Portland State University Office of Information Technologies Active Directory Standards and Guidelines for Campus Administrators



Similar documents
Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

How to monitor AD security with MOM

Chapter. Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

Installing, Configuring, and Managing a Microsoft Active Directory

User Document. Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory

Admin Report Kit for Active Directory

Group Policy 21/05/2013

Deployment of Keepit for Windows

Windows 2008 Server DIRECTIVAS DE GRUPO. Administración SSII

MailStore Outlook Add-in Deployment

MS 50255B: Managing Windows Environments with Group Policy (4 Days)

PLANNING AND DESIGNING GROUP POLICY, PART 1

MS-50255: Managing, Maintaining, and Securing Your Networks Through Group Policy. Course Objectives. Required Exam(s) Price.

Stellar Active Directory Manager

M6419 Configuring, Managing and Maintaining Windows Server 2008 Servers

Configuration Task 3: (Optional) As part of configuration, you can deploy rules. For more information, see "Deploy Inbox Rules" below.

Planning and Implementing an OU Structure

Configuring Managing and Maintaining Windows Server 2008 Servers (6419B)

Windows Logging Configuration: Audit Policy Configuration

INUVIKA OVD VIRTUAL DESKTOP ENTERPRISE

CHAPTER THREE. Managing Groups

6419: Configuring, Managing, and Maintaining Server 2008

Managing Windows Environments with Group Policy

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

These guidelines can dramatically improve logon and startup performance.

PC Power Down. MSI Deployment Guide

Password Manager Windows Desktop Client

Active Directory Integration

Active Directory Change Notifier Quick Start Guide

MOC 6419: Configuring, Managing, and Maintaining Windows Server 2008

Outline SSS Configuring and Troubleshooting Windows Server 2008 Active Directory

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Windows Firewall Configuration with Group Policy for SyAM System Client Installation

How To Write A Gpmc Script For A Gpc (Windows 2003) On A Windows 2000 (Windows 2000) On Your Computer Or Your Computer (Windows 3) On An Ipad Or Ipad (Windows 2) On The Macbook

How To - Implement Single Sign On Authentication with Active Directory

Implementing HIPAA Compliance with ScriptLogic

How to Audit the 5 Most Important Active Directory Changes

Office of Information Technologies (OIT) Network File Shares

Management Utilities Configuration for UAC Environments

Guide to deploy MyUSBOnly via Windows Logon Script Revision 1.1. Menu

Create, Link, or Edit a GPO with Active Directory Users and Computers

Configuring, Managing and Maintaining Windows Server 2008 Servers

Lesson Plans LabSim for Microsoft s Implementing a Server 2003 Active Directory Infrastructure

COMPLETE COMPUTING, INC.

User Management Tool 1.5

Configuring, Managing and Maintaining Windows Server 2008 Servers

How To Configure An Active Directory Domain Services

DigitalPersona Pro Server for Active Directory v4.x Quick Start Installation Guide

safend a w a v e s y s t e m s c o m p a n y

Administering Group Policy with Group Policy Management Console

MCTS Guide to Microsoft Windows 7. Chapter 13 Enterprise Computing

EventTracker: Support to Non English Systems

Active Directory Integration Guide

Outpost Network Security

Course 6419A: Configuring, Managing and Maintaining Windows Server 2008 Servers

Configuring, Managing and Maintaining Windows Server 2008 Servers

Configuring and Troubleshooting Windows 2008 Active Directory Domain Services

Role Based Access Control for Industrial Automation and Control Systems

Course: Configuring and Troubleshooting Windows Server 2008 Active Direct-ory Domain Services

Department of Information Technology Active Directory Audit Final Report. August promoting efficient & effective local government

M6425a Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Experiment No.5. Security Group Policies Management

Managing and Maintaining a Microsoft Windows Server 2003 Environment

Active Directory. Users & Computers. Group Policies

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain MOC 6425

Windows Clients and GoPrint Print Queues

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

System Area Management Software Tool Tip: Agent Deployment utilizing. the silent installation with Active Directory

Table Of Contents. - Microsoft Windows - WINDOWS XP - IMPLEMENTING & SUPPORTING MICROSOFT WINDOWS XP PROFESSIONAL...10

Test Note Phone Manager Deployment Windows Group Policy Sever 2003 and XP SPII Clients

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

NE-6425C Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

UNCLASSIFIED DISABLING USB STORAGE DEVICES THROUGH GROUP POLICY

Module 8: Implementing Group Policy

Table of Contents WELCOME TO ADAUDIT PLUS Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED...

ContentWatch Auto Deployment Tool

Manage, Extend, and Simplify Group Policy using Quest Group Policy Solutions

Managing Windows Environments with Group Policy 50255D; 5 Days, Instructor-led

Agency Pre Migration Tasks

Group Policy for Beginners

CC4 TEN: Pre-installation instructions for Windows Server networks

Keeping Tabs on the Top 5 Critical Changes in Active Directory with Netwrix Auditor

Active Directory Software Deployment

6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Xcalibur Global Version 1.2 Installation Guide Document Version 3.0

Outline SSC Configuring and Troubleshooting Windows Server 2008 Active Directory

Fundamentals, Security, and the Managed Desktop

VMware User Environment Manager

Top 10 Security Hardening Settings for Windows Servers and Active Directory

DriveLock Quick Start Guide

Course 6425C: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

R4: Configuring Windows Server 2008 Active Directory

Transcription:

Portland State University Office of Information Technologies Active Directory Standards and Guidelines for Campus Administrators Introduced with Windows 2000 Server, Active Directory (AD) is Microsoft s implementation of a directory service. At its most basic level, a directory service can be defined as a customizable information store used to locate and access network resources. User accounts, computers, groups, etc. are easily managed in AD because they can be organized in meaningful ways. One of the primary benefits of AD is that it allows decentralized management of these network resources. Administrators from different departments can control and maintain their own network resources and also participate in a centralized directory service. While this is very useful for enterprise networks, care must be taken to ensure that differing policies, or lack thereof, do not impair the sustainability of the AD forest. The purpose of this document is to create a standard set of rules and guidelines for participating in PSU s AD forest. Adhering to this document s recommendations will create a more straightforward, stable, and secure AD environment. Organizational Units: Organization units (OUs) are the building blocks of AD. They work in a similar fashion to file system folders. OUs can be created and deleted with ease to delegate permissions and keep AD objects organized. PSU s OU structure looks something like this: PSU.DS.PDX.EDU People Resources MyDepartment Admins Groups Printers Servers Service Accounts Test Workstations People OU All standard user accounts are stored in the People OU. Administrative access to this OU is restricted to Office of Information Technologies (OIT) staff only. Resources OU The Resources OU contains most other AD objects such as computer, group, and printer objects. This is where special rights can be given to individual departments if they wish to manage their own Resources sub-ou. These rights include: 1. Creating/Modifying/Deleting computer, group, printer, and shared folder objects. 2. Application of Group Policy Objects (see below for explanation of GPOs). MyDepartment OU Departmental OUs reside inside the Resources OU and contain the AD objects managed by a particular department. As a best practice, each departmental OU should contain separate sub-ous for Admins, Page 1 of 5

Groups, Printers, Servers, Service Accounts, Testing, and Workstations. For most departments, few additional OUs are needed. In general, it is best to use security groups rather than additional OUs to apply group policy and organize AD objects. User Objects: Account Creation User accounts are centrally managed. All new AD user accounts are created through the OIT account creation system (https://www.account.pdx.edu/) or by OIT staff only. Elevated Privilege Accounts Administrators who have elevated privileges should request a second user account from the OIT-CNS Server Team. This elevated account should never be used to logon directly to a desktop workstation. Use the elevated account for server logon and running single instances of administrative utilities such as Active Directory Users and Computers on your desktop computer. Note: To run a single program with elevated privileges on your desktop use the Run as feature. To do this, hold down the shift key and right-click on the program you would like to run. Select Run as and enter your elevated account credentials. Service Accounts AD-only service accounts may be requested by OU administrators, and will be created at the discretion of the OIT-CNS Server Team. A service account should only be used by systems that need to perform a specific task requiring AD credentials. Service accounts should never be used by individuals. OU administrators are responsible for actions performed by their service accounts, for periodically changing service account passwords, and for disabling unused service accounts. Test Accounts AD-only test accounts may be requested by OU administrators, and will be created at the discretion of the OIT-CNS Server Team. OU administrators are responsible for actions performed by their test accounts, for periodically changing test account passwords, and for disabling unused test accounts. Computer Objects: Every AD member computer running Windows NT, Windows 2000, Windows XP, or Windows Server 2003 has an AD computer account. Similar to user accounts, computer accounts provide a means for authenticating and auditing computer access to the network and to domain resources. The PSU naming standard for computers is: -compid compid Computer s location/function OR primary user s name OR primary Ethernet card s MAC address OR some other unique identification For example, a receptionist machine in the Telecom department used primarily by John Doe and with a MAC address of 00-0C-F1-E5-5B-91 should be named: TELE-FRONTDESK or TELE-DOE or TELE-000CF1E55B91 Page 2 of 5

Joining Computers to the Domain When computers are added to the domain they first appear in the Computers OU. Objects in this OU should be immediately moved to the appropriate Resources OU. Objects that are left in the Computers OU will be moved to the Resources\General\Computers_unidentified OU. Each user account is allowed to join 10 computers to the domain by default. Administrators who need to join more computer objects or move objects out of the Computers OU should submit a request to the OIT- CNS Server Team. Group Objects: Setting up security groups is one of the most important aspects of AD administration. Improper group setup can cause serious security gaps in addition to an organizational nightmare. Types There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security groups to assign permissions to shared resources. Distribution groups are used with applications such as Microsoft Exchange and are not currently used at PSU. Scope There are three group scopes: universal, global, and domain local. UNVERSAL GROUPS Should NOT be used in the PSU domain. GLOBAL GROUPS Are logical groupings of people based on their location, job responsibilities, etc. Should be created when a logical grouping of users exists that may need to be referenced more than once Should never be granted access to a resource directly Should contain only user and other global group objects as members Should be named after the group of people it represents DOMAIN LOCAL GROUPS Are defined to grant an explicit set of permissions to a resource Should be created for each resource access will be granted to and never used except for that resource Should generally not be nested inside another domain local group Should contain user and global group objects only Should be named after the resource and level of access granted The PSU naming standard for AD groups is: _groupname_accesslevel_grouptype groupname Name that describes the global group member relationship, or the domain local group resource Page 3 of 5

accesslevel grouptype Domain local groups only, access level abbreviations are: FC = Full Control Mod = Modify RW = Read/Execute and Write Read = Read/Execute List = List Folder Contents Apply = Read and Apply (GPO s only) Adv = All other access levels, use the description field to explain Group type abbreviations: GG = Global Group LG = Domain Local Group Example Scenario Computing and Network Services (CNS) has a project folder that needs to be shared amongst its employees. Management and staff need to be given full control of this folder. Student employees need read and execute access. Solution Step 1 (create/verify global groups) The following three GLOBAL groups should be created if they don t already exist: CNS_Management_GG CNS_Staff_GG CNS_Students_GG Step 2 (create domain local groups) The following two DOMAIN LOCAL groups need to be created: CNS_ProjectShare_FC_LG CNS_ProjectShare_Read_LG Step 3 (give the domain local group(s) appropriate permissions on the network resource) Open the properties page for the project folder and click on the Sharing tab. Share the folder and change the share permissions to allow Full Control to the Everyone group. Click on the Security tab and add the two DOMAIN LOCAL groups to the list (be sure to remove groups such as Everyone if they exists here). Give the CNS_ProjectShare_FC_LG group Full Control of the folder and give the CNS_ProjectShare_Read_LG group Read & Execute permissions. Step 4 (make global groups and/or individual users members of the appropriate domain local group) Using Active Directory Users and Computers, check to ensure that the global groups have the correct membership. Make the CNS_Management_GG and CNS_Staff_GG groups members of the CNS_ProjectShare_FC_LG group. Make the CNS_Students_GG group a member of the CNS_ProjectShare_Read_LG. *Note: Whenever possible create global groups to define logical groupings of individuals, but do not create global groups for the sole purpose of populating a domain local group. Create global groups only if that grouping may eventually be used or referenced in some other context. Benefits Using the example above as a template for setting up access to network resources makes it extremely easy for administrators to see exactly who has access to what. Simply open a user or group object and trace the group memberships to reveal the precise access level and resource. Page 4 of 5

Group Policy Objects: Group policy objects (GPOs) are used to define default settings that will be automatically applied to user and computer objects in AD. Policy settings can be used to manage desktop appearance, assign scripts, redirect folders, set security options, deploy software, etc. New GPOs Requests for new GPOs should be directed to the OIT-CNS Server Team. The PSU naming standard for GPOs is: function function The GPOs function or purpose For example, if OIT User Support Services (USS) wanted to create a group policy to restrict access to desktop display settings, the GPO could be called USS Restrict Display Settings. Loopback Feature The group policy loopback setting (located at Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode ) is very useful in our environment. Because PSU s user objects are centrally managed, User Configuration settings cannot be directly applied to user objects by OU administrators. The loopback option gets around this issue by allowing User Configuration settings to be applied based on the workstation a user logs on to. See the User Group Policy loopback processing mode explanation tab for more details on this feature. Miscellaneous Tips 1. Add good descriptions to all AD objects whenever possible. 2. Use standard abbreviations carefully. Make them obvious enough to be recognized by the entire campus and be consistent in their use. 3. Consider creating a security group called DepartmentName_Workstations_FC_LG and add it to the local Administrators group on all your workstations. By populating\editing the members of this group, you ll be able to centrally control which users in your environment have administrative access to your workstations. OIT-CNS Server Team Contact Information E-Mail: cns-server@lists.pdx.edu Phone: x5-9566 Author Ryan Bass Active Directory Administrator Computing and Network Services Office of Information Technologies Portland State University Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information