Standard
Effective Date: 01/27/2014
Chapter Name: Networking
Chapter Number: 6.5.S.2
Last Review: 01/27/2014
Last Revision: 12/17/2015
Next Review: FY18
Title: Active Directory Delegation Standards And Administration
1.0 Purpose
This standard describes the general structure of AD in regards to management delegation, and the requirements
imposed upon Eastern Michigan University (EMU) Organization Unit Administrators (OUAs).
OUAs have the responsibility and authority to manage the computers, groups, and Group Policy Objects (GPOs) for
the University entity to which they are assigned. Because this responsibility and authority can disrupt the normal
computing operations of the University entity, a level of knowledge of Active Directory is required. This standard
defines those requirements.
2.0 Governing Policy
Number/Document Name: 6.5 Active Directory Delegation Policy
Effective Date: November 13, 2012
3.0 Standard
OU Design & Delegation
OUs will be created as needed by the Active Directory Administrators (ADA) group for each unit (college or
division) of the university. Each University entity may have its own OU. OUAs will be delegated access to the
appropriate OU(s) based on their job function within the University.
OUA Recommendation(s)
Upon approval of the ADA group, an OUA will be granted the authority to manage an OU. Because this authority
can significantly affect the computing resources of a unit, staff members must be recommended by the college or
divisional head to be delegated as an OUA for a unit. This recommendation must be submitted to the ADA group in
writing by the appropriate college or divisional authority. The ADA group will typically review submissions within
10 business days of submission, and will respond in writing. The response will include either approval of the
requested OUA or the specific reason(s) why the request was denied. Any denied request can be appealed to the
Director of Network and Systems Services in writing.
OUA Qualifications
OUA candidates should be fluent in AD technology. They should have, at minimum, a conceptual understanding of
the major components of AD including forests, domains, OUs, sites, Group Policy Objects (GPOs), and domain
local, global, and universal security groups. They should also have an understanding and some basic experience with
the standard troubleshooting steps and tools available for handling Group Policy issues, such as the use of the
Resultant Set of Policies (RSOP) tool.
IT Standard
Form Version 3.0
Page 1 of 3
Certifications held by the candidate relevant to Active Directory can be used as reasonable indicators that a staff
member is appropriately qualified to become an OUA.
Further qualifications for approval of an OUA may be required by the ADA group based on the university
function(s) of the requesting unit and its specific AD management requirements. Any necessary qualifications
specific to the unit will be reviewed with the requestor upon submission of the OUA delegation request.
OUA Rights
OUAs have the ability to create (add), modify, and delete computers, groups, and GPOs in their delegated OU(s).
User objects will be added to an OU upon request of the OU’s OUA to the ADA group, and must only consist of the
type of users necessary for service accounts.
I.T. support for OUAs
I.T. staff in the ADA group provide support to OUAs in local units. OUA support shall be provided in response to
e-mails sent to ad-admins@emich.edu. AD Administrators are generally available to handle support requests from
OUAs during normal business hours.
The ADA group will be expected to:
• Communicate and coordinate with OUAs to minimize disruption to end users.
• Notify OUAs about all scheduled maintenance.
• Work with OUAs to restore deleted AD objects.
• Meet response and resolution times associated with service-related incidents. For more information, please refer
to EMU’s IT Policy web site.
OUA Responsibilities
1. Agree to the policies, procedures, standards, and guidelines for OUA Administrators.
2. Work closely with the Active Directory Administrators (ADA) group to ensure the smooth functioning of
AD relevant to their University entity.
3. Adhere to the EMU AD naming standards 6.5.S.1.
4. Add, delete, and modify computer and group objects within their assigned OU(s).
5. Add, delete, modify, and troubleshoot GPOs within their assigned OU(s).
6. Maintain proper security groups and authorization policies within their assigned OU(s).
7. Provide contact information for OUAs to the IT Help Desk in case of emergency.
8. Maintain security of all objects within their OU(s).
9. Report problems to the ADA group immediately via phone call or text message.
10. Follow industry standard security best practices (e.g. least privilege).
11. Immediately follow the incident response procedure and email it-security@list2.emich.edu if a security
vulnerability or compromise is discovered.
12. Provide I.T. with contact information for OU administrators and notify I.T. of changes.
13. Subscribe to the AD list (ad-admins@emich.edu). This is the primary means that I.T. communicates
changes to department administrative personnel.
14. Test changes announced by the Campus Active Directory service administration and any local or OU
specific changes.
15. Complete all testing in the appropriate test environment.
16. Provide critical information to I.T. in a timely manner when requested for purposes of resolving user issues.
17. Respond to data validation and audit requests from the University Auditor or IT Security.
18. Provide Tier 1 support for users in the supported departments.
Unless other arrangements are made with I.T., OUAs must also:
1. Manage and support local resources and services. Examples include servers, laptops, desktops, and printers,
creation of file shares and groups, and access management.
2. Keep member server licensing current.
3. Maintain member server OS & hardware maintenance.
4. Keep workstations and member servers within their OU(s) secure.
5. Monitor member servers regularly.
6. Keep server and workstation operating systems within the boundaries of Microsoft’s Mainstream Lifecycle
Support (http://support.microsoft.com/gp/lifeselect).
7. Provide feedback on the quality and timeliness of service that I.T. provides relative to Active Directory.
ADAs reserve the right to remove any workstation or member server from the domain that has not been properly
secured and poses a threat to the safety of the network.
4.0 Responsibility for Implementation
The Director of Network and System Services is responsible for implementation of this standard.
5.0 Definitions
Active Directory (AD): A centralized directory service for networked computers that enables central
management of authentication, user accounts, applications, and policy enforcement.
Organizational Unit Administrators (OUAs): Local / college technical staff members who have been delegated
rights that enable them to manage AD objects for a unit.
AD Objects: Computers, groups, users, and group policy objects.
Group Policy Object (GPO): A GPO is a collection of Group Policy settings, stored at the domain level as a
virtual object consisting of a Group Policy container (GPC) and a Group Policy template (GPT). The GPC, which
contains information on the properties of a GPO, is stored in Active Directory on each domain controller in the
domain. The GPT contains the data in a GPO and is stored in the Sysvol in the /Policies subdirectory. GPOs affect
users and computers that are contained in sites, domains, and OUs.
AD Administrators (ADAs): I.T. staff members who have responsibility for administering the AD forest,
domain, and services.
Organizational Unit (OU): A container for holding computers, groups, and applying group policies.
6.0 Revision History
Description / Approval Date
Policy Committee: January 23, 2014
Approved by CIO: January 27, 2014
IT Policy Committee 1st review: August 6, 2015
IT Policy Committee 2nd review: December 10, 2015
Approved by CIO: December 17, 2015