Active Directory General Operating Policies

Overview

Active Directory control is delegated to Unit Administrators, who must: 1) use a prefix when adding objects to Active Directory, and 2) not create user accounts for students or employees. If you are not familiar with directory technology, review the "0. Active Directory Terms and Technology" page first.

Delegation of Authority

The directory is divided into folders (organizational units), one folder for each planning unit. Control of and responsibility for these folders are delegated to the individual planning units, who may operate them as they see fit, as long as they abide by the general operating policies below.

Central IT assumes responsibility for the physical equipment and the administrative overhead necessary for running the directory infrastructure, and will not make changes to the directory or apply policies that affect the operation of the delegated folders. Any non-emergency proposed change that will affect the general operation of the directory will be reviewed in advance by the Organizational Unit Administrators.

Naming Conventions

When creating certain types of objects in the directory, you must apply a prefix that corresponds to your planning unit or organization. This makes the names unique and prevents naming conflicts with other organizations. The prefix for your Org is the three- or four-letter abbreviation traditionally associated with your unit. For AD purposes, it is definitively defined in the "Active Directory Unit Administrators and Abbreviations" page.

This is required whenever you create or join any of the following types of objects:

  • Computer
  • User
  • Group
  • Policies

If you are joining the computer "room101" and you are in OIT, you must first rename it to "OIT-serial_number" (your prefix, a hyphen, then the machine's serial number), then join it. If you are creating a group or policy, you must name it in the same way, for example "OIT-SomePolicy".
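The rename-and-join step above, as an added PowerShell example (not from the policy page or from Central IT): it reads the BIOS serial number, builds the prefixed name, and joins the domain under that name in one step so the machine never appears in the directory under its old name. The prefix "OIT", the DNS domain name "ohio.edu" and the OU path are assumed placeholders; substitute your unit's values.

```powershell
# Added example, not part of the policy page. Run elevated on the machine
# being joined. Prefix, domain DNS name and OU path below are assumptions.
param(
    [string]$Prefix     = 'OIT',                                # your unit abbreviation
    [string]$DomainName = 'ohio.edu',                           # assumed; use the real AD DNS name
    [string]$OUPath     = 'OU=Computers,OU=OIT,DC=ohio,DC=edu'  # assumed delegated folder
)

function Get-UnitComputerName {
    param([string]$Prefix, [string]$Serial)
    # Keep only characters that are legal in a NetBIOS host name.
    $clean = ($Serial -replace '[^A-Za-z0-9-]', '').ToUpper()
    # Some OEM firmware ships placeholder strings instead of a serial number;
    # refuse those rather than join a machine named after them.
    if (-not $clean -or $clean -match 'TOBEFILLED|DEFAULTSTRING|SYSTEMSERIAL') {
        throw "BIOS serial number '$Serial' is unusable; set the name manually."
    }
    $name = "$Prefix-$clean"
    # NetBIOS computer names are limited to 15 characters. Truncate the serial
    # number, never the prefix, and say so, because a truncated serial number
    # may no longer be unique within the unit.
    if ($name.Length -gt 15) {
        $name = $name.Substring(0, 15)
        Write-Warning "Serial number truncated; computer name is '$name'."
    }
    return $name
}

$serial  = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
$newName = Get-UnitComputerName -Prefix $Prefix -Serial $serial

$joinArgs = @{
    DomainName = $DomainName
    OUPath     = $OUPath
    Credential = (Get-Credential -Message "Account permitted to join $DomainName")
    Restart    = $true
    Force      = $true
}
# Add-Computer can rename and join in one operation (-NewName), so the
# un-prefixed name is never registered in the domain.
if ($env:COMPUTERNAME -ne $newName) {
    Write-Host "Renaming '$($env:COMPUTERNAME)' to '$newName' and joining $DomainName."
    $joinArgs['NewName'] = $newName
} else {
    Write-Host "Name already '$newName'; joining $DomainName."
}
Add-Computer @joinArgs
```

Using -NewName on Add-Computer instead of a separate Rename-Computer avoids a window in which the machine is domain-joined under a name that violates the convention. The 15-character limit is the practical catch: a four-letter prefix plus hyphen leaves ten characters for the serial number, which some vendors exceed.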

Creation of Accounts

You may need to create 'service' accounts in AD to integrate with LDAP applications, for scripting and automation purposes, for services that run in their own user context, or for lab use where no user login is desired. This is perfectly acceptable as long as you follow these rules:

  • Use complex passwords
  • Join service accounts to the "OHIO\Service-Accounts" group
  • Do not distribute these accounts or passwords to end-users
  • Do not create additional accounts for end users

In all cases use a complex password: at least eight characters, containing characters from at least three of the following four classes (uppercase letters, lowercase letters, numbers, symbols). We audit accounts nightly; trivial credentials such as the username "test" with the password "test", or the equivalent, will trigger an alert.

Join any account you create to the Service-Accounts group. This is a top-level group that helps us identify service accounts so that during audits we treat them with greater care.

Do not give end users the credentials to your service accounts. This prevents the accounts from being put to creative uses, keeps you in compliance with OHIO's attributable access policies, and ensures we always know who is using a given account.

Do not create additional accounts for users. Duplicate accounts make it difficult to control access administratively and to change access when needed.
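The service-account rules above (prefixed name, complex password, membership in Service-Accounts), as an added PowerShell example that is not from the policy page: it checks the 3-of-4 complexity rule, generates a password that satisfies it, creates the account in the unit's folder and adds it to the group. It needs the ActiveDirectory module from RSAT. The account name "OIT-svc-backup" and the OU path are assumed placeholders; the group name "Service-Accounts" is the one the policy names.

```powershell
# Added example, not part of the policy page. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

function Test-PasswordComplexity {
    # Implements the policy rule: minimum 8 characters, 3 of 4 classes.
    param([Parameter(Mandatory)][string]$Password)
    if ($Password.Length -lt 8) { return $false }
    # -cmatch is case-sensitive; plain -match would count 'a' as uppercase.
    $classes = @(
        ($Password -cmatch '[A-Z]'),
        ($Password -cmatch '[a-z]'),
        ($Password -cmatch '[0-9]'),
        ($Password -cmatch '[^A-Za-z0-9]')
    )
    return (@($classes | Where-Object { $_ }).Count -ge 3)
}

function New-ComplexPassword {
    # Cryptographically random password drawn from all four classes, re-drawn
    # until it passes the policy check (a 24-character draw almost always does).
    param([int]$Length = 24)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until (Test-PasswordComplexity $candidate)
    return $candidate
}

$Prefix      = 'OIT'
$AccountName = "$Prefix-svc-backup"                          # assumed example name
$OUPath      = 'OU=ServiceAccounts,OU=OIT,DC=ohio,DC=edu'    # assumed delegated folder
$GroupName   = 'Service-Accounts'                            # group named in the policy

# Enforce the naming convention and the 20-character sAMAccountName limit
# before touching the directory.
if ($AccountName -cnotmatch "^$Prefix-") { throw "Name must start with '$Prefix-'." }
if ($AccountName.Length -gt 20)          { throw "sAMAccountName exceeds 20 characters." }

$plain  = New-ComplexPassword
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $OUPath `
           -AccountPassword $secure -Enabled $true `
           -Description "Service account: nightly backup job (owner: $Prefix)"

Add-ADGroupMember -Identity $GroupName -Members $AccountName

# Verify the membership the nightly audit relies on, then hand the password to
# the service's own credential store; it is never shown or given to end users.
$inGroup = Get-ADPrincipalGroupMembership $AccountName |
           Where-Object { $_.Name -eq $GroupName }
if (-not $inGroup) { throw "$AccountName is not in $GroupName; fix before use." }
Write-Host "Created $AccountName in $OUPath and added it to $GroupName."
```

The description field is worth filling in: it is what an auditor reads when deciding whether an account in Service-Accounts still has an owner. The script deliberately never prints the generated password; it should go straight into whatever secret store the service uses.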
