Network Account Management
- averyariford
- Feb 5, 2024
Updated: Feb 11, 2024
New User Procedure
Summary
This document provides instructions for creating a new network/Windows account for [Redacted] staff.
Table of Contents
A) Important Details/FAQ
B) Authorized Users: Account Creations & Modifications
C) Authorized Users: MyUnity Specialized Access
D) Authorized Approvers: Email Distribution Groups
E) X: Drive File Procedure
F) Network Account Creation Procedure
G) Additional Application Setup
H) Procedure for Completing Ticket & Finishing Account
A) Important Details/FAQ
Agency Staff
Due to the nature of agency staffing, agency staff creation and termination tickets must be dispatched, created, and worked as a Severity 2 issue.
Starting 11-01-21, agency staff are allowed two weeks of access to MyUnity/Windows.
[Redacted] Rehab Users
At [Redacted], users only get a MyUnity account.
They will access the domain using the [Redacted] shared network account.
We must never change the [Redacted] shared network account password.
Request Forms
Most user requests must include the user request form and come from a supervisor.
As of 7/10/18, no accounts may be created without the request form, per the Director of IT.
The form has two-factor authentication and cannot be submitted without clicking a link in the email.
The person whose email address is listed in the form is the actual submitter, so we need to confirm that this person is an official approver on the list below.
If a [Redacted] request arrives without the user form, please let the requester know they can locate the form on the Intranet [Redacted] under Departments > Information Technology.
The form is on the right side at the top. Completed forms should be emailed to [Redacted]
We may perform immediate terminations and create/modify surveyor accounts without request forms.
In these cases, the requester must submit a user request form within one business day.
Keep your work order open so you can follow up until we have the form, and email the user’s name to [Redacted] so everyone is aware that the form goes to you when it arrives.
If the form does not arrive after one business day, follow up with your lead.
All Corporate users must be added to the [Redacted] AD security group.
All Nutrition Management email requests must be directly approved by [Redacted]. These include dieticians, kitchen and maintenance staff, etc.
We should not make generic/shared local accounts such as “nursing”. We only make named accounts.
At [Redacted], they have regular access (email, X: and H: Drives).
They do not use MyUnity at [Redacted].
B) Authorized Users: Account Creations & Modifications
Please refer to Appendix A: Master List of Authorized Approvers for Account Management Requests [Hyperlink Removed] for the list of approved users.
These users are supervisors or management leaders who can request account creations for both network and MyUnity accounts.
No one, aside from [Redacted], can reactivate or grant additional access to themselves, even if they are designated approvers.
Only designated approvers can request changes and only when requesting it for someone other than themselves.
[Redacted] can reactivate or grant access to themselves or anyone else.
C) Authorized Users: MyUnity Specialized Access
Please refer to Appendix A: Master List of Authorized Approvers for Account Management Requests [Hyperlink Removed] for the list of approved users.
Specialized access can entail:
MyUnity Access – Clinical
MyUnity Access – CRM
MyUnity Access – Financials
MyUnity Access – Citrix
D) Authorized Approvers: Email Distribution Groups
Please refer to Appendix A: Master List of Authorized Approvers for Account Management Requests [Hyperlink Removed] for the list of approved users.
If the needed distribution group is not listed here, please ask [Redacted] who should approve its access.
[Redacted] must give approval for the creation of any distribution groups.
Please contact them at [Redacted].
Once approval has been confirmed, provide the requested Primary and Backup approver staff members' information to [Redacted].
E) X: Drive File Procedure
Please refer to Appendix A: Master List of Authorized Approvers for Account Management Requests [Hyperlink Removed] for the list of approved users.
[Redacted] must give final approval for all X: Drive Access.
Please copy her when you email the Primary Approver and do not grant any access until she approves the request as well.
If it’s a new folder, please follow up with [Redacted] to confirm that the X: Drive folder can be created.
Once approval has been confirmed, provide the requested Primary and Backup approver staff members' information to [Redacted].
No one is allowed Read/Write access to the Admissions folder under [Redacted] without the explicit approval of [Redacted].
If you do not hear back from approvers after requesting approval for groups/DFS access, inform [Redacted]. They will contact the approver directly.
Steps to Add X Drive Access
1) Open File Explorer and select Departments > [Redacted]. The example is the [Redacted] folder.
2) Right-click [Redacted] and choose the Security tab.
3) Look at the groups that grant access.
4) If the request doesn’t specify, follow up with the requestor to ask whether Read Only or Read/Write access is needed.
5) Grant only the specific access requested.
F) Network Account Creation Procedure
Create User Account
1) Remotely access the domain controller associated with the user's location via Automate. Credentials can be found here [Hyperlink Removed].
[Information Table Redacted]
For remote users needing a password reset, use the domain controller associated with their VPN profile or with their main location.
For Housing sites, use the [Redacted] DC.
2) Open Active Directory Users and Computers.
3) Search for the last name of the proposed new user to confirm that the user does not have an existing account.
Ensure no one is already using the username produced by the naming scheme firstinitiallastname.
For example, Jane Doe would be jdoe.
If there is already a user with that username, add a 1 for the new user.
If the first and last names match exactly, follow up with the requestor to confirm if the existing user is the same as the new user.
The Full and Display Names need to be Lastname, Firstname.
For hyphenated last names, use the full last name with no hyphen in the email address. For the display name, use the hyphenated name.
Example: [Redacted] would be [Redacted] with Display being [Redacted].
4) Drill down to The Organization > Users and click on the facility name. See the list below for the appropriate facility.
[Information Table Redacted]
5) Once you click the facility name, you’ll see a list of users in the right pane.
On the top bar, click the icon for New User and enter information.
Do not set the password to never expire.
6) Double-click the new user and open the Member Of tab.
Add them to the appropriate distro/security groups in the User Request Form, but only after approval.
If you are unsure, please ask the requester if there's another user's network account we can mirror for a better idea of what access is needed.
7) Go to the Profile tab and then choose Home Folder.
Map H: to [Redacted].
Paste this without changing the text.
It should still read %username% when you paste it into AD.
This will automatically create the folder with the correct username after selecting Apply.
8) Fill out as much information as possible under the Address, Telephones, and Organization tabs.
You can copy most of it (not phone/fax) from someone else at the same location or use Site info in ConnectWise.
9) Right-click the new user in AD and choose Rename. Use Last Name, First Name format.
Ensure you change both the Full Name and Display name to Last Name, First Name.
Hit OK.
10) Add any approved AD network security groups.
Do not assign security groups to AD objects not explicitly listed in the request without consulting with SD Management and/or [Redacted].
Any user receiving an email mailbox should be added to the [Redacted] group.
If the user requires an email account set up, please add them to the M365 E3 and M365 MFA security groups.
Ensure that the email field for the AD account is filled out (use the following convention: [Redacted]).
All Nutrition Management email requests must be directly approved by [Redacted].
These include dieticians, kitchen, and maintenance staff, among others.
For [Redacted] users only, we add the [Redacted] AD group, which controls access to calendars; this is for anyone actually working at Corporate, not all users requested from someone at Corporate.
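The settings from steps 3 to 10 can be checked once the account exists. The PowerShell function below is an added example, not part of the original procedure: it audits account objects for the password-expiry, naming, home-folder and M365 group rules stated above. It assumes the groups' common names are exactly `M365 E3` and `M365 MFA`; the sample accounts, file server name and distinguished names are constructed placeholders.

```powershell
# Added example. Works on objects from Get-ADUser -Properties DisplayName,
# PasswordNeverExpires,HomeDrive,HomeDirectory,EmailAddress,MemberOf
function Test-NewAccount {
    param([Parameter(Mandatory, ValueFromPipeline)] $User)
    process {
        $findings = @()
        $expected = '{0}, {1}' -f $User.Surname, $User.GivenName
        # Step 5: the password must be allowed to expire.
        if ($User.PasswordNeverExpires) { $findings += 'Password is set to never expire' }
        # Steps 3 and 9: Full Name and Display Name are "Lastname, Firstname".
        if ($User.Name -ne $expected)        { $findings += "Full Name is not '$expected'" }
        if ($User.DisplayName -ne $expected) { $findings += "Display Name is not '$expected'" }
        # Step 7: H: is mapped and %username% was expanded to this account's name.
        if ($User.HomeDrive -ne 'H:') { $findings += 'Home drive is not H:' }
        if ($User.HomeDirectory -notlike "*\$($User.SamAccountName)") {
            $findings += 'Home folder does not end in the username'
        }
        # Step 10: mailbox users need both M365 groups and the email field.
        $groups = @($User.MemberOf) -replace '^CN=([^,]+),.*$', '$1'
        if ($groups -contains 'M365 E3') {   # assumed group common names
            if ($groups -notcontains 'M365 MFA') { $findings += 'In M365 E3 but not M365 MFA' }
            if (-not $User.EmailAddress)         { $findings += 'AD email field is empty' }
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Compliant      = ($findings.Count -eq 0)
            Findings       = $findings
        }
    }
}
# Constructed sample accounts (not real users); server name and DNs are placeholders.
$ou = 'OU=Groups,DC=example,DC=com'
$samples = @(
    [pscustomobject]@{
        SamAccountName = 'jdoe'; GivenName = 'Jane'; Surname = 'Doe'
        Name = 'Doe, Jane'; DisplayName = 'Doe, Jane'; PasswordNeverExpires = $false
        HomeDrive = 'H:'; HomeDirectory = '\\fs.example.com\home\jdoe'
        EmailAddress = 'jdoe@example.com'
        MemberOf = @("CN=M365 E3,$ou", "CN=M365 MFA,$ou")
    },
    [pscustomobject]@{
        SamAccountName = 'jdoe1'; GivenName = 'John'; Surname = 'Doe'
        Name = 'John Doe'; DisplayName = 'John Doe'; PasswordNeverExpires = $true
        HomeDrive = 'H:'; HomeDirectory = '\\fs.example.com\home\%username%'
        EmailAddress = $null; MemberOf = @("CN=M365 E3,$ou")
    }
)
$samples | Test-NewAccount | Format-List
```

The first sample passes every check; the second is reported with six findings, including the non-expiring password and the M365 E3 membership without M365 MFA.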
Create Email Account
In the tenth step of the user account creation process, if the user requires email, they should have been added to the M365 E3 security group.
Once a user is added to this group, they will be licensed for email in 365, and an email account will automatically be created once AD syncs with 365.
This can take up to 30 minutes.
There should be no need to log into 365 for the account creation process.
If you need to make changes to the mailbox or would like to verify that the mailbox is present, go to the Microsoft Partner Center and log in with your [Redacted] (admin) account.
Once logged in, select [Redacted].
If you do not have access to the Microsoft Partner Center, please follow up with your lead.
G) Additional Application Setup
[Information Table Redacted]
H) Procedure for Completing Ticket & Finishing Account
1) For new full Windows user tickets that require hardware and additional software, move the ticket to the [Redacted].
Make both [Redacted] resources so they can configure the workstations.
Please note specifically what they must do, such as "configure new user's Outlook and RFMS."
[Redacted] will also be configured as resources for any WorxHub, RL6 or Silver Chair software; this software is configured by the facility, and they'll ensure the accounts are created.
2) Within ConnectWise, email the contacts for any applications the contact needs.
If you don't get a reply in a timely manner from the [Redacted] employee approving application access, i.e., within 48 hours, escalate the application user configuration to [Redacted].
They will follow up with the necessary parties and get it configured.
3) Once access is configured, record the credentials for every app we configured in ConnectWise under an internal note.
4) [Redacted] requires that all user credentials be sent via encrypted email to ensure secure transmission of sensitive information.
Please follow the Outlook encryption process outlined in the How to Send an Encrypted Email into Ticket [Hyperlink Removed] article.
Credentials should be sent to the requester and CC'ed to the user's supervisor, [Redacted], and any additional contacts provided on the new user request form.