Active Directory service policies at UD

The UD Active Directory service is offered in accordance with the following policies, which are initial policies. As such, these policies may change as needed.

Client accounts

The UDelNet ID information for all active students, faculty, and staff of units on campus is synchronized with the University's 'WIN' domain. Account information is synchronized every night. Passwords are synchronized in real time via the University's network page. Users cannot change their UDelNet ID passwords in UD Active Directory; the network page is the only place a UDelNet ID password is changed.

Unit or department accounts

An Organizational Unit Administrator (OU Admin) can create, delete, and modify non-UDelNet ID accounts within their OUs. All non-UDelNet ID accounts must follow the naming conventions outlined in these policies. OU Admins are responsible for all accounts and devices within their organizational units. Central IT handles requests and questions from OU Admins; end users should direct their requests and questions to their OU Admin, not to Central IT.

Naming Conventions

All domain-local user accounts, GPOs, group names, computer accounts, and other objects must begin with the OU Prefix and a dash (-).

  • Supplied blank GPOs will be named in this form and should be renamed retaining this format when put into use.
  • Groups and computers should adhere to this policy, e.g. for the OU "XYZ" the computers should be named XYZ-{Computername}, for example XYZ-Lab1 or XYZ-Server3.
  • Domain-local user accounts should have the prefix applied to the display name, first name, and account name, e.g. display name and first name XYZ-Marco and the account name XYZ-MarcoPolo. This ensures conflicts do not occur with LDAP accounts, e-mail addresses, or accounts in other OUs.

Sub-OUs, organizational units within your University-level OU, can be named in any format acceptable to Active Directory. OU Administrators may decide to prefix each with the OU name, but this is not required. Best practice is to have the name reflect the contents, e.g. Computers, Groups, Users.
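The following PowerShell audit is an added example for checking a unit OU against the naming convention above; it is not part of the UD policy page. It assumes the RSAT ActiveDirectory and GroupPolicy modules, and the OU prefix "XYZ" and the search-base DN are placeholders you replace with your own. Sub-OUs are deliberately not checked, since the policy exempts them; GPOs are checked via the links on the University-level OU.

```powershell
# Added example (not from the UD policy page): list objects in a unit OU that do not
# carry the "<OUPrefix>-" prefix required by the WIN naming convention.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-NamingViolations {
    param(
        [Parameter(Mandatory)][string]$OUPrefix,    # e.g. 'XYZ'
        [Parameter(Mandatory)][string]$SearchBase   # DN of the University-level OU (placeholder below)
    )
    $pattern = '^' + [regex]::Escape($OUPrefix) + '-'

    # Users, groups and computers anywhere under the OU. Sub-OUs are exempt from the prefix rule.
    # (objectClass "user" also matches computer objects; listing "computer" too is harmless.)
    $objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -Filter 'objectClass -eq "user" -or objectClass -eq "group" -or objectClass -eq "computer"' `
        -Properties sAMAccountName, displayName, givenName

    foreach ($o in $objects) {
        $problems = @()
        if ($o.Name -notmatch $pattern) { $problems += 'name' }
        if ($o.ObjectClass -eq 'user') {
            # Policy: prefix on account name, display name and first name for domain-local users.
            if ($o.sAMAccountName -notmatch $pattern)                    { $problems += 'sAMAccountName' }
            if ($o.displayName -and $o.displayName -notmatch $pattern)   { $problems += 'displayName' }
            if ($o.givenName   -and $o.givenName   -notmatch $pattern)   { $problems += 'givenName' }
        }
        if ($problems) {
            [pscustomobject]@{
                DistinguishedName = $o.DistinguishedName
                ObjectClass       = $o.ObjectClass
                Violations        = ($problems -join ',')
            }
        }
    }

    # GPOs linked to the University-level OU: gPLink holds "[LDAP://cn={GUID},...;flags]" entries.
    $ou = Get-ADOrganizationalUnit -Identity $SearchBase -Properties gPLink
    if ($ou.gPLink) {
        foreach ($m in [regex]::Matches($ou.gPLink, '\{[0-9A-Fa-f-]+\}')) {
            $gpo = Get-GPO -Guid ([guid]$m.Value) -ErrorAction SilentlyContinue
            if ($gpo -and $gpo.DisplayName -notmatch $pattern) {
                [pscustomobject]@{
                    DistinguishedName = "GPO: $($gpo.DisplayName)"
                    ObjectClass       = 'groupPolicyContainer'
                    Violations        = 'displayName'
                }
            }
        }
    }
}

# Placeholder DN; substitute your unit OU's actual distinguished name.
Get-NamingViolations -OUPrefix 'XYZ' -SearchBase 'OU=XYZ,OU=Departments,DC=win,DC=example,DC=edu' |
    Format-Table -AutoSize
```

Run it as the OU Admin before requesting central changes; anything it lists is an object that will collide with or be indistinguishable from accounts in other OUs.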

AD domain recovery

IT-NSS maintains nightly backups of the domain and domain controllers. However, due to the complexity, impact to service, and time required to make any restoration, these backups will only be used in the event of a domain-wide catastrophic failure. Each OU Admin is required to maintain records of their OUs, GPOs, groups, computers, and user accounts.

In Windows Server 2008 R2, Microsoft introduced the Active Directory Recycle Bin. This feature has been enabled on the WIN domain. Deleted items are retained for 60 days. To recover an Active Directory item within that time frame, submit a help ticket request to the IT Help Center. We need the exact name and original location (parent OU) of the item you want recovered. Your request must be specific. The following request would not be honored:

"I deleted a user from my folder called srvc-something. I can't remember, exactly."
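Before filing a ticket, an OU Admin can look up the exact name and former location of a deleted object in the Recycle Bin themselves. The following is an added example, not part of the UD policy page; the name pattern and DNs are placeholders. The restore function is included for completeness for whoever holds the rights to run it (in WIN that is the Help Center, per the policy above).

```powershell
# Added example (not from the UD policy page): find a deleted object so a recovery
# request can name it exactly, read the configured retention, and restore it.
Import-Module ActiveDirectory

function Find-DeletedADObject {
    param([Parameter(Mandatory)][string]$NamePattern)   # wildcard, e.g. 'XYZ-srvc*' (placeholder)
    # Deleted objects are renamed to "<original name>\0ADEL:<guid>", so split off the original part.
    Get-ADObject -Filter "isDeleted -eq `$true -and Name -like '$NamePattern'" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
        Select-Object @{ n = 'OriginalName';  e = { ($_.Name -split "`0")[0] } },
                      ObjectClass,
                      @{ n = 'OriginalParent'; e = { $_.lastKnownParent } },
                      whenChanged,
                      ObjectGUID
}

function Get-DeletedObjectRetentionDays {
    # msDS-DeletedObjectLifetime governs Recycle Bin retention; if unset it falls back to tombstoneLifetime.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
              -Properties 'msDS-DeletedObjectLifetime', tombstoneLifetime
    if ($ds.'msDS-DeletedObjectLifetime') { $ds.'msDS-DeletedObjectLifetime' } else { $ds.tombstoneLifetime }
}

function Restore-DeletedADObject {
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [string]$TargetPath   # only needed when the original parent OU no longer exists
    )
    if ($TargetPath) {
        Restore-ADObject -Identity $ObjectGuid -TargetPath $TargetPath
    } else {
        # Restores into lastKnownParent; fails if that OU was deleted too, in which case
        # restore the OU first or supply -TargetPath.
        Restore-ADObject -Identity $ObjectGuid
    }
}

# Usage (placeholder pattern): copy OriginalName and OriginalParent into the help ticket.
Find-DeletedADObject -NamePattern 'XYZ-srvc*' | Format-List
Get-DeletedObjectRetentionDays
```

A restored object comes back with its SID, group memberships and other attributes intact, which is the point of the Recycle Bin over recreating the account; nothing here touches the nightly backups, which the policy reserves for domain-wide failure.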

Schema updates/extensions

Schema updates and extensions are serious considerations as they cannot be reversed. Updates to the directory will first be tested in the development domain to ensure no issues or problems exist. Any adjustments to the directory will be planned accordingly. Any proposed extension to the directory will be fully reviewed and must be shown to provide improvements for the domain as a whole, or at the very least, not negatively impact the rest of the domain before installation will be considered. Thorough examination and testing must occur to ensure the stability of the domain.

Time-based group membership, which adds a user to a group for only a limited amount of time, is available. It is done with the PowerShell cmdlet Add-ADGroupMember and its -MemberTimeToLive parameter, as documented here: Add-ADGroupMember (ActiveDirectory) | Microsoft Docs. The parameter depends on the Privileged Access Management optional feature, which is available at the Windows Server 2016 forest functional level; the expired link is removed by the directory itself, with no cleanup job required.
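The following is an added example of a time-limited membership grant with verification; it is not part of the UD policy page, and the group and account names are placeholders. It first confirms that the Privileged Access Management optional feature is enabled, because without it -MemberTimeToLive is rejected.

```powershell
# Added example (not from the UD policy page): grant group membership that expires on its own.
Import-Module ActiveDirectory

# Expiring links require the Privileged Access Management optional feature (forest functional level 2016).
$pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
if (-not $pam -or -not $pam.EnabledScopes) {
    throw 'Privileged Access Management Feature is not enabled in this forest; -MemberTimeToLive cannot be used.'
}

$group = 'XYZ-LabAdmins'    # placeholder unit group
$user  = 'XYZ-MarcoPolo'    # placeholder domain-local account

# Membership that lapses after 4 hours. The KDC also caps the user's Kerberos ticket lifetime to the
# remaining TTL, so the access genuinely ends when the link expires rather than at next logon.
Add-ADGroupMember -Identity $group -Members $user -MemberTimeToLive (New-TimeSpan -Hours 4)

function Get-ExpiringMembers {
    # Lists members whose link carries a TTL. -ShowMemberTimeToLive renders such links as
    # "<TTL=<seconds>,<member DN>>"; permanent members appear as a plain DN and are skipped.
    param([Parameter(Mandatory)][string]$Identity)
    (Get-ADGroup -Identity $Identity -Properties member -ShowMemberTimeToLive).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+),(.+)>$') {
                [pscustomobject]@{
                    Member    = $Matches[2]
                    ExpiresIn = [timespan]::FromSeconds([int]$Matches[1])
                }
            }
        }
}

Get-ExpiringMembers -Identity $group | Format-Table -AutoSize
```

Because an expiring link is removed by the directory itself, there is no script to forget to run; the audit function above is what an OU Admin would use to review who currently holds temporary membership.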

Trusts with other active directory forests

Only one-way, non-transitive trusts will be permitted between the 'WIN' forest and other directory forests on campus. Whether such a trust is established is decided by the 'WIN' enterprise administrators. Note that the WIN domain operates at the Windows Server 2016 functional level; therefore, all domains in a trust relationship with it must operate at that level.

Permanent two-way trusts between the ‘WIN’ domain and other unit forests will not be established.
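The following is an added example, not part of the UD policy page, that checks the trusts a domain has against the two rules above (one-way only, non-transitive only). It also flags trusts with SID filtering quarantine turned off, which is this editor's recommendation rather than a stated WIN policy; without it an administrator of the trusted forest could inject WIN SIDs into a user's SID history.

```powershell
# Added example (not from the UD policy page): report trusts that violate the
# one-way, non-transitive rule, plus SID filtering as an extra check.
Import-Module ActiveDirectory

function Get-TrustPolicyFindings {
    # TrustAttributes bit 0x1 = TRUST_ATTRIBUTE_NON_TRANSITIVE; ForestTransitive reflects bit 0x8.
    # Intra-forest (parent/child) trusts are two-way and transitive by design, so they are excluded.
    Get-ADTrust -Filter * | Where-Object { -not $_.IntraForest } | ForEach-Object {
        $findings = @()
        if ($_.Direction -eq 'BiDirectional')      { $findings += 'two-way trust' }
        if ($_.ForestTransitive)                    { $findings += 'forest-transitive trust' }
        if (-not ($_.TrustAttributes -band 0x1))    { $findings += 'transitive (NON_TRANSITIVE bit clear)' }
        if (-not $_.SIDFilteringQuarantined)        { $findings += 'SID filtering quarantine off' }
        [pscustomobject]@{
            Trust     = $_.Name
            Direction = $_.Direction
            TrustType = $_.TrustType
            Findings  = if ($findings) { $findings -join '; ' } else { 'compliant' }
        }
    }
}

Get-TrustPolicyFindings | Format-Table -AutoSize
```

A trust that the report marks compliant is an external trust: one direction, non-transitive, SID-filtered. Anything else is what the policy says the WIN enterprise administrators will not create.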

Details

Article ID: 89
Created
Mon 7/8/19 2:45 PM
Modified
Tue 10/26/21 4:28 PM