
Managing AD Accounts and Groups for Managed Host Authentication and Authorization

Article Number : KB0017326
Published on : 2020-04-15
Last modified : 2020-04-15 22:44:40
Knowledge Base : ESM External

Service owners should identify the individuals within their CSU who have permission to manage AD user accounts and service groups via the Active Directory Departmental Administration Tools web console (  This is typically the CSU head or any manager to whom permission has been delegated. You may contact the Active Directory team ( for a list of persons with this privilege. All staff who need to log in to service hosts should be assigned an account. In addition, each service that will use AD for access and authorization should have a service group assigned.

Membership Management

  • To create AD user accounts
  1. Log in to the web console, ( NOTES: Use your regular EID to log in. Access requires DUO. If you are connecting from off campus, you must be connected through VPN.
  2. Click on the "Department Admin Tools" button and then navigate to the "Create a User" window.
  3. Users are created with the name "<dept-code>-<eid>". Be sure to select "No" for self-claim this account, and enter the EID of the user for whom you are creating the account in the Assignee EID box.
  4. Once set up, the user to whom the account is assigned should receive an email asking him or her to log in to the web console, claim the AD user account, and set a password.
  • To manage service group membership
  1. Designated group managers should log in to the web console, (
  2. Click on the "Department Group Tools" button and then navigate to the "Managed Group Members" window.
  3. *Enter the <dept-code>-<eid> account that you wish to add in the "Enter the EID or Security Group Name to Add:" field and click on "Check Names".
  4. The account should show up in the "Search Results" box below. Click on "Add Member" to add the account to the group.

Group Creation

  • To create AD service groups
  1. Log in to the web console, (
  2. Click on the "Department Group Tools" button and navigate to the "Create / Delete Group" window.
  3. Create a group with the name <dept-code>-<unit acronym>-<service name>.
  4. *Add AD user accounts as members using the steps listed above.
  5. Designate service owners as group managers.

When requesting new hosts for new services (including service refreshes), service admins provide the AD service group that contains the AD user accounts that should have access (RDP or SSH login) and authorization (admin or sudo) permissions. The group should not contain EID accounts (only <dept-code>-<eid> accounts). Once the new hosts are provisioned, service admins should log in to confirm access and authorization.

NB. New hosts for existing services will inherit the service's access and authorization method. 

 *Only add "<dept-code>-<eid>" based accounts
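
Before handing a service group over for host provisioning, its name and membership can be checked against the conventions above. The following is an added example, not part of the original article or the web console: the function name, the department code `ABC`, and all sample accounts are constructed, and the article does not define the EID format, so only the `<dept-code>-` prefix is checked.

```powershell
# Added example: audit a service group against this article's naming rules.
# Assumptions: dept code 'ABC' and every sample name below are constructed.
# Member objects need SamAccountName and objectClass properties, which is
# what Get-ADGroupMember (ActiveDirectory module) returns for a live group.

function Test-ServiceGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $DeptCode,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Members
    )

    $prefix   = '^' + [regex]::Escape($DeptCode) + '-'
    $findings = @()

    # Group name: <dept-code>-<unit acronym>-<service name>
    if ($GroupName -notmatch ($prefix + '[^-]+-.+$')) {
        $findings += [pscustomobject]@{
            Name  = $GroupName
            Issue = 'Group name is not <dept-code>-<unit acronym>-<service name>'
        }
    }

    foreach ($m in $Members) {
        if ($m.objectClass -ne 'user') {
            # Nested groups hide who actually gets RDP/SSH and admin/sudo rights.
            $issue = 'Member is not a user account'
        }
        elseif ($m.SamAccountName -notmatch ($prefix + '.+$')) {
            $issue = 'Not a <dept-code>-<eid> account (bare EID or other department)'
        }
        else { continue }
        $findings += [pscustomobject]@{ Name = $m.SamAccountName; Issue = $issue }
    }
    $findings
}

# Constructed sample membership; for a live group use:
#   $members = Get-ADGroupMember -Identity 'ABC-NET-Wiki'
$members = @(
    [pscustomobject]@{ SamAccountName = 'ABC-jd1234';     objectClass = 'user'  }
    [pscustomobject]@{ SamAccountName = 'jd1234';         objectClass = 'user'  }  # bare EID
    [pscustomobject]@{ SamAccountName = 'XYZ-ab5678';     objectClass = 'user'  }  # other dept
    [pscustomobject]@{ SamAccountName = 'ABC-NET-Admins'; objectClass = 'group' }  # nested group
)
Test-ServiceGroupMembership -DeptCode 'ABC' -GroupName 'ABC-NET-Wiki' -Members $members |
    Format-Table -AutoSize
```

An empty result means the group name and every member conform; each row returned is an entry to correct in the web console before requesting hosts.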



Permalink: utss/
