Review AD groups

Ideally, you want one AD group for each PI group and PI identity on your Data Archive server. When you determined the needed sets of access permissions, you also compiled a list of PI users and PI groups that required those access permissions.

Hopefully, your AD configuration includes groups that somewhat match these required sets of access permissions. If not, work with your domain administrator to create or reconfigure AD groups for the Data Archive server. You need an AD group for each set of access permissions.

Each set of access permissions are associated with a PI identity, PI group, or PI user on the server. The ideal configuration is a one-to-one mapping between an AD group and a PI identity or a PI group.

The goal is for all of your users to get the same access permissions that they had before the upgrade. In most cases this should not be difficult. However, if you have a large number of users with different access permissions, then you are probably going to have some gaps on your first pass.

During this configuration period, you can rely on the access permissions for piadmin and the built-in PIWorld identity. You can create a mapping between an AD group representing your administrators and the PI user piadmin. All authenticated users get the access permissions defined for PIWorld. By default, PIWorld has read-only access to most Data Archive resources.

Note: If your domain administrator is unwilling to reconfigure AD, you can nest existing AD groups inside local Windows groups. See Understand local Windows security with AD.