Many IT services in the department make use of groups in the Admitto system for access control. Group computer reps have the ability to add and remove people from access groups within their own research group. The following things can be managed in this way:
- (Usually) Managed fileservers
- Old-style group webservers
- Most compute servers
- Membership of certain Unix groups
It works by delegating rights in Active Directory (the software behind Admitto) to the appropriate group computer reps group. Any tool that can edit Active Directory (for example, the standard Windows tool "Active Directory Users and Computers", also known as "ADUC") can be used by group reps to change the membership of groups they control. We also provide a set of scripts on our managed Linux workstations and compute machines which can do this. All the scripts have built-in help, which can be seen by running them with the -h flag. The scripts that are most likely to be useful are:
- add-user-to-group
- remove-user-from-group
- get-dms-groups (shows you what groups you can edit)
To see the current membership of a group on Linux, use the standard Linux 'getent group <groupname>' command. NB compute cluster systems only contain a subset of the available groups, so this is best done on a managed Linux workstation.
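For a periodic access review, the 'getent group' output can be compared against a list of people who are supposed to have access. The script below is an added example, not one of the department's scripts; the function names and the roster file format (one username per line, '#' for comments) are assumptions.

```shell
#!/bin/sh
# Access review for one group: compare live membership with an approved roster.
# Usage: sh review-group.sh <groupname> <roster-file>   (script name is hypothetical)

# Print the members from a getent-style line (name:passwd:gid:m1,m2), sorted.
members_from_line() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d' | sort -u
}

# Print the approved usernames from a roster file, sorted.
roster_users() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" | sort -u
}

# review_line <getent line> <roster file>
# Prints "UNEXPECTED user" (in the group, not approved) and "MISSING user"
# (approved, not in the group). Returns 1 if there is any difference.
review_line() {
    tmp_live=$(mktemp); tmp_ok=$(mktemp)
    members_from_line "$1" > "$tmp_live"
    roster_users "$2" > "$tmp_ok"
    out=$( { comm -23 "$tmp_live" "$tmp_ok" | sed 's/^/UNEXPECTED /'
             comm -13 "$tmp_live" "$tmp_ok" | sed 's/^/MISSING /'; } )
    rm -f "$tmp_live" "$tmp_ok"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# review_group <groupname> <roster file>
# Returns 2 when the group is not known on this host, which can happen on
# compute cluster systems because they only carry a subset of the groups.
review_group() {
    line=$(getent group "$1") || {
        echo "group '$1' not visible here; try a managed Linux workstation" >&2
        return 2
    }
    review_line "$line" "$2"
}

# Run the review only when called with both arguments.
if [ "$#" -eq 2 ]; then
    review_group "$1" "$2"
fi
```

Any UNEXPECTED entry is a candidate for remove-user-from-group, and any MISSING entry for add-user-to-group; run each script with -h for its usage.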