Princeton University
Princeton Domain/Active Directory
OIT OU Administrator Delegation

Please review this document and provide the requested information and signatures indicating agreement to the terms of OU Administrator Delegation.

Section I. General Contact Information

Name of Department:
Department Manager Contact Name, Phone Number(s), Email Address(es):
Hours of Department Operation:
Total number of people in Department:
Name(s) of Technical Staff Member(s) who will assume OU Administrator responsibilities, Phone Number(s), Email Address(es):
Contact information for Department's Help Desk, Phone Number(s), Email Address(es):
Hours of Department's Help Desk Operation:

Section II. Department Organizational Unit (OU) Administrator Privileges

The following Active Directory administrator privileges will be granted to the technical staff enumerated in Section I above.

Create Temporary/Visitor Accounts: The University's PeopleSoft Campus Community and CARPROC systems are the authoritative source for University user accounts (NetIDs) and for password creation. For individuals who are affiliated with a department but not formally known to the University's Human Resources department, the Department can sponsor a University-issued NetID by contacting OIT Accounts (609-258-4357, Option 2). Departments may instead choose to issue departmental user accounts for visitors or other temporary uses that do not require access to any centrally provided computing and networking services. For this reason, OU Administrators will have the ability to create temporary/visitor user accounts within the Department OU. Temporary/Visitor account names must begin with the prefix "tmp-" or "nnn-", where nnn is the 3-letter departmental abbreviation. This prefix ensures that departmental account names will not conflict with names generated by the Campus Community/CARPROC processes.
The Active Directory will be monitored regularly, and departmental user accounts that do not meet the naming standard will be flagged and corrected. E-mail notification will be sent to the OU Administrator regarding naming inconsistencies. Please be advised that these accounts will not be supported on University systems (e.g., Mail, Blackboard, Unix, PeopleSoft). If access to University systems is required, please contact OIT Accounts for a University-issued NetID. Because these accounts are created outside the authoritative Campus Community/CARPROC processes, their lifecycle (expiration and deletion) is the department's responsibility; the Department manager should be made aware of the procedures followed for temporary account creation, password policies, account deletion, access to resources, and related issues of protecting departmental resources within the OU.

Create Groups: The Active Directory uses "groups" to simplify management of resources and access permissions. For example, software may be licensed for use by all faculty and staff but not students. OIT maintains certain general group definitions in the Active Directory (FACULTY/STAFF, Students, Graduates), with affiliation data coming from the University's authoritative data source for people, PeopleSoft Campus Community. Additional group designations will be created in the future. Departments may need more specific group designations for managing access to particular departmental computing resources. For this reason, OU Administrators will have the ability to create groups within the Department OU. Departmental group names must begin with the prefix "grp-" or "nnn-", where nnn is the 3-letter departmental abbreviation. Using a prefix ensures that groups defined within departmental OUs do not conflict with group names maintained by OIT. The Active Directory will be monitored regularly, and departmental group names that do not meet the naming standard will be flagged for correction. E-mail notification will be sent to the OU Administrator regarding naming inconsistencies.
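The naming-standard monitoring described for temporary/visitor accounts and for departmental groups, written out as an added example. This is not OIT's actual monitoring script: it is a PowerShell check that enumerates the user and group objects under a departmental OU and reports any whose sAMAccountName lacks one of the allowed prefixes ("tmp-"/"nnn-" for users, "grp-"/"nnn-" for groups). The department abbreviation "abc", the OU distinguished name, and the mail addresses and SMTP server are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not OIT's monitoring script. Assumed values: the 3-letter
# department abbreviation, the OU distinguished name, and the mail settings.
param(
    [string]$DeptAbbrev = 'abc',
    [string]$DeptOU     = 'OU=ABC,OU=Departments,DC=princeton,DC=edu',
    [string]$NotifyTo   = 'ou-admin@dept.example.edu',
    [string]$SmtpServer = 'smtp.example.edu'
)

# Returns $true when a user or group name follows the delegation naming standard:
# users start with "tmp-" or "<nnn>-", groups with "grp-" or "<nnn>-".
function Test-DeptObjectName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('user', 'group')][string]$Kind,
        [Parameter(Mandatory)][string]$Abbrev
    )
    if ($Abbrev -notmatch '^[A-Za-z]{3}$') {
        throw "Department abbreviation must be exactly three letters: '$Abbrev'"
    }
    $generic = if ($Kind -eq 'user') { 'tmp' } else { 'grp' }
    # -match is case-insensitive by default; require at least one character after the hyphen.
    return $Name -match "^($generic|$([regex]::Escape($Abbrev)))-.+$"
}

# Collects every user and group under the OU whose sAMAccountName is out of standard.
function Get-OUNamingViolations {
    param([string]$SearchBase, [string]$Abbrev)
    $violations = New-Object System.Collections.Generic.List[object]

    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * -Properties whenCreated |
        Where-Object { -not (Test-DeptObjectName -Name $_.SamAccountName -Kind user -Abbrev $Abbrev) } |
        ForEach-Object {
            $violations.Add([pscustomobject]@{
                Kind = 'user'; Name = $_.SamAccountName
                DN = $_.DistinguishedName; Created = $_.whenCreated
            })
        }

    Get-ADGroup -SearchBase $SearchBase -SearchScope Subtree -Filter * -Properties whenCreated |
        Where-Object { -not (Test-DeptObjectName -Name $_.SamAccountName -Kind group -Abbrev $Abbrev) } |
        ForEach-Object {
            $violations.Add([pscustomobject]@{
                Kind = 'group'; Name = $_.SamAccountName
                DN = $_.DistinguishedName; Created = $_.whenCreated
            })
        }
    return $violations
}

# Force an array so .Count is meaningful whether zero, one, or many objects are found.
$found = @(Get-OUNamingViolations -SearchBase $DeptOU -Abbrev $DeptAbbrev)
if ($found.Count -eq 0) {
    Write-Output "All user and group names under $DeptOU meet the naming standard."
    return
}

$report = $found | Sort-Object Kind, Name | Format-Table Kind, Name, Created, DN -AutoSize | Out-String
Write-Output $report

# Notify the OU Administrator, as the delegation document describes. Correction of
# the offending objects is left to the people involved; this script only reports.
Send-MailMessage -To $NotifyTo -From 'ad-monitor@example.edu' -SmtpServer $SmtpServer `
    -Subject "Naming standard: $($found.Count) object(s) out of standard in $DeptOU" `
    -Body $report
```

Run it under an account with read access to the departmental OU (no write rights are needed, since it only reports), on a schedule matching how often OIT says the directory is monitored. Checking sAMAccountName rather than the display name is deliberate: sAMAccountName is the logon name that could collide with a NetID generated from Campus Community/CARPROC, which is the conflict the prefix rule exists to prevent.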
The Department manager should be made aware of the procedures followed for groups, including creation, deletion, access to resources, and related issues of protecting departmental resources within the OU.

Create Additional OUs within the main Departmental OU: Departments may need additional organizational structure within their defined OU. For this reason, OU Administrators will have the ability to create OUs within the main Departmental OU.

Link to Group Policy Objects: Active Directory uses "Group Policy Objects" (GPOs) to apply settings and permit specific actions based on the login ID (the person who is logging in) or the machine (the computer from which a person is accessing the network). For example, access to a department's licensed software package can be granted to a group of users or to a group of machines. The GPO helps the department better control access to resources. OU Administrators will work with OIT PC Systems staff to define, create, and test any GPO in the University's test Active Directory. After successful tests, the GPO will be added to the production Active Directory GPO library. From there, OU Administrators can link the GPO to OUs within their Departmental OU structure and, where needed, restrict its scope to particular groups of users or machines through the GPO's security filtering. (A GPO is linked to a site, domain, or OU; groups control which users or machines within that scope the policy applies to.) OIT will maintain a dictionary of the GPOs in the Library. General GPOs can be used by multiple departments.

Create/Delete Machine Accounts: Like users, machines must have accounts in the Active Directory. Creation and deletion of machine accounts will be delegated through a web page so that a script can ensure that the machine's NetBIOS name matches the HOSTNAME recorded in the Hostmaster Database.

Move Machine Accounts: At the discretion of the department, once a machine account has been created, it can be moved within the Department OU structure using the native management tool. DeSC machines are required to be members of the DeSC OU.

Section III.
Departmental Services/Servers in the Princeton Domain

Staff, faculty, and students call the OIT Help Desk even when a question may be best handled by a Department's OU Administrator or other technical support staff. To help OIT best handle calls from people trying to access servers and resources related to your Departmental OU, please list the departmental servers and resources that you provide or plan to provide. For each, please provide the following details:

Are the services or resources available 8x5 or 24x7?
Are there any service level agreements with departmental users about the availability and support of these services/servers?

Peak Times
Are there peak usage times for the departmental services/server each day?
Are there peak usage times during the academic year?

Planned and Unplanned Outage Times
Is there scheduled down time for server/service maintenance?
Are planned or unplanned outages communicated to departmental users?
Are planned or unplanned outages communicated to the OIT Help Desk?
If your OU Administrator or other support staff are unavailable, are there monitoring tools the OIT Help Desk can use to determine whether the service/server is unavailable?
Please provide contact information (name, phone numbers, and contact hours) for the system administrators whom OIT staff will contact when these servers/services are unavailable and a departmental customer is seeking assistance from OIT.

Authentication
Is authentication required to access the departmental service/server?
If so, which authentication system is used by the departmental service/server? (e.g., Princeton domain, LDAP, NIS, or a separate departmental authentication system)
If authentication is provided by a separate departmental system, who manages that system, including account creation and password resets?

Section IV.
OU Administrator Qualifications and Responsibilities

Technical staff in the departments are eligible to be granted OU Administrator privilege if they:
- have taken a Microsoft-approved course for Windows 200x/Active Directory administration;
- are highly proficient Windows NT administrators, with at least 24 months of proven experience;
- continue to develop and maintain proficiency and expertise with Active Directory;
- attend Windows 200x technical meetings to share information and participate in the work of testing, development, and planning changes for the Active Directory; and
- provide OIT with up-to-date contact information, including business hours and after-hours accessibility.

The Office of Information Technology reserves the right to revoke any level of administrator privilege from any staff member who is unable to meet these requirements or who interferes with the proper operation, maintenance, or upgrade of the University's Active Directory infrastructure.

Section V. OIT Support

If OIT is called upon to troubleshoot and/or correct a problem within a delegated Departmental OU, or with a departmental service or server in the Princeton Domain, the standard OIT hourly rates for non-DeSC system administration support will be charged.

Section VI. Delegation, Acceptance and Signatures

The following departmental staff will be delegated the Administrator privileges defined in this document for the OU of the department named in Section I.
1.
2.

The following people have read the guidelines set forth in this document. By signing below, all parties agree to abide by these guidelines.

Signature / Printed Name / Date

Department Head: __________________________________
Dept. Info. Technology Head: __________________________________
Dept. Technical Staff (1): __________________________________
Dept. Technical Staff (2): __________________________________