Active Directory Account Administration

Quick Links: | accountadmins group | Known Limitations | Updating accountadmins membership |

ITSS manages accounts in Active Directory and Exchange that currently fall outside the scope of our Identity and Access Management solution. This article describes the access and security controls surrounding account administration in Active Directory.

accountadmins group

accountadmins provides access to 3 places in Active Directory:

  • Full Control of users in CN=Users,dc=csuchico,dc=edu
  • Full Control of users in OU=Service Accounts,dc=csuchico,dc=edu
  • Full Control of groups in OU=Groups,dc=csuchico,dc=edu

Members of this group can create users and groups outside the purview of Account Center, such as:

  • Service Accounts
  • Admin Accounts
  • Calendar/Room Mailboxes
  • Distribution Lists
  • Security Groups

This group can also be used to help troubleshoot and resolve issues on user accounts, such as unlocking locked accounts.

Known Limitations

Moving objects between OUs other than those listed above, and creating objects in other locations, are not supported as configured. Should a use case arise that requires additional access, a ticket will be submitted to update access. ISEC will either approve or disapprove the change, and ESYS will make the changes as needed. A known potential issue is moving accounts for labs.
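
The three delegations listed under accountadmins group can be checked for drift against what is actually set in the directory. The PowerShell below is an added example, not ITSS's own tooling: it compares ACEs granted to accountadmins with the documented scope, using constructed sample ACEs (the EXAMPLE domain prefix and the function name Compare-Delegation are assumptions), and the commented lines show how real ACEs would be collected with the ActiveDirectory module.

```powershell
# Added example. Schema GUIDs of the user and group classes (standard AD schema).
$ClassGuid = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
}
# Documented scope from this article: container DN -> class under Full Control.
$Documented = @{
    'CN=Users,dc=csuchico,dc=edu'            = 'user'
    'OU=Service Accounts,dc=csuchico,dc=edu' = 'user'
    'OU=Groups,dc=csuchico,dc=edu'           = 'group'
}
function Compare-Delegation {   # hypothetical helper name
    param([object[]]$Aces, [string]$Group = 'accountadmins')
    $seen = @{}
    foreach ($ace in $Aces) {
        # Only Allow ACEs whose trustee is the group (any domain prefix).
        if ("$($ace.IdentityReference)" -notlike "*\$Group" -or
            "$($ace.AccessControlType)" -ne 'Allow') { continue }
        $class  = $ClassGuid["$($ace.InheritedObjectType)"]
        $rights = "$($ace.ActiveDirectoryRights)"
        # Documented = Full Control (GenericAll) on the listed class in a listed DN.
        $ok = $class -and $Documented[$ace.Path] -eq $class -and $rights -eq 'GenericAll'
        if ($ok) { $seen[$ace.Path] = $true }
        [pscustomobject]@{ Path = $ace.Path; Class = $class; Rights = $rights
            Status = if ($ok) { 'Documented' } else { 'Undocumented' } }
    }
    # Documented delegations with no matching ACE.
    foreach ($dn in $Documented.Keys) {
        if (-not $seen.ContainsKey($dn)) {
            [pscustomobject]@{ Path = $dn; Class = $Documented[$dn]
                Rights = 'GenericAll'; Status = 'Missing' }
        }
    }
}

# Live collection (assumes the RSAT ActiveDirectory module and its AD: drive):
# $aces = foreach ($dn in $Documented.Keys) {
#     (Get-Acl "AD:\$dn").Access | Select-Object *, @{ n = 'Path'; e = { $dn } } }
# Constructed sample ACEs (EXAMPLE is a placeholder domain): one drifted, one missing.
$u = 'bf967aba-0de6-11d0-a285-00aa003049e2'; $g = 'bf967a9c-0de6-11d0-a285-00aa003049e2'
$aces = foreach ($r in @(
        @('CN=Users,dc=csuchico,dc=edu', $u),
        @('OU=Service Accounts,dc=csuchico,dc=edu', $u),
        @('CN=Users,dc=csuchico,dc=edu', $g))) {   # group class here is not documented
    [pscustomobject]@{ Path = $r[0]; InheritedObjectType = $r[1]
        IdentityReference = 'EXAMPLE\accountadmins'
        AccessControlType = 'Allow'; ActiveDirectoryRights = 'GenericAll' }
}
Compare-Delegation -Aces $aces | Format-Table -AutoSize
```

Any row whose Status is not Documented is a candidate for the ticket and ISEC review described in this section.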

Updating accountadmins membership

To add or remove an accountadmin, a TDX ticket should be submitted to ISEC for review. Pending review, ISEC will add or remove users from this group.

Details

Article ID: 113946
Created: Tue 6/11/24 1:25 PM