
Laptop Onboarding & User Provisioning Workflow

Asset Procurement & Tagging

  • Hardware ordered before any account work begins

    • Laptop, monitor, keyboard-mouse combo, phone, laptop stand as required

  • Asset-tag convention

    • Prefix indicates colour of label: R = red, B = black

    • Four-digit running number, no spaces

    • Pattern: [RB]\d{4}

    • Upper-case preferred but not technically enforced

Active Directory (AD) – User Account Creation

  • Work from the on-premises AD Users & Computers console (not Entra first!)

  • Steps

    1. Find an existing user with similar role (use org chart or ask line manager)

    2. Right-click → Copy to duplicate group memberships & basic template

    3. Enter new employee’s full name

      • Username scheme: firstname.lastname

    4. Set initial password

      • Default format: welcome + initials + year + ! (e.g. welcomeCT24!)

      • User must change at first log-in

  • The copied account keeps the template user's group memberships; adjust afterwards (see “Groups” section)

Microsoft 365 Licence Assignment

  • Wait for Azure sync (≈ 15–20 min; on-prem → cloud)

  • In M365 Admin Center → Users → Active Users

    • Locate new account once it appears

    • Assign standard Microsoft 365 licence

  • Ordering extra licences (e.g. new SKU) is done through Vodafone portal, but ordinary assignment is via Admin Center

Copilot & ChatGPT Policy

  • Not blanket-issued

  • Only department heads hold default seats

  • Team leads or staff must request through line manager → approved by IT budget holder → licence purchased/allocated

Group Membership Review

  • New user inherits groups from the copied template user

  • Checklist

    • "All Managers" e-mail group → only if person manages staff

    • "Team Leads" group → only if appropriate

    • Remove any irrelevant inherited groups
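
The review above can be scripted once the account exists in on-prem AD. This is an added example, not part of the original notes: the function name and the sample accounts (jane.doe, john.smith) are made up, and it assumes the two checklist groups carry exactly those names in AD.

```powershell
#Requires -Modules ActiveDirectory
# Added example: post-creation review of an account copied from a template user.
# Account names below are constructed placeholders; group names are assumed to
# match the checklist wording.

function Test-NewUserProvisioning {
    param(
        [Parameter(Mandatory)][string]$NewUser,        # account just created
        [Parameter(Mandatory)][string]$TemplateUser,   # account it was copied from
        [string[]]$ReviewGroups = @('All Managers', 'Team Leads')
    )

    $user     = Get-ADUser -Identity $NewUser -Properties pwdLastSet
    $findings = [System.Collections.Generic.List[string]]::new()

    # Username scheme from the notes: firstname.lastname (hyphens allowed here as an assumption)
    if ($user.SamAccountName -notmatch '^[a-z-]+\.[a-z-]+$') {
        $findings.Add("Username '$($user.SamAccountName)' does not match firstname.lastname")
    }

    # pwdLastSet = 0 is how AD records "User must change password at next logon"
    if ($user.pwdLastSet -ne 0) {
        $findings.Add('Initial password is not flagged for change at first log-in')
    }

    $newGroups      = @(Get-ADPrincipalGroupMembership -Identity $NewUser).Name
    $templateGroups = @(Get-ADPrincipalGroupMembership -Identity $TemplateUser).Name

    # Role-dependent groups need an explicit yes from the line manager
    foreach ($g in $newGroups) {
        if ($g -in $ReviewGroups) {
            $findings.Add("Member of '$g': confirm that this role applies")
        }
    }

    [pscustomobject]@{
        User            = $user.SamAccountName
        InheritedGroups = @($newGroups | Where-Object { $_ -in $templateGroups })
        Findings        = $findings
    }
}

Test-NewUserProvisioning -NewUser 'jane.doe' -TemplateUser 'john.smith' | Format-List
```

Every entry under InheritedGroups came across with the copy and should be justified or removed before the task is ticked off.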

Local Admin (“Bob”) Account Standard

  • Every laptop gets a local admin called Bob

    • Password: Medipharma369 (case-sensitive)

    • Provided so IT can log on when domain trust breaks

  • Create via lusrmgr.msc → Users → New User

  • Ensure Administrator (built-in) account remains disabled

Initial Out-of-Box Experience (OOBE) on Laptop

  1. Power-on → choose language & keyboard layout

  2. Privacy prompts

    • Allow location services (first prompt)

    • Diagnostics: Required only

    • Ink/typing, tailored experiences, etc. → Decline/No

  3. DO NOT sign in as the new employee yet; log on as Bob first

Removing Bloatware / Conflicting AV

  • Via Control Panel → Programs & Features

    • Uninstall McAfee & WebAdvisor immediately

    • Optional: remove pre-installed Microsoft 365 (Click-to-Run) if different language pack will be installed

    • Default available pack: English (US) only

Standard Windows UI Tweaks

  • Taskbar (Right-click → Taskbar settings)

    • Search: Icon only

    • Disable Task view & Widgets

    • Taskbar alignment → Left

  • Set Control Panel icon view to Small icons for easier navigation

Joining Laptop to Domain (REN-labs)

  1. Connect Wi-Fi RENABS (internal network)

    • Guest Wi-Fi only allows Internet; cannot join domain or NetExtender

    • Guest password sample: fivefield369

  2. File Explorer → This PC → Properties → Advanced system settings → Computer Name

  3. Click Change → select Domain → enter renlabs.com

  4. Supply domain admin credentials when prompted

  5. Reboot → log on as domain user (not Bob) OR continue with Bob for configuration

  6. Device appears in AD under Computers; move to correct OU afterwards

Common Mistake Highlighted in Session

  • Joining via Entra/Azure AD instead of on-prem AD caused hybrid confusion → must first disconnect "Work or School" account if mis-joined

Post-Domain Configuration Checklist

  • Windows Update: bring OS fully current

  • Install core utilities

    • Adobe Reader

    • 7-Zip

    • Any department-specific apps

  • Verify Office activates with cloud licence

  • Confirm user profile generated under Domain Users, not Local

Wi-Fi & Network Security Notes

  • Inside perimeter → cannot use NetExtender VPN (different IP context)

  • Guest network is Internet-only; unsuitable for domain join

  • Raw security identifiers (SIDs, S-1-5-21-x…) appearing in local groups indicate orphaned/deleted domain accounts

Troubleshooting & Cleanup

  • Deleting wrong local profiles

    • System Properties → User Profiles → select → Delete

  • Removing stray accounts from Administrators group via lusrmgr.msc

  • If user mistakenly logs in locally, profile lives under C:\Users\ and must be purged before domain join
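
The local-account points in these notes (built-in Administrator disabled, Bob present, no orphaned SIDs in Administrators) can be checked in one pass on the laptop. This is an added example, not part of the original notes; the function name is made up, and it is meant to run in an elevated PowerShell session.

```powershell
# Added example: audit of local accounts on a freshly built laptop.

function Get-LocalAdminAudit {
    param([string]$ExpectedLocalAdmin = 'Bob')   # name from the local admin standard

    # The built-in Administrator always has a SID ending in -500, even if renamed
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }

    # S-1-5-32-544 is the well-known SID of the local Administrators group
    $groupName = (Get-LocalGroup -SID 'S-1-5-32-544').Name

    # ADSI is used because Get-LocalGroupMember can fail when the group
    # contains members whose SIDs no longer resolve
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    $members = foreach ($m in $group.Invoke('Members')) {
        $name = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Name     = $name
            # A member still shown as a raw SID belongs to a deleted or unreachable account
            Orphaned = $name -match '^S-1-5-21-(\d+-){3}\d+$'
        }
    }

    [pscustomobject]@{
        BuiltinAdministratorDisabled = -not $builtin.Enabled
        ExpectedLocalAdminInGroup    = @($members | ForEach-Object Name) -contains $ExpectedLocalAdmin
        AdministratorsMembers        = @($members | ForEach-Object Name)
        OrphanedSids                 = @($members | Where-Object Orphaned | ForEach-Object Name)
    }
}

Get-LocalAdminAudit | Format-List
```

Anything listed under OrphanedSids is a candidate for removal from the Administrators group via lusrmgr.msc, as described above.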

Governance & Best-Practice Reminders

  • Always follow on-prem AD first, then cloud sync

  • Document every step in Basecamp task list; tick items only after completion

  • Take measured pace—avoid “jumping the gun” to cloud tools until fundamentals done

  • Licence costs tracked against departmental budget when outside IT allocation

Outstanding / Next Actions Mentioned

  • IT trainee to repeat full build on second laptop upstairs for practice

  • Prepare personal checklist/notes for next provisioning cycle

  • Schedule follow-up review with mentor after next device build