Active Directory (AD) Standards

11/21/19

  • It is required that all campus Windows computers be connected to Active Directory to receive the widest range of services and functionality. The purpose of these standards is to keep the Active Directory as current and healthy as possible.
  • Machines not physically on campus should either be brought to campus and connected to the wired network, or connected to the campus network via VPN monthly. Doing so will allow machines to receive operating system and application updates, and will prevent many of the problems associated with computers being removed from the network for a long period of time including:
    • Expired computer authentication to the domain (regular connection prevents the object from becoming "stale").
    • Delayed OS updates.
    • Expired Microsoft licensing (KMS).
    • Password updates for those that have changed their UVID password.
    • Missing Group Policies.
    • Expired FortiNAC agent registration & updates. 

AD Computer Object Naming Conventions:

This standard is for the "Computer Name" or "Hostname" of a device connected to AD.

  • Faculty/staff machines: 15 total characters; first 6 characters must contain device type prefix and inventory tag number without leading zeros; last 9 characters are optional at area technician's discretion. 
    • Prefixes: 
      • D- Windows Desktop
      • L- Windows Laptop
      • M- macOS Desktop/Laptop
      • T- Tablet
    • Examples: 
      • Windows Laptop: L2623
      • macOS Desktop: M12733-BA002MIKE
      • iPad: T2623-SCUP
  • Lab machines: the same as above but with the optional characters first. 
    • Example: BEHS12-D12345
  • The device name can be less than 15 characters long as long as the prefix and inventory tag number are included as described above.
  • The "Description" field in AD should be filled in with the owner's name, computer model and purchase date.
  • Computer objects for decommissioned and surplus computers should be deleted. 
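An added example, not part of the campus standard document: a PowerShell check that tests a proposed hostname against the naming convention above and lists every rule it breaks, so area technicians can validate names before joining a machine. It assumes that the optional text may follow the tag either directly or after a hyphen (both forms appear in the examples) and that lab names are checked with `-Lab`, where the prefix and tag come last. The function and variable names are the example's own.

```powershell
# Added example; not part of the campus standard document.
# Assumed names: Test-CampusComputerName and $DeviceTypes.
$DeviceTypes = @{ D = 'Windows Desktop'; L = 'Windows Laptop'; M = 'macOS Desktop/Laptop'; T = 'Tablet' }

function Test-CampusComputerName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$Lab   # lab machines: optional characters first, prefix and tag last
    )

    $reasons = [System.Collections.Generic.List[string]]::new()

    # Hostnames may contain only letters, digits and hyphens. 15 characters is both
    # the standard's limit and the NetBIOS computer-name limit.
    if ($Name -notmatch '^[A-Za-z0-9-]+$') { $reasons.Add('contains characters other than letters, digits and hyphens') }
    if ($Name.Length -gt 15)               { $reasons.Add("is $($Name.Length) characters long; the limit is 15") }

    # Prefix letter plus a 1-5 digit inventory tag (so it fits in the first 6 characters),
    # anchored at the start (faculty/staff) or at the end (lab).
    $pattern = if ($Lab) { '^(?<opt>.*?)(?<prefix>[DLMT])(?<tag>\d{1,5})$' }
               else      { '^(?<prefix>[DLMT])(?<tag>\d{1,5})(?<opt>.*)$' }
    $m = [regex]::Match($Name, $pattern, 'IgnoreCase')

    $prefix = $tag = $optional = $null
    if ($m.Success) {
        $prefix   = $m.Groups['prefix'].Value.ToUpper()
        $tag      = $m.Groups['tag'].Value
        $optional = $m.Groups['opt'].Value
        # The standard requires the tag without leading zeros.
        if ($tag.StartsWith('0')) { $reasons.Add("inventory tag '$tag' has a leading zero") }
    } else {
        $reasons.Add('device prefix (D, L, M or T) and inventory tag not found in the required position')
    }

    $deviceType = if ($prefix) { $DeviceTypes[$prefix] } else { $null }
    [pscustomobject]@{
        Name       = $Name
        IsValid    = ($reasons.Count -eq 0)
        DeviceType = $deviceType
        Tag        = $tag
        Optional   = $optional
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample input: the standard's own examples plus three deliberately bad names.
'L2623', 'T2623-SCUP', 'M12733-BA002MIKE', 'L02623', 'X1234', 'D1234_OLD' |
    ForEach-Object { Test-CampusComputerName -Name $_ } | Format-Table -AutoSize
Test-CampusComputerName -Name 'BEHS12-D12345' -Lab | Format-Table -AutoSize
```

Running the sample flags `L02623` (leading zero), `X1234` (unknown prefix) and `D1234_OLD` (underscore). Note that the standard's own macOS example, `M12733-BA002MIKE`, is 16 characters and is also flagged by the length check; a 16-character name would be truncated in NetBIOS, so the check is deliberately strict.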

Group Policy Objects (GPO) Standards

  • Campus wide mandatory GPOs (applied to the "DEPT" or "IDM>USERS" OUs) are named beginning with "Default" and are general settings required in all areas, such as DNS settings, firewall settings, and management settings. 
  • Campus-wide optional/limited scope GPOs are named beginning with "Generic" and are general settings either available to areas or mandatory for multiple specific areas, such as email configuration, allowed user logons and security settings. 
  • Area specific GPOs have settings that are specific to a particular area, such as printers, and should be named to identify the area that owns the GPO.
    • Naming convention: "[DEPT. CODE] [short description]"
    • Examples: "ET CMInstall" or "CSH Admins Biology". 
  • All GPOs will be documented in the comment field of the object.
    • Must include: Creator, Purpose, Used By, and Department.
    • Example:
      Creator: Jane Smith
      Purpose: Deploy Specific Printers to Math
      Used by: Math
      Department: COS
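An added example, not part of the campus standard document: a PowerShell audit that reads the comment field of every GPO (exposed as the `Description` property by the GroupPolicy module) and reports which of the four required headings are missing, plus a helper that writes a comment in the required layout. Headings are matched case-insensitively, so "Used by" in the example above and "Used By" in the rule both pass. The function names and the GPO name in the usage line are the example's own.

```powershell
# Added example; not part of the campus standard document.
# Assumed names: Get-GpoDocumentationReport, Set-GpoDocumentation, GPO 'COS MathPrinters'.
Import-Module GroupPolicy

$RequiredFields = 'Creator', 'Purpose', 'Used By', 'Department'

function Get-GpoDocumentationReport {
    [CmdletBinding()]
    param()

    foreach ($gpo in Get-GPO -All) {
        $comment = [string]$gpo.Description
        # A heading counts only as "Field: value" on its own line (case-insensitive).
        $missing = foreach ($field in $RequiredFields) {
            if ($comment -notmatch "(?im)^\s*$([regex]::Escape($field))\s*:\s*\S") { $field }
        }
        # Classify by the naming prefixes defined in the standard.
        $scope = switch -Regex ($gpo.DisplayName) {
            '^Default' { 'Campus-wide mandatory'; break }
            '^Generic' { 'Campus-wide optional/limited'; break }
            default    { 'Area specific' }
        }
        [pscustomobject]@{
            Name          = $gpo.DisplayName
            Scope         = $scope
            Documented    = (-not $missing)
            MissingFields = ($missing -join ', ')
            Modified      = $gpo.ModificationTime
        }
    }
}

function Set-GpoDocumentation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Creator,
        [Parameter(Mandatory)][string]$Purpose,
        [Parameter(Mandatory)][string]$UsedBy,
        [Parameter(Mandatory)][string]$Department
    )
    $text = "Creator: $Creator`r`nPurpose: $Purpose`r`nUsed by: $UsedBy`r`nDepartment: $Department"
    if ($PSCmdlet.ShouldProcess($Name, 'Replace GPO comment')) {
        $gpo = Get-GPO -Name $Name
        $gpo.Description = $text   # assigning the property writes the comment back to the GPO
    }
}

# Usage: list the GPOs that still need documenting, then rehearse a fix with -WhatIf.
Get-GpoDocumentationReport | Where-Object { -not $_.Documented } | Format-Table -AutoSize
Set-GpoDocumentation -Name 'COS MathPrinters' -Creator 'Jane Smith' `
    -Purpose 'Deploy Specific Printers to Math' -UsedBy 'Math' -Department 'COS' -WhatIf
```

Run the report from a workstation with the Group Policy Management tools installed; the `Scope` column makes it easy to spot an area-specific GPO that was named with a "Default" or "Generic" prefix by mistake.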

OUs (Organizational Units) Standards

  • "New Computers"
    • Staging area for computers newly added to the domain.
    • Computers should not stay in this OU after they are imaged and delivered.
    • Computers will be moved from this container to the "TO BE DELETED" OU on the first working Monday of each month before 8:00 am. 
  • "Computers"
    • Staging area for computers newly added to the domain that cannot have group policies applied to them, i.e., macOS and other non-Windows computers.
    • Computers should not stay in this OU after they are imaged and delivered. 
    • Computers will be moved from this container to the "TO BE DELETED" OU on the first working Monday of each month before 8:00 am. 
  • "LABS" 
    • Contains computers in student-facing lab environments. 
    • Area technicians are assigned rights to manage objects within departmental OUs. 
  • "SERVERS"
    • Contains core infrastructure servers. 
  • "DEPT"
    • Contains computers that are used by individual faculty/staff members or that are in faculty/staff-facing lab environments.
    • Area technicians are assigned rights to manage objects within departmental OUs. 
  • "DEPT_Servers" 
    • Contains departmental or end-user servers.
    • Area technicians are assigned rights to manage objects within departmental OUs. 
  • "TO BE DELETED" 
    • Staging area for computer objects within the "Stale Computer Object" removal process described below. 
    • A special GPO is applied to this container which places a startup message on Windows computers which warns the user of pending action and recommends they contact their area technician. There are no other GPOs acting on this container. 

Stale Computer Object Removal Process

Computer objects should be removed from AD when the machines are decommissioned and sent to surplus. As a backup, the following scripts will be run:

  • Script to be run monthly (first working Monday each month) to identify and move objects which have not authenticated to the domain for 17 weeks into the "TO BE DELETED" OU.
    • A spreadsheet report of object names and locations will be created containing objects affected by this process (MoveToTBD-yymmdd-17weeks.xlsx).
  • Script to be run monthly on "TO BE DELETED" OU to identify and disable objects which have not authenticated to the domain for 21 weeks.
    • A spreadsheet report of object names will be created containing objects affected by this process (TBD_disabled-yymmdd-21weeks.xlsx).
  • Report/Script to be run monthly on "TO BE DELETED" OU to identify and delete objects which have not authenticated to the domain for 25 weeks.
    • A spreadsheet report of object names will be created containing objects affected by this process (TBD_deleted-yymmdd-25weeks.xlsx).

The three spreadsheet reports for this process will be sent out via email and Slack to the TSC and Sysadmins groups.