GPO Configuration for Atria
Overview
The default provisioning for Atria configures permissions within Active Directory to support the assignment of GPO’s against Atria restricted customer OU’s
GPOAccess Groups are assigned the
following permissions on the OU's:
| Permission | Definition | Active Directory Definition |
|---|---|---|
| Deny - List Contents | Prevents viewing of the contents of the OU and its descendant objects | This permission prevents users from seeing the contents of the folder. They will not be able to see any files or subfolders within the folder. |
| Allow - List Object | Allows viewing of the OU itself | This permission allows users to see the folder, but not its contents. They will be able to see the folder name and that it exists, but will not be able to access any of the files or subfolders within it. |
| Allow - Read all properties | Allows reading of all properties of the OU | This permission allows users to read the properties of the folder, such as its name, creation date, and other metadata. They will not be able to make any changes to the folder or its properties. |
Proxy ??? User groups are assigned the
following permissions against the respective Customer OU:
| Permission | Definition | Active Directory Definition |
|---|---|---|
| Allow - Read | Allows reading of the OU and its descendant objects | This permission allows users to read the contents of the folder and all subfolders within it. They will be able to see the names and properties of all files and folders, but will not be able to make any changes to them. |
The main point in this structure is that
the GPOAccess groups provide the traversal of “Read all properties” and “List
object” all the way through the “Broken inheritance” OU structure to the
customers objects. Above the Atria Customer OU’s this permission is provided by the “Authenticated Users”
group. This is needed in order for the
GPO to be applied to the user objects
With the change in security that Microsoft
applied with MS16-072, the Computer object needs to have:
· - “Read” access to the GPO
· - “Read” access to the user
object
Applying the Read access on the GPO needs
to be done manually
The simplest way to give the Computer
object read access on the user objects is to add the Computer object to the
“Proxy ??? Users” group for the customer
Related Articles
Atria Billing Setup User Guide
Objective This article describes how to configure Atria to utilize the latest billing features. This document outlines the billing setup attributes that should be configured. Applies to Introduced in Atria version 12.0.0 Billing Setup Overview To ...Atria Configuration - Self Service Password Reset
Background Information Forgotten passwords and associated reset processes cause frustration and lost productivity for end-users. For IT providers, it consumes time and increases costs. For Support staff, it’s a tedious task. Atria Self Password Reset ...Billing Rules Engine User Guide
Objective This article describes how to use the Atria billing rules engine to identify specific Atria entities as non-billable. Applies to Introduced in Atria version 12.0.0 Billing Rule Feature Overview Many entities - customers, services, users, ...Display Patterns for Billing Line Descriptions
Purpose: When generating billing data, two descriptions are generated for each billable item - Line description (detailed) and summary descriptions. The Summary Description serves two purpose: Used as a template for your invoice lines and reporting ...Service Billing Summary Report
Objective This article describes the information contained in the Billing Summary Report. Applies to Introduced in Atria version 12.0.0 Billing Summary Report Overview The service billing summary report is designed to highlight the billable ...