Georgia Tech Active Directory Policy

Policy No: None
Rev 1.1
Last Revised: April 18, 2005
Effective Date: 02/27/2004
Last Review Date: April 2005
Next Review Date: April 2006
Status: Draft / Under Review / Approved / Obsolete

The following are responsible for the accuracy of the information contained in this document:

Responsible University Officers: Campus Platform and OS Technology Manager
Responsible Coordinating Office: Office of Information Technology (OIT) - Information Technology Services

1. Executive Summary

The purpose of this policy is to provide requirements and specific recommendations for the successful operation of the Georgia Tech Active Directory.

2. Scope

This policy applies to all computer support personnel participating in Georgia Tech's Active Directory. It covers the design and naming conventions for GTAD, the responsibilities of computer support personnel, and compliance guidelines.

3. Statement of Policy

3.1 General

3.1.1 AD Forest

The AD.GATECH.EDU domain will house all Windows user accounts for the Institute. Additionally, all centrally maintained accounts will be mapped to their respective GT Kerberos principals. AD user accounts are tied directly to the account and password policies enforced by Kerberos.

Organizational Units (OUs) will be created for departments participating in AD, and their employees' accounts will be migrated into them. OU administrators will be delegated full control over any child objects created within their OUs.

Domains are created in cases where OUs are not a feasible solution or for departments wishing to provide enterprise services (Exchange, SMS, etc.). Child domains should not house any accounts or objects maintained by OIT. Child domain administrators have full control over all objects within their domain.

AD.GATECH.EDU will be monitored by OIT administrators on a 24x7 basis. AD hardware and software are maintained by certified Windows administrators.
3.1.2 Forest Schema & Data Visibility

The schema is the definition of all object classes and their attributes contained within Active Directory. The schema may be dynamically extended with the approval of the AD steering committee and acknowledgment by the AD working group. Any proposed schema modification will be evaluated for potential conflicts: data ownership, privacy, security, etc. Once the steering committee has approved changes to the schema, the working group will be notified via mailing list. Schema testing in a staged environment will occur before and during the request for modifications. Changes will only be implemented after two weeks of successful testing with no major issues identified.

The data populated in AD reflects a view of Banner and PeopleSoft data in the GT data warehouse. The data warehouse is updated by PeopleSoft and Banner on a 2-hour and 4-hour refresh cycle, respectively. New accounts are updated nightly. Data update requests should be directed to OHR by emailing directory.updates@ohr.gatech.edu.

3.1.3 Account Synchronization

AD.GATECH.EDU will be regularly populated by a directory synchronization process: a tool extracts data from the GT data warehouse and populates the objects in AD. The GT data warehouse has direct feeds from the PeopleSoft, Banner and Mage (Magic) databases, which provide the public employee and student information found in AD. Accounts will be automatically disabled when employees or students become inactive.

3.1.4 Account Creation & Password

Accounts within AD.GATECH.EDU are maintained centrally through an automated account management system. When a person becomes affiliated with Georgia Tech and is entered in the Banner, PeopleSoft and/or Mage (Magic) databases, an account will be automatically created for them in Active Directory. Similarly, when a person is no longer affiliated with the Institute, their accounts will be disabled in Active Directory once the appropriate paperwork is filed with OHR or SIS. Centrally maintained accounts follow the current xx123 naming standard. In the near future, the naming standard may be modified to FLastname123 or some close derivative thereof.
Only centralized AD accounts are allowed to use the Institute's naming standard (i.e. Windows departmental accounts should follow the recommended OU naming convention for AD defined below). In cases where departmental accounts must be created (visitors, guests, transient professors, etc.), OUADMINs are empowered to create accounts in their respective OUs. It is very important that departmental accounts follow the OUNAME-username GTAD naming standard. Admins are also required to maintain tight control of unit-level accounts and ensure that those accounts are expired when the user becomes inactive. When departmental accounts are created, OUADMINs are fully responsible for those accounts and must ensure that the accounts are used in compliance with the Institute's usage policy (http://security.gatech.edu/policy/usage/).

All centrally created accounts have password policies that are enforced by the GT Kerberos service. Additionally, those accounts have randomized AD passwords that are 17 characters in length and contain a mix of complex elements. Departmental accounts created in AD will not have associated Kerberos passwords and will automatically adhere to the AD.GATECH.EDU domain password policy.

The password policy for unit-level accounts in AD is the following:

- Passwords expire after 90 days.
- Passwords must be at least seven (7) characters in length.
- Passwords must not be the same as your 3 most recently used passwords.
- Passwords must contain at least 3 of the following 4 elements: UPPERCASE letters (A-Z), lowercase letters (a-z), numerals (0-9), and special characters (!@#$%^&*()_+).

3.1.5 Forest Security
The resources within AD.GATECH.EDU are only accessible by domain members who have been specifically granted access to the resource by their administrators. By default, all enabled domain members have user access to resources when initially created. Administrators are encouraged to apply the appropriate ACLs and group permissions to objects they wish to secure from other users in AD. All domain controllers and servers maintained by OIT are routinely monitored for security vulnerabilities, and critical patches are immediately applied. OIT requires that all OU and domain AD administrators routinely evaluate their systems (both workstations and servers) for vulnerabilities and patch them in a timely fashion.

3.1.6 AD DNS

AD DNS services are centrally maintained by OIT. All computers participating in Active Directory should use the AD DNS servers 130.207.165.170 and 130.207.165.171 as their primary DNS servers. As secondary or tertiary servers, the campus BIND servers 130.207.244.251 and 130.207.244.244 may be used. Domains providing their own DNS services will have their zones delegated to them.

3.1.7 Site - GTAD

The forest currently spans a single site. Any requests for changing the site configuration will be brought before the AD steering committee.

3.1.8 Support for Domain/OU Admins

Several resources will be available to administrators for problem resolution. Administrators are required to attend a GT Active Directory course provided by OIT. Administrators will be provided a mailing list which will be monitored by Enterprise Administrators and responded to by a member of the ITS Campus Platform & OS Technology Support Team. Additionally, Remedy has been modified to handle GTAD-specific issues, such as login issues using a kerberized account or being unable to locate a user account in AD. Employees and students should continue to use their local CSR or the OIT helpdesk for desktop support.
3.1.9 Exchange (Foundation & GAL)

The root Exchange service only provides a means for departments to utilize and administer their own Exchange environments. OIT continues to provide the global address list for the entire forest, but does not participate in the administration of Exchange for departments.

3.1.10 AD Communication

Most communication will occur via the appropriate mailing list.

3.1.11 Root Backup & Disaster Recovery Solution

AD is currently on a nightly backup schedule.

3.1.12 OU Design & Delegation

Top-level OUs will be automatically created for each department when they join AD. Administration will be delegated to an administrative security group which will hold access controls for administrators of the department identified by appropriate management. OU administrators have the ability to create child objects within their OUs. It is required that everyone adheres to the naming standard described below when creating objects within AD.

3.1.13 Software License Compliance

It is the responsibility of the department to ensure that all of their desktops and servers are properly licensed. Although some CALs may be offered by OIT for specific MS products, administrators are strongly encouraged to stay abreast of all licensing needs within their environments.

3.2 Domain Administrator Responsibilities

- Support staff are required to have working knowledge of Active Directory.
- Maintain a well-documented infrastructure diagram of their respective environments, including descriptions of all services provided by servers participating in AD.
- Maintain only the recommended list of services on the DCs (KDC, LDAP, DNS) and nothing more.
- Abide by Forest naming standards set forth by the steering committee.
- Maintain the appropriate level of security and patch revisions on their domain controllers as specified by the ITS Campus Platform & OS Technology Support Team.
- Keep current with proposed changes to the Forest that are communicated by the ITS Campus Platform & OS Technology Support Team and other domain administrators.
- Manage and maintain all local services, account creation and OU structures.
- Keep a current contact list available for the ITS Campus Platform & OS Technology Support Team.
- Maintain internal change management procedures.
- Keep highly available DCs, notifying the ITS Campus Platform & OS Technology Support Team when a server may become unavailable.
- Must have a minimum of two (2) DCs.
- DCs must be physically secured.
- DCs should have a current hardware agreement with the vendor.
- Adhere to a secure account management process (disable/delete old accounts; automate the process if applicable).
- Must be on-call to resolve issues with your DCs after normal business hours.
- Must have onsite support to resolve issues within your domain during business hours.
- Must have a disaster recovery and backup/recovery solution for your DCs.
- Must participate in schema update discussions and decisions.
- Contact OIT AD administrators when making DC updates or changes.
- Coordinate with other domain administrators for unscheduled outages or major upgrades.
- Must coordinate any maintenance that may affect the Forest (i.e. replication, adding services to the DCs, etc.).
- Utilize DC diagnostic tools such as DCDIAG.
- Implement department domain naming standards.
- Perform authoritative restores for AD objects in their domain.
- Work closely with the Enterprise Administrators of the ITS Campus Platform & OS Technology Support Team.
- Follow all OU administrator responsibilities below.

3.3 Organizational Unit Administrator Responsibilities

- Work closely with the ITS Campus Platform & OS Technology Support Team.
- Adhere to the GTAD naming standards.
- Provide their own local desktop, application and internal services support.
- Administer the writable attributes of the accounts within their OU.
- Add, delete and maintain objects within their OU.
- Add, delete, maintain and troubleshoot GPOs.
- Delegate administrative functions to authorized accounts and ensure policy compliance.
- Maintain proper security groups and authorization policies.
- Publish resources in AD if applicable.
- Windows Client CALs (currently under site license, see: https://software.oit.gatech.edu/request.php?package=mscal).
- Server licensing is required to be current.
- Member server OS and hardware maintenance.
- Keep workstations and member servers within their OUs secure.
- Service packs and hotfixes should be kept up to date where applicable. Servers should never be more than 1 service pack behind the current one (except where required for business need).
- Monitor member servers regularly.
- Back up member servers and test the restore procedure.

3.4 Naming Conventions

3.4.1 Purpose

Provide a naming convention for all units within Georgia Tech's Active Directory that uniquely identifies workstations, servers, users, groups, OUs, GPOs and distribution lists in the NetBIOS, DNS, and LDAP namespaces. GTAD currently has well over 40,000 objects that provide information and act as resources for many departments. The only possible way to ensure AD can be used effectively is to enforce naming standards. Aside from avoiding name collisions, naming standards allow users and administrators to efficiently search through thousands of objects and locate their resources and data.

3.4.2 User Account Names

AD user objects have account names and distinguished names that identify them within Active Directory. Most user accounts within the forest will be centrally managed and will have unique names. The user account name shall be identical to the GT Kerberos ID already assigned to the person.
For users that are not in PeopleSoft or Banner, an AD account must be created by the local administrator. The account must be named using the following convention:

(GT OU Name)-username

EXAMPLE: EIS-joebloe

3.4.3 Computer Names

AD computer objects may have names that are longer than the character limitations imposed by down-level OS versions. It is recommended that when naming a computer object in a down-level or AD OS environment you follow the guidelines below.

xxxx-computername

computername = the convention used by the department

EXAMPLE: EIS-wks01.ad.gatech.edu

3.4.4 Printer Names

AD printer objects may have names that are longer than the character limitations imposed by down-level OS versions. It is recommended that when naming a printer object in a down-level or AD OS environment you follow the guidelines below.

xxxx-printername

printername = the convention used by the department (we recommend it identifies location and printer type)

EXAMPLE: EIS-811HPCOLOR.ad.gatech.edu

3.4.5 Groups

Active Directory has two basic group types: security groups and distribution groups. Each of these group types has sub-categories that define its scope as domain local, global or universal. Follow the guidelines below when creating groups:

xxxx-name

name = the name that identifies the purpose of the group

3.4.6 Group Policy Objects

When naming Active Directory GPOs, please use the following guidelines:

xxxx-name

name = the name that identifies the purpose of the policy

Note: Pre-Windows 2000 operating systems using NetBIOS are restricted to a 15-character maximum account name length.

3.5 Compliance

It is the responsibility of each AD administrator to maintain their AD environment as per the above specifications and guidelines. Department heads will be notified of repeated violations by an AD administrator, and the impact on the entire campus AD infrastructure will be explained to them. In cases of gross negligence or refusal to adhere to the agreed policy, OIT will recommend to the AD Steering Committee that the department be immediately removed from the Forest.
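The departmental-account rules above (the unit-level password policy in 3.1.4, the OUNAME-username standard in 3.4.2 and the 15-character NetBIOS note in 3.4.6) expressed as an audit helper an OU administrator could run over exported account data. This is added example code, not part of the policy or any OIT tool; the letters-and-digits-only pattern for OU names and usernames, the SHA-256 digests used for password history, and the ISO date strings are assumptions.

```python
import hashlib
import re
from datetime import date, timedelta

# Values taken from the policy text (sections 3.1.4 and 3.4.6).
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 7
PASSWORD_HISTORY = 3
SPECIAL_CHARS = "!@#$%^&*()_+"
NETBIOS_NAME_LIMIT = 15
# Assumption (not stated in the policy): OU name and username are letters/digits only.
ACCOUNT_NAME_RE = re.compile(r"^(?P<ou>[A-Za-z0-9]+)-(?P<user>[A-Za-z0-9]+)$")

def check_account_name(name, ou):
    """Findings for a departmental account name against the OUNAME-username standard."""
    m = ACCOUNT_NAME_RE.match(name)
    if not m:
        return [f"{name!r} is not in OUNAME-username form"]
    findings = []
    if m.group("ou").upper() != ou.upper():
        findings.append(f"{name!r} does not start with OU name {ou!r}")
    if len(name) > NETBIOS_NAME_LIMIT:
        findings.append(f"{name!r} exceeds the {NETBIOS_NAME_LIMIT}-character NetBIOS limit")
    return findings

def password_digest(password):
    """Keep history as digests so previous passwords are never stored in clear text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def check_password(password, history_digests, last_set_iso, today_iso):
    """Findings for a unit-level account password against the AD.GATECH.EDU policy."""
    findings = []
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes = (
        any("A" <= c <= "Z" for c in password),
        any("a" <= c <= "z" for c in password),
        any("0" <= c <= "9" for c in password),
        any(c in SPECIAL_CHARS for c in password),
    )
    if sum(classes) < 3:
        findings.append("contains fewer than 3 of the 4 required character classes")
    # Only the 3 most recent digests count, exactly as the policy states.
    if password_digest(password) in history_digests[-PASSWORD_HISTORY:]:
        findings.append(f"matches one of the {PASSWORD_HISTORY} most recent passwords")
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_set_iso)
    if age > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        findings.append(f"set more than {MAX_PASSWORD_AGE_DAYS} days ago; must be changed")
    return findings
```

An empty list means the account or password is compliant; each string is one specific violation to report back to the OUADMIN.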