Georgia Tech Active Directory Policy




Policy No: None
Rev 1.1
Last Revised: April 18, 2005
Effective Date: 02/27/2004
Last Review Date: April 2005
Next Review Date: April 2006
Status: Draft / Under Review / Approved / Obsolete

The following are responsible for the accuracy of the information contained in this document:
Responsible University Officers: Campus Platform and OS Technology Manager
Responsible Coordinating Office: Office of Information Technology (OIT) - Information Technology Services

1. Executive Summary
The purpose of this policy is to provide requirements and specific recommendations for the successful operation of the Georgia Tech Active Directory.

2. Scope
This policy applies to all computer support personnel participating in Georgia Tech's Active Directory. It covers the design and naming conventions for GTAD, the responsibilities of computer support personnel, and compliance guidelines.

3. Statement of Policy

3.1 General

3.1.1 AD Forest
The AD.GATECH.EDU domain will house all Windows user accounts for the Institute. Additionally, all centrally maintained accounts will be mapped to their respective GT Kerberos principals. AD user accounts are tied directly to the account and password policies enforced by Kerberos. Organizational Units (OUs) will be created for departments participating in AD, and their employees' accounts will be migrated into them. OU administrators will be delegated full control over any child objects created within their OUs. Domains are created in cases where OUs are not a feasible solution or for departments wishing to provide enterprise services (Exchange, SMS, etc.). Child domains should not house any accounts or objects maintained by OIT. Child domain administrators have full control over all objects within their domain. AD.GATECH.EDU will be monitored by OIT administrators on a 24x7 basis. AD hardware and software are maintained by certified Windows administrators.
3.1.2 Forest Schema & Data Visibility
The schema is the definition of all object classes and their attributes contained within Active Directory. The schema may be dynamically extended through the approval of the AD steering committee and acknowledgment by the AD working group. Any proposed schema modification will be evaluated for potential conflicts (data ownership, privacy, security, etc.). Once the steering committee has approved changes to the schema, the working group will be notified via mailing list. Schema testing in a staged environment will occur before and during the request for modifications. Changes will only be implemented after two weeks of successful testing with no major issues identified. The data populated in AD reflects a view of Banner and PeopleSoft data in the GT data warehouse. The data warehouse is updated by PeopleSoft and Banner on a 2-hour and 4-hour refresh cycle, respectively. New accounts are updated nightly. Data update requests should be directed to OHR by emailing directory.updates@ohr.gatech.edu.

3.1.3 Account Synchronization
AD.GATECH.EDU will be regularly populated by a directory synchronization process: a tool extracts data from the GT data warehouse and populates the objects in AD. The GT data warehouse has direct feeds from the PeopleSoft, Banner and Mage (Magic) databases, which provide the public employee and student information found in AD. Accounts will be automatically disabled when employees or students become inactive.

3.1.4 Account Creation & Password
Accounts within AD.GATECH.EDU are maintained centrally through an automated account management system. When a person becomes affiliated with Georgia Tech and is entered in the Banner, PeopleSoft and/or Mage (Magic) databases, an account will be automatically created for them in Active Directory. Similarly, when a person is no longer affiliated with the Institute, their accounts will be disabled within Active Directory when the appropriate paperwork is filed with OHR or SIS. Centrally maintained accounts follow the current xx123 naming standard. In the near future, the naming standard may be modified to represent FLastname123 or some close derivative thereof.
Only centralized AD accounts are allowed to use the Institute's naming standard; Windows departmental accounts should follow the recommended OU naming convention for AD defined below. Where departmental accounts must be created (visitors, guests, transient professors, etc.), OUADMINs are empowered to create accounts in their respective OUs. It is very important that departmental accounts follow the OUNAME-username GTAD naming standard. Administrators are also required to maintain tight control of unit-level accounts and to ensure that those accounts are expired when the user becomes inactive. When departmental accounts are created, OUADMINs are fully responsible for those accounts and must ensure that they are used in compliance with the Institute's usage policy (http://security.gatech.edu/policy/usage/).

All centrally created accounts have password policies that are enforced by the GT Kerberos service. Additionally, those accounts have randomized AD passwords that are 17 characters in length and contain a mix of complex elements. Departmental accounts created in AD will not have associated Kerberos passwords and will automatically adhere to the AD.GATECH.EDU domain password policy. The password policy for unit-level accounts in AD is the following:
- Passwords expire after 90 days;
- Must be at least seven (7) characters in length;
- Must not be the same as your 3 most recently used passwords; and
- Must contain at least 3 of the following 4 elements: UPPERCASE letters (A-Z), lowercase letters (a-z), numerals (0-9), and special characters (!@#$%^&*()_+).
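To make the unit-level rules of 3.1.4 concrete, the following Python checker is an added illustration and not OIT's code; in the real forest these rules are enforced by the domain password policy, and this script only mirrors the four stated rules so an OU administrator can see which rule a candidate password would fail. The sample passwords and dates in it are constructed.

```python
"""Mirror of the AD.GATECH.EDU unit-level password policy (section 3.1.4).

Added illustration, not OIT's tool: the domain itself enforces these
rules through its password policy settings.
"""
from __future__ import annotations

from datetime import date

# Character classes exactly as listed in the policy text.
UPPER = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = set("abcdefghijklmnopqrstuvwxyz")
DIGITS = set("0123456789")
SPECIAL = set("!@#$%^&*()_+")

MIN_LENGTH = 7        # at least seven characters
MIN_CLASSES = 3       # at least 3 of the 4 classes
HISTORY_DEPTH = 3     # not one of the 3 most recently used passwords
MAX_AGE_DAYS = 90     # passwords expire after 90 days


def character_classes(password: str) -> int:
    """Count how many of the four policy character classes the password uses."""
    return sum(1 for cls in (UPPER, LOWER, DIGITS, SPECIAL)
               if any(ch in cls for ch in password))


def check_password(candidate: str, history: list[str]) -> list[str]:
    """Return the policy rules the candidate violates (empty list means it passes).

    `history` holds the account's previous passwords, most recent first.
    A real directory keeps only hashes; plaintext is used here purely for
    illustration with constructed values.
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} of the 4 character classes")
    if candidate in history[:HISTORY_DEPTH]:
        failures.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return failures


def password_expired(last_set_iso: str, today_iso: str) -> bool:
    """True once the password is older than the 90-day maximum age.

    Dates are ISO strings (YYYY-MM-DD) so the check is easy to script.
    """
    last_set = date.fromisoformat(last_set_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_set).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed examples: one compliant password, three that each fail one rule.
    previous = ["Winter05!", "Autumn04!", "Summer04!"]   # constructed history
    for pw in ("Tr0ub4dor!", "Ab1!", "password1", "Winter05!"):
        result = check_password(pw, previous)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
    print("expired after 91 days:", password_expired("2005-01-01", "2005-04-02"))
```

The history comparison is deliberately an exact match, as the policy text says "the same as"; Windows keeps password history as hashes and compares them the same way, so a one-character change to an old password is not caught by this rule.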

3.1.5 Forest Security
The resources within AD.GATECH.EDU are only accessible by domain members who have been specifically granted access to the resource by their administrators. By default, all enabled domain members have user access to resources when initially created. Administrators are encouraged to apply the appropriate ACLs and group permissions to objects they wish to secure from other users in AD. All domain controllers and servers maintained by OIT are routinely monitored for security vulnerabilities, and critical patches are immediately applied. OIT requires that all OU and domain AD administrators routinely evaluate their systems (both workstations and servers) for vulnerabilities and patch them in a timely fashion.

3.1.6 AD DNS
AD DNS services are centrally maintained by OIT. All computers participating in Active Directory should use the AD DNS servers 130.207.165.170 and 130.207.165.171 as their primary DNS servers. As secondary or tertiary servers, the campus BIND servers may be used: 130.207.244.251 and 130.207.244.244. Domains providing their own DNS services will have their zones delegated to them.

3.1.7 Site - GTAD
The forest currently spans a single site. Any requests for changing the site configuration will be brought before the AD steering committee.

3.1.8 Support for Domain/OU Admins
Several resources will be available to administrators for problem resolution. Administrators are required to attend a GT Active Directory course provided by OIT. Administrators will be provided a mailing list, which will be monitored by Enterprise Administrators and responded to by a member of the ITS Campus Platform & OS Technology Support Team. Additionally, Remedy has been modified to handle GTAD-specific issues such as login problems with a Kerberized account or being unable to locate a user account in AD. Employees and students should continue to use their local CSR or the OIT helpdesk for desktop support.
3.1.9 Exchange (Foundation & GAL)
The root Exchange service only provides a means for departments to utilize and administer their own Exchange environments. OIT continues to provide the global address list for the entire forest, but does not participate in the administration of Exchange for departments.

3.1.10 AD Communication
Most communication will occur via the appropriate mailing list.

3.1.11 Root Backup & Disaster Recovery Solution
AD is currently on a nightly backup schedule.

3.1.12 OU Design & Delegation
Top-level OUs will be automatically created for each department when they join AD. Administration will be delegated to an administrative security group, which will hold access controls for administrators of the department identified by appropriate management. OU administrators have the ability to create child objects within their OUs. Everyone is required to adhere to the naming standard described below when creating objects within AD.

3.1.13 Software License Compliance
It is the responsibility of the department to ensure that all of their desktops and servers are properly licensed. Although some CALs may be offered by OIT for specific MS products, administrators are strongly encouraged to stay abreast of all licensing needs within their environments.

3.2 Domain Administrator Responsibilities
- Support staff are required to have working knowledge of Active Directory.
- Maintain a well-documented infrastructure diagram of their respective environments, including descriptions of all services provided by servers participating in AD.
- Maintain only the recommended list of services on the DCs (KDC, LDAP, DNS), nothing more.
- Abide by Forest naming standards set forth by the steering committee.
- Maintain the appropriate level of security and patch revisions on their domain controllers as specified by the ITS Campus Platform & OS Technology Support Team.
- Keep current with proposed changes to the Forest that are communicated by the ITS Campus Platform & OS Technology Support Team and other domain administrators.
- Manage and maintain all local services, account creation and OU structures.
- Keep a current contact list available for the ITS Campus Platform & OS Technology Support Team.
- Maintain internal change management procedures.
- Keep highly available DCs, notifying the ITS Campus Platform & OS Technology Support Team when a server may become unavailable.
- Must have a minimum of two (2) DCs.
- DCs must be physically secured.
- DCs should have a current hardware agreement with the vendor.
- Adhere to a secure account management process (disable/delete old accounts; automate the process if applicable).
- Must be on call to resolve issues with your DCs after normal business hours.
- Must have onsite support to resolve issues within your domain during business hours.
- Must have a disaster recovery and backup/recovery solution for your DCs.
- Must participate in schema update discussions and decisions.
- Contact OIT AD administrators when making DC updates or changes.
- Coordinate with other domain administrators for unscheduled outages or major upgrades.
- Must coordinate any maintenance that may affect the Forest (i.e. replication, adding services to the DCs, etc.).
- Utilize DC diagnostic tools such as DCDIAG.
- Implement department domain naming standards.
- Perform authoritative restores for AD objects in their domain.
- Work closely with the Enterprise Administrators of the ITS Campus Platform & OS Technology Support Team.
- Follow all OU administrator responsibilities below.

3.3 Organizational Unit Administrator Responsibilities
- Work closely with the ITS Campus Platform & OS Technology Support Team.
- Adhere to the GTAD naming standards.
- Provide their own local desktop, application and internal services support.
- Administer the writable attributes of the accounts within their OU.
- Add, delete and maintain objects within their OU.
- Add, delete, maintain and troubleshoot GPOs.
- Delegate administrative functions to authorized accounts and ensure policy compliance.
- Maintain proper security groups and authorization policies.
- Publish resources in AD, if applicable.
- Windows Client CALs (currently under site license; see https://software.oit.gatech.edu/request.php?package=mscal).
- Server licensing is required to be current.
- Member server OS and hardware maintenance.
- Keep workstations and member servers within their OUs secure.
- Service packs and hotfixes should be kept up to date where applicable.
- Servers should never be more than 1 service pack behind the current one (except where required for business need).
- Monitor member servers regularly.
- Back up member servers and test the restore procedure.

3.4 Naming Conventions

3.4.1 Purpose
Provide a naming convention for all units within Georgia Tech's Active Directory that uniquely identifies workstations, servers, users, groups, OUs, GPOs and distribution lists in the NetBIOS, DNS and LDAP namespaces. GTAD currently has well over 40,000 objects that provide information and act as resources to many departments. The only practical way to ensure AD can be used effectively is to enforce naming standards. Aside from avoiding name collisions, naming standards allow users and administrators to efficiently search through thousands of objects and locate their resources and data.

3.4.2 User Account Names
AD user objects have account names and distinguished names that identify them within Active Directory. Most user accounts within the forest will be centrally managed and will have unique names. The user account name shall be identical to the GT Kerberos ID already assigned to the person.
For users that are not in PeopleSoft or Banner, an AD account must be created by the local administrator. The account must be named using the following convention:
(GT OU Name)-username
EXAMPLE: EIS-joebloe

3.4.3 Computer Names
AD computer objects may have names that are longer than the previous character limitations imposed by down-level OS versions. It is recommended that when naming a computer object in a down-level or AD OS environment you follow the guidelines below.
xxxx-computername
computername = the convention used by the department
EXAMPLE: EIS-wks01.ad.gatech.edu

3.4.4 Printer Names
AD printer objects may have names that are longer than the previous character limitations imposed by down-level OS versions. It is recommended that when naming a printer object in a down-level or AD OS environment you follow the guidelines below.
xxxx-printername
printername = the convention used by the department (we recommend that it identifies location and printer type)
EXAMPLE: EIS-811HPCOLOR.ad.gatech.edu

3.4.5 Groups
Active Directory has two basic group types, security and distribution groups. Each type has sub-categories that define its scope as domain local, global or universal. Follow the guidelines below when creating groups:
xxxx-name
name = the name that identifies the purpose of the group

3.4.6 Group Policy Objects
When naming Active Directory GPOs, please use the following guidelines:
xxxx-name
name = the name that identifies the purpose of the policy

Note: Pre-Windows 2000 operating systems using NetBIOS are restricted to a 15-character maximum account name length.

3.5 Compliance
It is the responsibility of each AD administrator to maintain their AD environment as per the above specifications and guidelines. Department heads will be notified upon repeated violations by an AD administrator, and the impact on the entire campus AD infrastructure will be explained to them. In cases of gross negligence or refusal to adhere to the agreed policy, OIT will recommend to the AD Steering Committee that the department be immediately removed from the Forest.
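The naming rules of section 3.4 (and the OUNAME-username rule for departmental accounts in 3.1.4) are mechanical enough to audit with a script. The Python validator below is an added example, not an OIT tool. It assumes things the policy leaves open: the set of valid OU prefixes is supplied by the caller, centrally managed accounts are taken to be lowercase letters followed by digits (the xx123 form), and host names may carry the forest DNS suffix ad.gatech.edu seen in the examples. The 15-character limit comes from the pre-Windows 2000 NetBIOS note. The sample objects it audits are constructed.

```python
"""Validator for the GTAD naming conventions (sections 3.1.4 and 3.4).

Added illustration, not OIT's code. Assumptions not stated on the page:
the OU prefix set is supplied by the caller, central accounts match
lowercase letters + digits (xx123), and the forest DNS suffix is
ad.gatech.edu as in the policy's examples.
"""
from __future__ import annotations

import re

FOREST_DNS_SUFFIX = "ad.gatech.edu"      # from the EXAMPLE lines in 3.4.3/3.4.4
NETBIOS_MAX = 15                         # pre-Windows 2000 limit (note in 3.4.6)
CENTRAL_ACCOUNT_RE = re.compile(r"^[a-z]+[0-9]+$")            # assumed xx123 shape
PREFIXED_NAME_RE = re.compile(r"^(?P<ou>[A-Za-z0-9]+)-(?P<name>[A-Za-z0-9_]+)$")


def split_ou_prefix(name: str, ou_prefixes: set[str]) -> tuple[str, str] | None:
    """Split 'EIS-wks01' into ('EIS', 'wks01') when the prefix is a known OU."""
    m = PREFIXED_NAME_RE.match(name)
    if not m or m.group("ou").upper() not in {p.upper() for p in ou_prefixes}:
        return None
    return m.group("ou"), m.group("name")


def check_user_name(sam: str, ou_prefixes: set[str], central: bool) -> list[str]:
    """3.4.2: central accounts keep their GT Kerberos ID; departmental
    accounts must be OUNAME-username and must not imitate the central form."""
    problems = []
    if central:
        if not CENTRAL_ACCOUNT_RE.match(sam):
            problems.append("central account does not follow the xx123 form")
        return problems
    if CENTRAL_ACCOUNT_RE.match(sam):
        problems.append("departmental account uses the Institute's naming standard")
    if split_ou_prefix(sam, ou_prefixes) is None:
        problems.append("departmental account is not OUNAME-username with a known OU")
    if len(sam) > NETBIOS_MAX:
        problems.append(f"longer than {NETBIOS_MAX} characters (pre-Windows 2000 limit)")
    return problems


def check_host_name(fqdn: str, ou_prefixes: set[str]) -> list[str]:
    """3.4.3/3.4.4: xxxx-computername / xxxx-printername, optionally with
    the forest DNS suffix; the NetBIOS part must fit in 15 characters."""
    problems = []
    host, _, suffix = fqdn.lower().partition(".")
    if suffix and suffix != FOREST_DNS_SUFFIX:
        problems.append("DNS suffix is not the forest suffix")
    if split_ou_prefix(host, ou_prefixes) is None:
        problems.append("host name is not xxxx-name with a known OU prefix")
    if len(host) > NETBIOS_MAX:
        problems.append(f"NetBIOS name longer than {NETBIOS_MAX} characters")
    return problems


def audit(objects: list[dict], ou_prefixes: set[str]) -> dict[str, list[str]]:
    """Return {name: problems} for every non-compliant object in the list.

    Each object is a dict with 'kind' (user, computer, printer, group, gpo),
    'name', and for users an optional 'central' flag.
    """
    report = {}
    for obj in objects:
        kind, name = obj["kind"], obj["name"]
        if kind == "user":
            problems = check_user_name(name, ou_prefixes, obj.get("central", False))
        elif kind in ("computer", "printer"):
            problems = check_host_name(name, ou_prefixes)
        else:  # groups and GPOs: xxxx-name (3.4.5, 3.4.6)
            problems = ([] if split_ou_prefix(name, ou_prefixes)
                        else ["name is not xxxx-name with a known OU prefix"])
        if problems:
            report[name] = problems
    return report


# Constructed sample objects; "EIS" is the OU used in the policy's own examples.
SAMPLE_OUS = {"EIS"}
SAMPLE_OBJECTS = [
    {"kind": "user", "name": "jbloe3", "central": True},
    {"kind": "user", "name": "EIS-joebloe"},
    {"kind": "user", "name": "guest01"},                       # departmental, wrong form
    {"kind": "computer", "name": "EIS-wks01.ad.gatech.edu"},
    {"kind": "printer", "name": "EIS-811HPCOLOR.ad.gatech.edu"},
    {"kind": "group", "name": "EIS-Helpdesk"},
    {"kind": "gpo", "name": "Default Desktop Lockdown"},        # no OU prefix
]


def audit_sample() -> dict[str, list[str]]:
    """Run the audit over the constructed sample set."""
    return audit(SAMPLE_OBJECTS, SAMPLE_OUS)


if __name__ == "__main__":
    for name, problems in audit_sample().items():
        print(f"{name}: {'; '.join(problems)}")
```

In practice the object list would come from an LDAP query of each OU rather than a constructed list, and the OU prefix set from the names of the top-level OUs that 3.1.12 says OIT creates for each department.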