I've added significant rights to the OIT role for this site, which is fed from the "OIT People" application.  Basically, I'm granting everyone in OIT the same rights that we used to have only for ISO staff, meaning personal blogs, forum creation, book editing, and overall content creation rights.

Here's a long description of how the rights are established for the software groups in OIT's portion of the WolfTech active directory.  It's long and in narrative style, in hopes it will illustrate the thought processes that yielded this configuration.

Two facts one should know

• Computers objects can be members of AD groups
• Group objects can be members of AD groups

In WolfTech, to assign an application to be installed on a machine, you just add that machine to a specially named group. 

A 2004 article from SearchWindowsServer.com but still applies. by James Michael Stewart, Contributor

One or more group policies (GPOs) can be defined for each domain, site, and organizational unit (OUs) in a forest (that is, an entire Active Directory domain network). All of the GPOs can be managed from a Windows 2000 or Server 2003 domain controller system through the Active Directory Users and Computers utility as well as several others.

Kevin and I met with TSS to finalize our plans to create a better OU structure for OIT.

Workstations and other computers will be gathered up under an OU=Computers directly under OU=OIT

Kevin

Clients that TSS supports will get sub-containers under "Clients"

The "Test" OU will be used for application/gpo testing

Some settings are not explained in the Microsoft spreadsheets. However, there is an explanation of many of them, includng the security settings, here: http://technet.microsoft.com/en-us/library/cc785710(WS.10).aspx

See particularly the entries under "local policy".

Wonder what all those GPO settings mean? Microsoft has provided some guidance. They have produced spreadsheets that identify all of the settings for the .adms included with Win2k3, plus addendums for Win2k8 and Win2k8R2. They include short text explaining what the settings do.

For convenience, I've attached them. They came from:

Group Policy Settings References for Windows and Windows Server
(also referred to as "Group Policy XLS")
http://go.microsoft.com/fwlink/?LinkId=54020

Kevin and I did not attend the entire WolfTech policy meeting, as the group is concerned about meeting space and OIT already has Tom F. and Dan E. as representatives.  We attended to provide details of the iLO schema extension ISO had proposed, and left promptly afterwards.

I met with Bill Coker and we're going to try to get a software distribution share to deliver ISOs to on-campus administrators.  Products like SAS are up to 3 DVD's of install media, and with the double layer ISOs it's hard to deliver without a good old fashioned network share.

I'm clearing up space on the oitfs0 Celerra share, which we'll link in under the path

\\wolftech.ad.ncsu.edu\oit\Original_Media

I'm meeting with Bill again today or tomorrow to branstorm how he wants to manage rights -- I'll introduce hi to the automatically created groups in WT.

OIT-ISO-SHS and have made a change at the OU=OIT level that should make things less complicated for all our various OU admins.

I've packaged the 32 and 64 bit ActivePerl distributions for Windows, version 5.10.1.1006.

To have it installed via GPO from the WolfTech domain, add the computer or groups of computers to the group FW-OIT-ActivePerl-5.10.1.1006, which you'll find in OIT/Software Packages/OIT Software