This Practice Directive sets forth the basic operational guidelines for current users and/or departments that volunteer to participate in the SF State central AD environment.
Purpose & Scope
Active Directory (AD) is a directory of people, computers, and groups that provides a way to manage security, software and other aspects of the computers. Through the central AD services, Division of Information Technology (DoIT) is able to provide authentication to the computers participating in the AD using SF State ID, eliminating the need for a separate local or other accounts.
AD also provides the ability to easily share and update standardized security policies with computers on our network, in compliance with University Practice Directives. AD services at SF State include:
- A single, consistent point of management for users, applications, and devices.
- Simplified management and use of file and print services making network resources easier to find, configure and use.
- A central control of authentication information to manage security services for internal desktop/laptop users and remote users.
- A single sign-on to AD integrated network resources for users.
This practice directive sets forth the basic operational policies, guidelines, rules and expectations for current users and/or departments that volunteer to participate in the SF State central AD environment.
Practice Directive & Appropriate Use
SF State AD environment is integrated into the University’s network infrastructure and must abide by these requirements:
- Central AD supports Enterprise Windows infrastructure for use by SF State Faculty, Staff and Students.
- DoIT is responsible for creating a delegated Organizational Unit (OU) with a structure according to the standard template for participating units. Any changes to the OU must be approved by the DoIT systems team.
- Administration of the delegated OU will be assigned by DoIT to the SF State employee(s) designated by the unit as the unit's delegated AD administrator(s). The OU administrative accounts are dedicated individual secondary accounts with the naming convention p"SF State ID". The delegated AD administrator privileges are limited to the assigned OU only. In the event accounts need to be created, deleted, reset and/or there are changes in the OU administration roles, DoIT systems team should be contacted.
- Administrators in delegated OU are not allowed to create AD user accounts including Guest accounts without prior written approval from DoIT. Guest accounts cannot be shared.
- Everything in the AD must have a unique name. Since all resources in the directory are shared, the names must be distinguishable as well as unique.
- Central AD infrastructure is limited to the campus network 220.127.116.11 and only available off campus via the VPN.
- By accessing the AD servers, users agree that they are aware of and adhere to all policies noted in the Network Practice Directive.
- Existing Information Security program requirements should be applied and maintained in an Active Directory both at the Enterprise level and at the OU level.
- AD environment must be in compliance with SF State Acceptable Use Practice Directive on Authorized Use Access.
- DoIT reserves the right to temporarily or permanently deny access to any computer account, computing lab or other network resource maintained by DoIT that has been misused. Misuse includes but is not limited to, account/password sharing, non-academic usage, false ownership or identification misrepresentation, malicious or unauthorized hacking and/or intrusion, electronic harassment, making unauthorized copies of any copyright protected software.
Active Directory Names Convention & Standards
Active Directory objects naming convention:
- All units must comply with the Active Directory (AD) objects naming convention. Each unit will be assigned a namespace(s). Any object created under the Organizational Unit (OU) should have the namespace as the prefix following by "-". For Example "at" for Academic Technology, so NetBIOS names, groups or GPOs (Group Policy Objects) should be at-"some_name_of_the_object". Division of Information Technology (DoIT) is responsible for maintaining the namespace/units assignments table.
Currently supported types of objects that can be created under the delegated OU:
- Security groups: Any resource/permissions access control should follow User > Domain Global > Domain Local > Resource best practice model, where users should be assigned to a Global group, access control (permissions) to the Domain Local and Domain Global nested into Domain Local.
- Accounts: "service" accounts created under the "Users/Service" sub OU. The naming convention for the service accounts is “namespace” svc_”service_description”, for example at-svc_backup1. The purpose of the service accounts is for use in the applications to be "Run As". If a service account needs local administrative or other elevated privileges on the computers, they should be managed through assignment of the account to the local computer Administrators group. The service accounts should be restricted with "Log On To" user account property.
- Computer objects should be moved into the appropriate sub OU's depending on the purpose.
DNS names, DNS domains/subdomains and static IP use:
- Central AD is purely DNS (Domain Name Systems) based and does not use the legacy WINS service. The campus DNS servers are 18.104.22.168 and 22.214.171.124. The campus DNS system only supports public IP's in the campus range 126.96.36.199/16. Private IP ranges are not supported. Any devices with Static IPs have to be registered in the central DNS by DoIT. Windows AD servers and other Windows systems under the delegated OU that are eligible for static IPs should use the DNS subdomain matching the assigned namespace. For example: at-"some_name".at.sfsu.edu. In general client devices such as Windows workstations/laptops are not eligible for static IPs and should be assigned to the dedicated "clients.sfsu.edu" DNS subdomain.
Responsibility for implementing this practice directive will rest with various departments within Information Technology that are responsible for maintaining the University AD environment. Submit any apparent violation of Active Directory Accounts Practice Directives to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to firstname.lastname@example.org.
Noncompliance with applicable policies and/or practices may result in suspension of AD accounts privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.