Users constantly need access to various areas of the network and its systems. One of the big challenges for the helpdesk is determining who can approve such an access request and who actually manages a given application or system.
The responsibility matrix was built for exactly this situation. Not only can you create entries, you can also categorize them in a primary and a secondary category, e.g., APPLICATIONS and SAP, or DFS and DEPARTMENTS.
Once an entry is created, you can assign owners / employees and add notes next to them, such as primary approver, secondary approver, or whatever else you want to record.
LDAP groups can be referenced here as well. Most, if not all, IT departments struggle with LDAP groups: why they exist, what their purpose is, where they are used, and so on. Documentation and structure are incredibly important when it comes to LDAP groups. The references in the responsibility matrix let you at least record the groups related to an entry and leave additional notes on each of them.
You can eventually even build whole checklist workflows that, for example, semi-automatically create DFS namespaces and automatically reference the groups you specified in the entry.
To automate the creation of the LDAP / Active Directory groups and the folder, the rights assignment, and finally adding the folder to your DFS namespace, see the checklist script examples below. You will of course need to create a checklist template that passes the correct parameters to the scripts, and adjust the scripts to your specific needs.
This takes a great deal of manual work out of the process and avoids mistakes in the overall configuration. Folders constantly come and go, so it is essential to standardize group names and rights assignments and to make sure every folder follows the same naming schema and the same NTFS rights. I wrote a DFS structure blog article about a nice example as well.
Keep in mind that the necessary PowerShell modules (RSAT) and DOS tools need to be installed on the system where you execute the checklist / script(s).
```powershell
Param(
    [string]$foldername,
    [string]$shortdesc,
    [string]$notes
)

# Requires the RSAT ActiveDirectory module; New-SmbShare and New-DfsnFolder come from
# the SmbShare and DFSN modules, which are auto-loaded when installed.
Import-Module ActiveDirectory

Write-Host "Script starting..."
Write-Host ""
Write-Host "Parameters submitted to script:"
Write-Host "==============================="
Write-Host "Foldername: $foldername" -ForegroundColor DarkYellow
Write-Host "Description: $shortdesc" -ForegroundColor DarkYellow
Write-Host "Notes: $notes" -ForegroundColor DarkYellow
Write-Host "==============================="
Write-Host ""
Pause

# One read-only and one read-write global group per folder; the notes from the
# responsibility matrix entry are stored in the group's 'info' attribute.
New-ADGroup "DFS_$foldername RO" -GroupScope Global -Path "OU=Groups,DC=domain,DC=local" -OtherAttributes @{'info'="$notes"} -Description "$shortdesc Read Only"
New-ADGroup "DFS_$foldername RW" -GroupScope Global -Path "OU=Groups,DC=domain,DC=local" -OtherAttributes @{'info'="$notes"} -Description "$shortdesc Read Write"

# Create the folder on the file server and publish it as a hidden share (trailing $).
# Share permissions are left at Change for Everyone; the effective rights come from
# the NTFS ACL set by the icacls script.
md "\\servername\d$\shared folders\$foldername"
$sharename = $foldername.Replace(' ', '')
New-SmbShare -CimSession SERVERNAME -Name "${sharename}$" -Path "d:\shared folders\$foldername" -ChangeAccess everyone -FolderEnumerationMode AccessBased -CachingMode None

# Link the share into the DFS namespace as a folder target
New-DfsnFolder -Path "\\domain.local\n\$foldername" -TargetPath "\\servername.domain.local\${sharename}$" -EnableTargetFailback $True -ReferralPriorityClass globalhigh -ReferralPriorityRank 0
```
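The script above takes `$foldername` straight from the checklist template and splices it into an AD group name, a UNC path, a share name and a DFS link, and it creates everything unconditionally. The following wrapper is an added example, not code from the original article or from the product; server, OU and namespace values are placeholders. It validates the folder name before anything is created (so a name containing `\`, `..` or `$` cannot change the meaning of the path or share it ends up in), checks whether the groups, folder, share or DFS folder already exist so a re-run of the checklist does not stop halfway with a half-provisioned folder, and supports `-WhatIf` so the plan can be reviewed before it runs.

```powershell
# Added example (not from the original article): validate checklist input and
# check for existing objects before provisioning. Server, OU and namespace
# values are placeholders and must be adjusted to your environment.
[CmdletBinding(SupportsShouldProcess = $true)]
Param(
    # Letters, digits, space, underscore and hyphen only: no '\', '/', '..', '$' or
    # other characters that would alter the UNC path, share name or group name.
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9][A-Za-z0-9 _-]{0,62}$')]
    [string]$foldername,

    [Parameter(Mandatory = $true)]
    [ValidateLength(1, 256)]
    [string]$shortdesc,

    [string]$notes = ''
)

Import-Module ActiveDirectory
Import-Module DFSN

# Placeholders: replace with your own environment values.
$fileServer   = 'servername'
$fileServerFq = 'servername.domain.local'
$groupOu      = 'OU=Groups,DC=domain,DC=local'
$nsRoot       = '\\domain.local\n'
$rootLocal    = 'd:\shared folders'

# Derive every name in one place so the PowerShell and icacls steps agree.
$groupRO   = "DFS_$foldername RO"
$groupRW   = "DFS_$foldername RW"
$sharename = $foldername.Replace(' ', '') + '$'
$adminPath = "\\$fileServer\d$\shared folders\$foldername"
$dfsPath   = "$nsRoot\$foldername"

# Idempotency checks: refuse to touch objects that already exist rather than
# failing part-way through and leaving a half-provisioned folder behind.
$problems = @()
foreach ($g in $groupRO, $groupRW) {
    if (Get-ADGroup -Filter { Name -eq $g } -ErrorAction SilentlyContinue) {
        $problems += "AD group '$g' already exists"
    }
}
if (Test-Path -LiteralPath $adminPath) {
    $problems += "Folder '$adminPath' already exists"
}
if (Get-SmbShare -CimSession $fileServer -Name $sharename -ErrorAction SilentlyContinue) {
    $problems += "Share '$sharename' already exists on $fileServer"
}
if (Get-DfsnFolder -Path $dfsPath -ErrorAction SilentlyContinue) {
    $problems += "DFS folder '$dfsPath' already exists"
}
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Pre-checks failed; nothing was created."
}

# -WhatIf prints the plan; a real run performs each step in order.
if ($PSCmdlet.ShouldProcess($foldername, 'Create groups, folder, share and DFS link')) {
    $attrs = @{}
    if ($notes) { $attrs['info'] = $notes }   # do not write an empty 'info' attribute

    foreach ($pair in @(@($groupRO, 'Read Only'), @($groupRW, 'Read Write'))) {
        $params = @{
            Name        = $pair[0]
            GroupScope  = 'Global'
            Path        = $groupOu
            Description = "$shortdesc $($pair[1])"
        }
        if ($attrs.Count -gt 0) { $params['OtherAttributes'] = $attrs }
        New-ADGroup @params
    }

    New-Item -ItemType Directory -Path $adminPath | Out-Null
    New-SmbShare -CimSession $fileServer -Name $sharename -Path "$rootLocal\$foldername" `
        -ChangeAccess 'Everyone' -FolderEnumerationMode AccessBased -CachingMode None | Out-Null
    New-DfsnFolder -Path $dfsPath -TargetPath "\\$fileServerFq\$sharename" `
        -EnableTargetFailback $true -ReferralPriorityClass GlobalHigh -ReferralPriorityRank 0 | Out-Null
    Write-Host "Provisioned '$foldername' as $dfsPath"
}
```

Run it once with `-WhatIf` from the checklist step to see what would be created, then without it. Because the folder name is validated up front, the same value can be passed on to the icacls step below without further quoting concerns.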
```batch
echo "\\SERVER\D$\shared folders\%~1"
pause
REM Break inheritance once, then grant only the standard principals. The RW group
REM gets create/modify/delete-child rights but not DE, so members cannot delete the
REM shared folder itself. Group names must match those created by the PowerShell
REM script (DFS_<foldername> RW / RO).
icacls "\\SERVER\d$\shared folders\%~1" /inheritance:r /grant:r "SYSTEM":(OI)(CI)F /grant:r "DOMAIN\Domain Admins":(OI)(CI)F /grant:r "DOMAIN\DFS_%~1 RW":(OI)(CI)(S,X,RD,RA,REA,WD,AD,WA,WEA,DC,RC) /grant:r "DOMAIN\DFS_%~1 RO":(OI)(CI)RX
REM Access-based enumeration on the DFS folder: only these principals see the link
dfsutil property sd grant "\\domain.local\q\%~1" "DOMAIN\Domain Admins":RX protect
dfsutil property sd grant "\\domain.local\q\%~1" "DOMAIN\DFS_%~1 RW":RX protect
dfsutil property sd grant "\\domain.local\q\%~1" "DOMAIN\DFS_%~1 RO":RX protect
pause
```
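Standardized NTFS rights only stay standardized if someone checks them, and folders that "come and go" tend to leave behind re-enabled inheritance, extra ACEs, orphaned SIDs or deleted groups. The following audit script is an added example, not code from the original article or the product; the root path, domain and `DFS_<folder> RW/RO` naming are placeholders matching the scripts above. It walks every folder below the shared-folders root, compares the ACL against the model the icacls step sets, and reports each deviation.

```powershell
# Added example (not from the original article): report NTFS ACL drift for every
# folder below the shared-folders root. Root, domain and group naming are
# placeholders that follow the provisioning scripts above.
param(
    [string]$Root   = '\\servername\d$\shared folders',
    [string]$Domain = 'DOMAIN'
)
Import-Module ActiveDirectory

# The only principals that should appear on a folder; anything else is drift.
function Get-ExpectedPrincipals([string]$folder) {
    @(
        'NT AUTHORITY\SYSTEM',
        "$Domain\Domain Admins",
        "$Domain\DFS_$folder RW",
        "$Domain\DFS_$folder RO"
    )
}

function Test-FolderAcl([string]$path, [string]$folder) {
    $acl      = Get-Acl -LiteralPath $path
    $expected = Get-ExpectedPrincipals $folder
    $present  = @($acl.Access | ForEach-Object { $_.IdentityReference.Value })
    $findings = @()

    # icacls /inheritance:r must still be in effect, otherwise parent permissions leak in.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'inheritance is enabled'
    }

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') {
            $findings += "deny ACE for $id"
        } elseif ($id -notin $expected) {
            # Orphaned SIDs (deleted groups) show up here as raw S-1-5-... values.
            $findings += "unexpected principal $id ($($ace.FileSystemRights))"
        } elseif ($id -like '*RO' -and
                  ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)) {
            $findings += "read-only group $id has write rights"
        }
    }

    foreach ($p in $expected) {
        if ($p -notin $present) { $findings += "missing principal $p" }
    }

    # The groups themselves must still exist in AD, or the ACE is dead weight.
    foreach ($g in "DFS_$folder RW", "DFS_$folder RO") {
        if (-not (Get-ADGroup -Filter { Name -eq $g } -ErrorAction SilentlyContinue)) {
            $findings += "AD group $g does not exist"
        }
    }

    [pscustomobject]@{
        Folder    = $folder
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

Get-ChildItem -LiteralPath $Root -Directory |
    ForEach-Object { Test-FolderAcl -path $_.FullName -folder $_.Name } |
    Sort-Object Compliant, Folder |
    Format-Table -AutoSize
```

Run it from a host with RSAT as an account that can read the folder ACLs; non-compliant folders sort to the top. Scheduling it and diffing the output over time turns the naming and rights standard described above into something you can actually verify.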
Available fields and references
- Active
- In-Active date – when was this deactivated / retired
- Deployment Status – you can adjust this in settings
- Category
- Sub-Category
- Title
- Description
- Employee / Owner
- Related LDAP groups
- Checklists
- TAGs
- Notes
- Created on and by
- Last edited on and by
- Record history