GPO Admin" can do the following:

      • Use the Symantec System Center Console

      • Manage groups (create new groups as needed for future use)

      • Change Managed SAV client settings on the following groups:

        • DeSC

        • No-Scan

        • Others

        • NoGroup (machines not assigned to a group)

      • Move machines between groups

        • Example:  move a former DeSC machine from the DeSC group to the "NoGroup" group.

      • Export reporting data for offline analysis

        • Note:  There is no automated way to export reporting data from Symantec System Center Console, it has to be done manually.

  • Responsibilties

    • Manage SAV managed client settings as necessary for DeSC

    • Move machines between groups or ungroup them.

    • Provide reporting data and analysis

   

  Copyright © 2006 Trustees of Princeton University. All rights reserved.
  Last modified: 01/13/2006 12:04:07 PM