Active Directory (AD) Standards

11/19/2013 

  • It is recommended that all campus computers be connected to Active Directory to receive the widest range of services and functionality. The purpose for these standards is to keep the Active Directory as current and healthy as possible.
  • It is recommended that all UVU computers be connected to the campus network and powered up at least quarterly.
  • Machines not physically on campus should either be brought to campus and connected to the wired network, or connected to the campus network via VPN. Doing so will allow machines to receive operating system and application updates, and will prevent many of the problems associated with computers being removed from the network for a long period of time including:
    • Computer authentication to the domain (will prevent the object from becoming "stale")
    • Microsoft updates
    • Microsoft licensing (KMS)
    • Password updates for those that have changed their UVID password.
    • Group policies.
    • Bradford agent registration & updates

AD Computer Object Naming Conventions:

  • It is the Area Tech's prerogative to use one of three standard names:
    • room number-Inventory number
    • room number-machine number
    • Inventory number
  • The Description field should be filled in with the person's name and room number that will be using the computer.
  • Computer objects for surplus or replaced computers should be deleted.

Group Policy Objects (GPO) Standards

  • Campus-wide (OU=DEPT or OU=USERS) GPOs are named beginning with "Default" and contain general settings needed in all areas, such as DNS settings, firewall settings, and management settings. Current approved and functioning Default GPOs are:
      • "Default Domain Policy"
      • "Default Set DNS Suffix"
      • "Default add Mailmarshal to Local Intranet"
      • "Default add UVShare to Local Intranet"
      • "Default set local administrative password" (New password set each January)
      • "Default Windows Firewall settings"
      • "Default deploy SCCM 2012 client"
      • "Default IDM SDrive CIFS"
      • "Default IDM USERS SDrive"
      • "Default PST Settings"
  • "Default" GPOs will only go live after approval by TSC & IPC.
  • Area-specific GPOs have settings that are specific to a particular area, such as printers, and should be named to identify the area that owns the GPO.
    • Should be named "DEPT. CODE" followed by a short description.
  • All GPOs will be documented in the notes field of the object.
    • Including: Owner, Purpose, Used By, and Department.

OUs (Organizational Units) Standards

  • "COMPUTERS" OU
    • The "Computers OU" in AD is a staging area only; computers should not stay in this OU after they are loaded and delivered.
    • Computers will be moved from this container on the first working Monday of each month at 6:30 am.
  • "LABS" OU
    • Computers in Labs should be in this OU.
  • "SERVERS" OU
    • Contains Central IT Servers
  • "DEPT" OU
    • Contains all objects for desktop computers.
  • "TO BE DELETED" OU
    • This container is a holding place for those computer objects within the "Stale Computer Object" removal process described below.
    • A special GPO is applied to this container which places a startup message on Windows computers which warns the user of pending action and recommends they contact their area technician.
  • "DEPT_Servers" OU
    • This container is a place where departments can put server machines within departmental OUs to separate them from desktop machines, so that they may be easily managed differently than desktop systems.
    • Area technicians are assigned rights to manage objects within departmental OUs.

Stale Computer Object Removal Process

  • Computer objects should be removed from the AD OU they are in when the machines are sent to surplus; the scripts in this process are a backup for that process.
  • Report/Script to be run monthly (first working Monday each month) on "AD.UVU.EDU" to identify and move objects which have not authenticated to the domain for 17 weeks into TO BE DELETED OU.
    • A spreadsheet of object names and locations will be created containing objects affected by this process. (Date (mmddyy) 17 week.xlsx)
  • Report/Script to be run monthly on TO BE DELETED to identify and disable objects which have not authenticated to the domain for 23 weeks.
    • A spreadsheet of object names will be created containing objects affected by this process (Date (mmddyy) 23 week.xlsx)
  • Report/Script to be run monthly on TO BE DELETED to identify and delete objects which have not authenticated to the domain for 26 weeks.
    • A spreadsheet of object names will be created containing objects affected by this process (Date (mmddyy) 26 week.xlsx)
  • The spreadsheets for this process can also be found at:

\\uvdlnew\downloadablesoftware\tools\stale_ad_computers
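The three monthly steps above, written as one PowerShell script. This is an added example, not UVU's own script: the week thresholds and the report naming follow the standard, while the OU distinguished names are placeholders that must be replaced with the real ones for AD.UVU.EDU. Run it with -WhatIf first to see what would be moved, disabled or deleted without changing anything.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Server        = 'AD.UVU.EDU',
    [string]$DeptOU        = 'OU=DEPT,DC=ad,DC=uvu,DC=edu',          # placeholder DN
    [string]$ToBeDeletedOU = 'OU=TO BE DELETED,DC=ad,DC=uvu,DC=edu', # placeholder DN
    [string]$ReportDir     = '.'
)

# Caveat: lastLogonTimestamp replicates with a delay of up to 14 days, so a
# computer may have authenticated up to two weeks more recently than it shows.
function Get-StaleComputers {
    param([string]$SearchBase, [int]$Weeks)
    $cutoff = (Get-Date).AddDays(-7 * $Weeks)
    Get-ADComputer -Server $Server -SearchBase $SearchBase -Properties LastLogonTimeStamp `
        -Filter { LastLogonTimeStamp -lt $cutoff } |
        Select-Object Name, DistinguishedName, Enabled,
            @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } }
}

# One step of the process: write the report of affected objects, then apply the
# action to each one. The report name follows the standard ("<mmddyy> <n> week");
# CSV is used because Export-Csv is built in and Excel opens it directly.
function Invoke-StaleStep {
    param([string]$SearchBase, [int]$Weeks, [string]$Action, [scriptblock]$Apply)
    $stale  = @(Get-StaleComputers -SearchBase $SearchBase -Weeks $Weeks)
    $report = Join-Path $ReportDir ('{0} {1} week.csv' -f (Get-Date -Format 'MMddyy'), $Weeks)
    $stale | Export-Csv -Path $report -NoTypeInformation
    foreach ($c in $stale) {
        # ShouldProcess honours -WhatIf / -Confirm given to the script.
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, $Action)) { & $Apply $c }
    }
    Write-Verbose ('{0}: {1} object(s), report {2}' -f $Action, $stale.Count, $report)
}

# 17 weeks without authentication: move out of DEPT into TO BE DELETED.
Invoke-StaleStep -SearchBase $DeptOU -Weeks 17 -Action 'Move to TO BE DELETED' -Apply {
    param($c) Move-ADObject -Server $Server -Identity $c.DistinguishedName -TargetPath $ToBeDeletedOU
}
# 23 weeks: disable objects already in TO BE DELETED that are still enabled.
Invoke-StaleStep -SearchBase $ToBeDeletedOU -Weeks 23 -Action 'Disable' -Apply {
    param($c) if ($c.Enabled) { Disable-ADAccount -Server $Server -Identity $c.DistinguishedName }
}
# 26 weeks: delete. -Recursive also removes child objects such as BitLocker recovery info.
Invoke-StaleStep -SearchBase $ToBeDeletedOU -Weeks 26 -Action 'Delete' -Apply {
    param($c) Remove-ADObject -Server $Server -Identity $c.DistinguishedName -Recursive -Confirm:$false
}
```

Because each step searches only its own OU, an object moved in step 1 is not disabled or deleted in the same run; it has to sit in TO BE DELETED until a later monthly run reaches the 23- and 26-week thresholds, which is the grace period the startup-message GPO on that OU relies on.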