1. Active Directory
On-Prem on-boarding

1. Copy user account. 
Add (adm) to end of full name. 
Set User logon name to new format (xxxx-adm).
Do not change User logon name (pre-Windows 2000).

Add description as business - team - admin account 


3. Create new np account.
Ensure '(np)' follows in the 'full name' field.
User logon name should be First.last. 
Logon pre-Windows 2000 defined as xxxx

Add description as business - team - Non-Privileged Account
Remove (np) from display name
Add email address into empty email field in AD
Set password to not expire, and enable smartcard.


4. Add the np account to Citrix Hosted Desktop access in on-prem AD and to the Team group (bt-team-xxxxx). If there is no relevant team, follow this KB

5. Add the admin account to the required admin group (bt-admins-xxxx)

6. Cross-reference permissions in Azure and AD to ensure correct permissions. If unsure, give less permissions.
7. If the user is new, check the required permissions and add the user to serveradmins_xxxxxx AD groups



2. Password Safe Admin

1. Go to Password Safe > config > user management.

2. Sync the Team group by selecting the group and hit sync - you will see team numbers change if this has worked.
3. Sync BT-All-Non-Priv-User.
4. Select Smart Rules from left menu, select Managed Account in the drop-down menu > account smart rules, locate onboarding smartrule for recent adm account addition and sync.

5. Go to config > user management, locate the smart group (maddocks.com.au\BT-Team-XXXXX), select kebab menu and 'account details'. Go to smart groups tab, and find Map Accounts smart group.
6. Go to managed accounts, locate the account mapping category that’s relevant and process it.
7. Go to managed accounts, filter by smartrule which just had changes - you will see the recent adm account.
  


3. Azure
1. Find out what access exists for the user admin accounts (AD, AAD groups, …)
2. Create new admin account with new naming convention in Azure: (xxxx)-az-adm, with display name: John User (az-adm)


3. Add user to BT-AZ-Amins
4. Go to Azure, locate sec-contrib groups that are defined within previous accounts and add user to them - all this information should be defined by an access spreadsheet.
5. Cross-reference assigned roles in Azure and apply them to the new az-adm account
6. Cross-reference groups in Azure and apply them to the new az-adm account

PRA Admin
Follow this process if it's a new team to onboard. 
https://maddocks.beyondtrustcloud.com/
Log in as admin

Jump Tab
Jump Groups
- Add jump group
- Follow standardised naming convention 

Configuration Tab
Teams
+add team
- Follow standardised naming convention 

Users and Security Tab
Security Providers
- Add team (BT-Team-***) to Authorisation settings in SAML - this is assuming the team is already on-boarded. 
Group Policies
- Copy policy, change name, remove teams, remove jump group.
- Add team and jump group
- Set session policy to internal/vendors

4. Providing credentials to user

1. Locate User in Active Directory and ensure that their password is set to not expire, and smartcard enabled. 
2. Provide user with magic links via their non-maddocks email, along with the setup instructions found in the KBs linked below
3. There are two different processes here to follow, one is for non-admins, and the other is for admins.
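
A check that can be run before credentials are handed over, covering the account conventions in section 1 and the password/smartcard check in section 4 step 1. This is an added example, not part of the original procedure. The function name Test-OnboardedAccount, the sample objects and the example.com domain are hypothetical. It assumes "full name" is the AD Name (cn) attribute and that the password and smartcard settings apply to the np account, as in section 1 step 3.

```powershell
# Added example. Input objects use the property names Get-ADUser returns, e.g.
#   Get-ADUser -Identity <account> -Properties DisplayName,Description,EmailAddress,
#     PasswordNeverExpires,SmartcardLogonRequired | Test-OnboardedAccount -Type np
function Test-OnboardedAccount {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [Parameter(Mandatory)] [ValidateSet('adm', 'np')] [string] $Type
    )
    process {
        $issues = @()
        # "User logon name" in ADUC is the part of the UPN before the @
        $logon = ([string]$Account.UserPrincipalName -split '@')[0]
        # Assumption: "full name" is the AD Name (cn) attribute
        if ($Account.Name -notmatch ('\(' + $Type + '\)$')) { $issues += "full name must end with ($Type)" }
        if ($Type -eq 'adm') {
            if ($logon -notmatch '-adm$') { $issues += 'logon name must end with -adm' }
            if ($Account.Description -notmatch '- admin account$') { $issues += 'description must end with "- admin account"' }
        }
        else {
            if ($Account.DisplayName -match '\(np\)') { $issues += 'display name must not contain (np)' }
            if ($logon -notmatch '^[^.\s]+\.[^.\s]+$') { $issues += 'logon name must be First.last' }
            if ($Account.Description -notmatch '- Non-Privileged Account$') { $issues += 'description must end with "- Non-Privileged Account"' }
            if ([string]::IsNullOrWhiteSpace($Account.EmailAddress)) { $issues += 'email address is empty' }
            if (-not $Account.PasswordNeverExpires) { $issues += 'password is not set to never expire' }
            if (-not $Account.SmartcardLogonRequired) { $issues += 'smartcard logon is not enabled' }
        }
        [pscustomobject]@{
            Account   = $Account.SamAccountName
            Type      = $Type
            Compliant = ($issues.Count -eq 0)
            Issues    = $issues -join '; '
        }
    }
}

# Constructed sample objects (not real accounts) so the check runs without a domain
$adm = [pscustomobject]@{
    SamAccountName = 'jusr-adm'; Name = 'John User (adm)'
    UserPrincipalName = 'jusr-adm@example.com'; Description = 'IT - Infrastructure - admin account'
}
$np = [pscustomobject]@{
    SamAccountName = 'jusr'; Name = 'John User (np)'; DisplayName = 'John User (np)'
    UserPrincipalName = 'John.User@example.com'; Description = 'IT - Infrastructure - Non-Privileged Account'
    EmailAddress = ''; PasswordNeverExpires = $true; SmartcardLogonRequired = $false
}
$adm | Test-OnboardedAccount -Type adm | Format-List   # compliant
$np  | Test-OnboardedAccount -Type np  | Format-List   # three issues reported
```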