deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 05:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update admin-group-management-for-surface-hub.md (#207)

Browse Source 
* Update admin-group-management-for-surface-hub.md

* Update admin-group-management-for-surface-hub.md

* Update admin-group-management-for-surface-hub.md
This commit is contained in:
isaiahng 2016-09-21 15:05:25 -07:00 committed by Trudy Hakala
parent a74b65e311
commit edd1af919e
1 changed files with 21 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
devices/surface-hub/admin-group-management-for-surface-hub.md
View File

@ -14,96 +14,52 @@ localizationpriority: medium
# Admin group management (Surface Hub)
Every Microsoft Surface Hub can be configured individually by opening the Settings app on the device. However, to prevent people who are not administrators from changing the settings, the Settings app requires administrator credentials to open the app and change settings.
Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app.
## Admin Group Management
You can set up administrator accounts for the device in one of three ways:
You can set up administrator accounts for the device in any of three ways:
- Create a local admin account
- Domain join the device to Active Directory (AD)
- Azure Active Directory (Azure AD) join the device
- Create a local admin account.
- Domain join the device to Active Directory (AD).
- Azure Active Directory (Azure AD) join the device.
### Create a local admin account
To create a local admin, choose to use a local admin during first run. This will create a single local admin account on the Surface Hub with the username and password of your choice. These same credentials will need to be provided to open the Settings app.
To create a local admin, [choose to use a local admin during first run](first-run-program-surface-hub.md#use-a-local-admin). This will create a single local admin account on the Surface Hub with the username and password of your choice. Use these credentials to open the Settings app.
Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admins password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD tenant, then youll need to [reset the device](device-reset-surface-hub.md) and go through the first-time program again.
Note that the local admin account information is not backed by any directory service. We recommend you only choose a local admin if the device does not have access to Active Directory (AD) or Azure Active Directory (Azure AD). If you decide to change the local admins password, you can do so in Settings. However, if you want to change from using the local admin account to using a group from your domain or Azure AD organization, then youll need to reset the device and go through first-time setup again.
### Domain join the device to Active Directory (AD)
You can set a security group from your domain as local administrators on the Surface Hub after you domain join the device to AD. You will need to provide credentials that are capable of joining the domain of your choice. After you domain join successfully, you will be asked to pick an existing security group to be set as the local admins. Anyone who is a member of that security group can enter their credentials and unlock Settings.
You can domain join the Surface Hub to your AD domain to allow users from a specified security group to configure settings. During first run, choose to use [Active Directory Domain Services](first-run-program-surface-hub.md#a-href-iduse-active-directoryause-active-directory-domain-services). You'll need to provide credentials that are capable of joining the domain of your choice, and the name of an existing security group. Anyone who is a member of that security group can enter their credentials and unlock Settings.
>**Note**  Surface Hubs domain join for the single purpose of using a security group as local admins. Group policies are not applied after the device is domain joined.
>**Note**  Surface Hubs use domain join only to set up an admin group for the device. Group policies are not applied after the device is domain joined
 
>**Note**  If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, [reset the device](device-reset-surface-hub.md) first.
>**Note**  If your Surface Hub loses trust with the domain (for example, if you remove the Surface Hub from the domain after it is domain joined), you won't be able to authenticate into the device and open up Settings. If you decide to remove the trust relationship of the Surface Hub with your domain, reset the device first.
 
### Azure Active Directory (Azure AD) join the device
You can set up IT pros from your Azure AD organization as local administrators on the Surface Hub after you join the device. The people that are provisioned as local admins on your device depend on what Azure AD subscription you have. You will need to provide credentials that are capable of joining the Azure AD organization of your choice. After you successfully join Azure AD, the appropriate people will be set as local admins on the device. Any user who was set up as a local admin as a result of this process can enter their credentials and unlock the Settings app.
You can Azure AD join the Surface Hub to allow IT pros from your Azure AD tenant to configure settings. The people who are provisioned as admins on your device depend on your Azure AD subscription. During first run, choose to use [Microsoft Azure Active Directory](first-run-program-surface-hub.md#a-href-iduse-microsoft-azureause-microsoft-azure-active-directory). You will need to provide credentials that are capable of joining the Azure AD tenant of your choice. After you successfully Azure AD join, the appropriate people will be added as admins on the device.
>**Note**  If your Azure AD organization is configured to automaitwith mobile device management (MDM) enrollment, Surface Hubs will be enrolled into MDM as a result of joining Azure AD. Surface Hubs that have joined Azure AD are subject to receiving MDM policies, and can be managed using the MDM solution that your organization uses.
>**Note**  If your Azure AD organization is configured to automatically enroll devices into mobile device management (MDM), you will need to disable this for the Surface Hubs you plan to join to Azure AD, and manually enroll into MDM using Settings. A known issue prevents Surface Hubs from supporting this setting.
 
### Which should I choose?
If your organization is using AD or Azure AD, we recommend you either domain join or join Azure AD, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with you domain or organization.
If your organization is using AD or Azure AD, we recommend you either domain join or Azure AD join, primarily for security reasons. People will be able to authenticate and unlock Settings with their own credentials, and can be moved in or out of the security groups associated with your domain.
We recommend that a local admin be set up only if you do not have Active Directory or Azure AD, or if you cannot connect to your Active Directory or Azure AD during first run.
### Summary
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Option</th>
<th align="left">Requirements</th>
<th align="left">Which credentials can be used for the Settings app?</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">Use a local admin.</td>
<td align="left">None.</td>
<td align="left">The user name and password specified during first run.</td>
</tr>
<tr class="even">
<td align="left">Use Active Directory domain services.</td>
<td align="left">Your organization is using Active Directory (AD).</td>
<td align="left">Any Active Directory user from a specific security group in your domain. </td>
</tr>
<tr class="odd">
<td align="left">Use Microsoft Azure Active Directory</td>
<td align="left">Your organization is using Azure AD Basic.</td>
<td align="left">Global administators only.</td>
</tr>
<tr class="even">
<td align="left"></td>
<td align="left">Your organization is using Azure AD Premium.</td>
<td align="left">Global administrators and other specified users.</td>
<td align="left"></td>
</tr>
</tbody>
</table>
 
 
 
| Option | Requirements | Which credentials can be used to access the Settings app? |
|---------------------------------------------------|-----------------------------------------|-------|
| Create a local admin account | None | The user name and password specified during first run |
| Domain join to Active Directory (AD) | Your organization uses AD | Any AD user from a specific security group in your domain |
| Azure Active Directory (Azure AD) join the device | Your organization uses Azure AD Basic | Global administators only |
| | Your organization uses Azure AD Premium | Global administrators and other specified users |