Category Archives: All Groups

Service Desk Digest – 6/16/2022


Welcome to Summer!

We are starting to (finally) get caught up on the ticket queue. Huge thanks to Max for hiring a record number of student techs this year, and thanks to our student techs for being here! Every day the OSU community fill out surveys saying how consistently helpful, kind, efficient, and courteous you all are. Thank you for everything you do.

I haven’t done a blog post in a while. This time, I’m focusing on some items that tend to come up a lot at the end of the school year. Let me know if you have questions! It’s smart to ask questions. If there are items you would like to see in a future blog post, let me know.

Extend VPN Access

VPN access is lost when a person is no longer a current employee or student. VPN access can be extended temporarily by request of another employee who is still current. There is a specific form to use. Service Desk can then grant the access in that case. Details here: VPN – Extend Access for Non-Current ONID User (Internal)

Extend Library Access

Library access is also lost when someone is no longer a current student or employee. Library access can be extended by request. The form creates a ticket for Library staff to process. For details, see: Library – Access Denied to OSU Online Library or Interlibrary Loan

Extend ONID Account Access

Students who have recently left but whose ONID accounts are still around can request temporary access to ONID. Often this is done to give the person time to grab their files, or to allow them to sign in to Online Services and retrieve pay stubs or tax forms. We escalate these requests to IAM. IAM cannot extend access to allow a former employee to get to their Exchange email. See “Former Employees” below.

This is also a good time to review one of our most requested knowledge articles, very popular at this time of year: ONID – Account Eligibility and Duration

Former Employees and Email Access

Former employees – people who have no current job and have been “terminated” in Banner – are not allowed to access their former Exchange email (this control does not apply to Gmail at the moment).

If someone has retired and needs access to some personal items in their mailbox, or if their department needs access to work items in their account, we can grant their former supervisor or other department contact temporary access to the mailbox in order to retrieve the items. See: Exchange Online – Former Employee Can’t Access Outlook; Error “You cannot access this right now” or “Error Code: 53003”

If the former employee is still doing some work for the department, or will be again soon, the department can sponsor their ONID account. Sponsoring the account restores access to Exchange email.

Special cases:

  • Retirees who show with “retiree” affiliation in RefTool are eligible for a special retiree mailbox. Before they can sign up for that, their original ONID account has to be deleted and recreated. It is recommended that all former employees, including retirees, grab any items they need before their job ends.
  • Emeritus have a special status with their department and will show with “emeritus” affiliation in RefTool. They are treated basically like employees and maintain access to their ONID account and all typical services.

Pro tip: sometimes people claim they have a status but they actually don’t. Check RefTool. If what they say doesn’t match what you see, they should talk to their department to get the right paperwork processed.

P: or S: Drive Keep Disappearing

If we have re-mapped a drive for a customer but it keeps disappearing for them, ask if they have changed jobs recently.

When a person moves from one department to another, we need to move their account to the right OU in Active Directory to ensure they get the right drive mappings. If we miss that step, group policy will not be able to auto-map their drives for them. The symptom to look for is: it’s not mapping automatically, or it keeps disappearing, but we are able to manually map just fine.

Escalating to CX Tier 2 Desktop Support

If you haven’t heard, we are splitting up our workload into tier 1 (Service Desk) and tier 2 (CX desktop support). For CX-supported customers/computers we now have the option to escalate to a dedicated tier 2 team who can handle more advanced troubleshoots and in-office appointments.

The Service Desk will continue to be the first point-of-contact for customers.

The CX Tier 2 Desktop Support team are housed in the basement of Strand Ag. The members of the team are documented here: https://oregonstate.teamdynamix.com/TDClient/1935/Portal/KB/ArticleDet?ID=27764#tier2ds

In TeamDynamix, they are: CX Tier 2 Desktop Support

In the Customer Experience team in Teams, you can notify the Desktop Support team by using the @tier2ds tag.

Please read the following KB for escalation instructions: https://oregonstate.teamdynamix.com/TDClient/1935/Portal/KB/ArticleDet?ID=77269#tier2ds

When escalating, please use the TeamDynamix template called “CX Tier 2 Desktop Support Escalation” and record the following information:

  • Who is the end-user?
  • What computer (or add the asset)?
  • Where are they located?
  • What symptoms/errors were seen?
  • What steps were tried?
  • Wireless or wired?

Please record as much information as you can during the first contact with the customer. This saves time and frustration for everyone later!

Q and A:

  • Q: Can I escalate questions about personal devices?
  • A: If the customer is a CX-supported customer using a personal device for work, this may be appropriate. If you’re not sure, ask in Teams.
  • Q: The customer is not a CX-supported customer; can I escalate their ticket to tier 2?
  • A: No. The tier 2 team is a premium service for CX-supported customers. (CX-supported customers are labeled as such in RefTool, usually. For a list, see: https://oregonstate.teamdynamix.com/TDClient/1935/Portal/KB/ArticleDet?ID=53440)
  • Q: Can we still schedule in-office appointments as before?
  • A: Yes. Make sure to assign the ticket to the technician who has the appointment and use the “CX Tier 2 Desktop Support Escalation” template to capture the information the technician will need.
  • Q: I’ve been on the phone with the customer for a while and can’t think of anything to try – can I just escalate the ticket to tier 2?
  • A: Please try to exhaust all tier 1 resources first, including searching our knowledge base and asking for help on Teams. Please don’t “punt” customers to tier 2.
  • Q: Is there a phone number I can transfer calls to for tier 2?
  • A: No. Let the customer know you are making a ticket and escalating it, and that someone will get back to them shortly. Or, schedule an in-office appointment as appropriate.
  • Q: When should I schedule an in-office appointment versus assigning a ticket to tier 2 and letting them follow up to schedule?
  • A: Use good judgment. If the problem is pretty well-understood but requires on-site work (example: setting up a computer in someone’s office) scheduling an appointment makes sense. If the problem is “weird” and may require some research, let the customer know someone will get back to them about scheduling and reassign the ticket to tier 2. If the customer is calling in to make an appointment, of course make an appointment!
  • Q: Normally I would escalate this issue to IAM or Canvas or Office 365 teams. Should I still do that?
  • A: Yes. If there was already an established escalation path for that issue, please continue to use that. CX Tier 2 Desktop Support is more for general desktop support troubleshooting and questions, like software issues, network issues, printing issues, etc., and is for CX-supported customers only.
  • Q: Should I assign accounts issues to CX Tier 2?
  • A: No. Those still go to the CN Accounts team.
  • Q: Can we still dispatch a technician to someone’s office if they need urgent in-person help?
  • A: Yes! If you are working on-site in Milne, you can still go to a customer’s office if needed. You can also ask on Teams (use tag @tier2ds) if anyone from the tier 2 team is available.
  • Q: I have other questions.
  • A: Please ask Kirsten or Lori on Teams. Thanks!

Reftool Groups Update – 11/16

Reftool will be updated today, 11/16, with a new Azure Groups feature.

Azure Groups Overview

Previously, RefTool would query the local domain controller for user groups. This would return many groups, but would often miss groups that were only in Azure or on a different domain controller. Querying Azure instead solves this issue and gives more information on each group, such as the specific on-premise domain it’s from, the description, and the type of group it is. Some examples of groups only in Azure are Microsoft Teams teams and some administrative groups.

User Interface Changes

The previous group display, located in the “Account Details” block, has been removed. A users groups will now display at the bottom of their user page. A “Jump to User Groups” button has been added to the “Account Details” block to allow you to quickly jump to the new groups display.

This screenshot shows the new “Jump to User Groups” button and shows how the old groups display is no longer there

The Azure Groups block itself is a simple table of information for all of a users groups. The following are some specifics about the table:

  • You can sort the “Group Name” and “Group Source” columns by clocking their headers
  • “Group Source” shows you which on-premise domain controller the user group was synced from or if it is a group only in Azure
  • The copy button will only copy the group name. Copying the DN is not possible
  • There is a “Get Nested Groups” button below the table that allows you to see groups that a user’s groups are members of. This feature is only recommended for advanced users
  • Groups are not instantly synced to Azure. The bottom left of RefTool shows the last sync time. Additionally, there are some cases where certain groups are not synced to Azure
Screenshot of the new groups display

Please contact OSU TeamDynamix Support with any questions or feedback.

Service Desk Digest

ONID Password Changes Due 10/27/2021

At about 9:00am on Wednesday, 10/27/2021, the first round of ONID password resets are due. There are 16,000 accounts in this first round, and several thousand still need to change their password. IAM are monitoring these numbers as we get closer to the deadline. Past ticket counts indicate that about 2-3% of customers need assistance with password change, so we are currently estimating about 80 additional calls on Wednesday. Several of our full-time staff have their schedules blocked that morning to help with tickets, and IAM will be helping with tickets as needed that day, too.

Parent ticket: Parent: Password Changes, August-November 2021

Please use the ticket form called “ONID Password Assistance” when helping customers.

Note that Service Desk has the ability to do reset PINs for students now – we do not need to refer to Registrar. Please verify identity as usual.

Athletics Firewall Migration 10/28/2021

On Thursday, 10/28/2021 at 6:30am-7:30am, the Athletics workstation firewall will be migrated to new equipment. Customers may notice a very brief outage, but most should not be impacted. If there are any issues after the change that appear to be firewall related, please contact Andre Farque or Tyler Pruitt on Teams.

Parent ticket: https://oregonstate.teamdynamix.com/TDNext/Apps/425/Tickets/TicketDet?TicketID=18365483

“Defend the Macs” – Upcoming Apple Management Changes

On Monday, 10/4/2021, an announcement will be sent to all CN and Cosine customers about changes coming for management of OSU-owned Apple devices.

The announcement notifies customers of the following upcoming changes:

  • All Apple devices will be enrolled in Microsoft Defender for Endpoint (MDE) for antivirus/antimalware.
  • All Apple devices will be enrolled in JAMF for OS and software updates and inventory. (Note: most CN Macs are already in JAMF, but most Cosine and Hatfield computers are not.)
  • New Apple devices will be domain-joined and users will login with their ONID account.
  • On New Apple devices, users will no longer have local admin, except in specific cases.
  • The use of Apple IDs and applications that require Apple IDs will be minimized.

The announcement is going out as a heads up to customers. However, at this time we are not quite ready to join all Macs to Active Directory. In particular, there are some issues with domain joining Big Sur computers. The Infrastructure and Endpoint teams are working on this issue and hope to have it resolved soon.

As we setup new Macs (or “rebuild” existing Macs) we should make sure they have MDE installed, but do not need to domain join them yet. I hope to have an update on that by the end of next week.

I have started an internal FAQ for questions about the “Defend the Macs” project and upcoming changes to Apple device management – let me know what additional questions you have: https://oregonstate.teamdynamix.com/TDClient/1935/Portal/KB/ArticleDet?ID=134596