Active Directory Services Administration Manual

Administrator Account Naming Rules

Field	Char Length	Example
Onyen	Up to 16	jqpublic
Separator	1
Suffix	3	dom

Example: jqpublic.dom 

d.    Departmental User Accounts

Special purpose user accounts may be created in the AD.UNC.EDU domain by departmental administrators. It is critical the departmental user accounts do not conflict with Onyen accounts or potential Onyen accounts--that is, usernames <= 8 characters. The Onyen system has priority over all usernames with <= 8 characters. Any departmental user account conflicting with the creation of an Onyen will be immediately deleted. Following the naming standards will ensure that no conflicts exist.

Departmental user accounts will be disabled if the following criteria are met:

• Account is at least 365 days old
• Account has not logged on in at least 365 days
• Account has not changed password in at least 365 days
• Additionally, departmental user accounts will be disabled if their maximum password age policy is less than 365 days, and the password is expired.

Departmental user accounts will be deleted if the following criteria are met:

• Account is disabled
• Account is at least 395 days old
• Account has not logged on in at least 395 days
• Account has not changed password in at least 395 days
• Account does not have a mailbox

The following types of accounts are permitted:

                 i.   OU Administrator Accounts

OU administrator accounts are special accounts which have been delegated special privileges on the domain that aren’t appropriate for general computer usage.  These accounts should only be used when elevated permissions are necessary. Note that OU administrator accounts should not be used for high-risk activities, including web browsing, email, and logging in to client computers, other than the administrator’s assigned workstation. LAPS is the preferred solution for administration of client computers.

All administrator accounts must correspond to an Onyen and must follow the Passwords, Pass-phrases, and Other Authentication Methods Standard.  Administrator accounts will be disabled if no active, matching Onyen is found. Administrator accounts never expire. Administrator accounts are subject to a special password policy. Administrator passwords must be 17 characters and expire after 91 days.  Administrator account passwords will be locked out for 5 minutes after 10 failed attempts in a 5 minute period. Administrator accounts must not set the “password never expires” flag or have servicePrincipalNames (SPN). Administrator accounts should not be mail-enabled or trusted for delegation.

An administrator account will be created for the requestor of each departmental OU. This user will have the ability to create additional administrator accounts for other departmental administrators. ITS does not typically make changes, including resetting passwords, for Administrator accounts. This task should be done by other departmental administrators.

By default, there are 3 privileged roles within each departmental OU:  OU Admin, Computer Admin, and Server Admin. Where possible, departments should consider assigning these roles to different people to achieve separation of duties. Accounts for these distinct roles can be distinguished using .adm for OU admins, .cadm for computer admins, and .sadm for server admins.

All OU administrators will receive a daily report, by email, showing the systems their admin account has logged in from and any changes to AD objects made by their admin account. OU administrators should review this report daily for signs of abuse. Managers may request rollup reports their subordinates’ admin account activity.

When OU administrators leave or change roles, their admin accounts should be deleted. When OU Administrators change departments, their admin account should be deleted, and a new admin account created for them. This will remove any permissions directly granted to the admin account.

Administrator Account Naming Rules

Field	Char Length	Example
Onyen	Up to 8	jqpublic
Separator	1
Suffix	3-4	adm, cadm, sadm

Example:         jqpublic.adm, jqpublic.cadm, jqpublic.sadm

 ii.    Service Accounts

Service accounts are special accounts that are used to run services or schedule tasks under their own credentials. This allows the service to be run using the minimum required credentials and allows for easier security monitoring.

Service accounts must follow the Passwords, Pass-phrases, and Other Authentication Methods Standard.  Service accounts must have complex passwords with at least 17 characters.  When supported, passwords should be much longer, e.g., 64-128 characters. Service account passwords do not expire but must be changed every 365 days. Service accounts are owned by the OU administrators for the OU where they are located. The service account owners are responsible for ensuring that the service account usage is secure and complies with all UNC-Chapel Hill policies. Service accounts should not be used to logon interactively in place of admin accounts.

Administrators are encouraged to use group managed service accounts (gMSA) where possible and to migrate existing service accounts to gMSAs where possible. This eliminates the need to manage passwords.

Service Account Naming Rules

Field	Char Length	Example
OU ID	Up to 5	ITS
Separator	1
Description	Up to 11	mssqldev
Separator	1
Suffix	3	svc

Examples:         ITS_mssqldev.svc and its_dis-mssqldev.svc

 

  iii.   Group Managed Service Accounts (gMSA)

Group managed service accounts (gMSA) are an alternative to standard service accounts which offer the advantage of having extremely complex, managed passwords, eliminating the need to manage and change passwords. While gMSAs are not compatible with all service account scenarios, they are recommended where supported.

For assistance with creating and implementing gMSAs, contact the domain admin team. gMSA names are limited to 16 characters, with the last character being a $. We’ve modified the naming standard to maximize the number of characters available for description. gMSAs cannot be synchronized to Azure AD.

Group Managed Service Account Naming Rules

Field	Char Length	Example
OU ID	Up to 5	ITS
Description	Up to 13	mssqldev
Suffix	1	$

 

             iv.   Test Accounts

Test accounts are special accounts used to temporarily test something.

Test accounts must follow the Onyen password policy. Test accounts must be set to expire 30 days after creation and be deleted within 15 days after they expire. Test accounts are owned by the OU administrators for the OU where they are located. The test account owners are responsible for ensuring that the test account usage is secure and complies with all UNC-Chapel Hill policies.

Test accounts are not synchronized to Azure AD.

Test Account Naming Rules

Field	Char Length	Example
OU ID	Up to 5	ITS
Separator	1
Description	Up to 11	sidhistory
Separator	1
Suffix	3	tst ​​​​

Example:         ITS_sidhistory.tst

 

v.    Common Accounts

Common accounts are domain users used to auto-logon a computer, for example a kiosk. The intention is the credentials are stored in the operating system and are not known by the end user.

Common accounts must follow the Passwords, Pass-phrases, and Other Authentication Methods Standard.  Common accounts must have complex passwords with at least 17 characters.  When supported, passwords should be much longer, e.g., 64-128 characters. Common account passwords do not expire but must be changed every 365 days. Common accounts are owned by the OU administrators for the OU where they are located. The common account owners are responsible for ensuring that the common account usage is secure and complies with all UNC-Chapel Hill policies. It is recommended that common accounts are configured with LogonWorkstations restrictions to avoid misuse.

Field	Char Length	Example
OU ID	Up to 5	ITS
Separator	1
Description	Up to 11	kiosk
Separator	1
Suffix	3	com

Example:         ITS_kiosk.com

   vi.   Guest Accounts

Guest accounts are special accounts created to give temporary access to a person who does not have an Onyen. In most cases, users should be given access by using unit HR processes to affiliate them in a way that would entitle them to an Onyen.  Guest accounts were primarily used to give external collaborators access in SharePoint. Since moving to Office 365 SharePoint, external collaborators should be given access via Microsoft accounts. CREATION OF NEW GUEST ACCOUNTS IS NO LONGER PERMITTED.

Guest accounts must follow the Onyen password policy. Guest accounts must be configured to expire 60 days after creation and must be deleted within 15 days after they expire. Guest accounts are owned by the OU administrators for the OU where they are located. The guest account owners are responsible for ensuring that the Guest account usage is secure and complies with all UNC-Chapel Hill policies.

Guest accounts are not synchronized to Azure AD.

Guest Account Naming Rules

Field	Char Length	Example
OU ID	Up to 5	ITS
Separator	1
Description	Up to 11	jqpublic
Separator	1
Suffix	3	gst

Example:  ITS_jqpublic.gst

 

vii.   Native Azure AD Global Administrator Accounts

Azure AD global administrator accounts are special accounts used for managing the Azure AD tenancies in the Azure cloud and only exist natively in those Azure AD tenancies. As a best practice, the number of Azure AD global administrator accounts should be kept to a minimum. Azure AD global administrator accounts will only be available to ITS staff with a primary responsibility for managing Azure AD and approval by the AVC for Infrastructure and Operations or ITS Azure service owner.

 AD global administrator accounts are special accounts used for managing the Azure AD tenancies in the Azure cloud and only exist natively in those Azure AD tenancies. As a best practice, the number of Azure AD global administrator accounts should be kept to a minimum. Azure AD global administrator accounts will only be available to ITS staff with a primary responsibility for managing Azure AD and approval by the AVC for Infrastructure and Operations or ITS Azure service owner.

All administrator accounts must correspond to an Onyen and must follow the Passwords, Pass-phrases, and Other Authentication Methods Standard.  Azure global administrator accounts never expire. Administrator accounts are subject to a special password policy and regular ITS Audit. Administrator passwords must be 17 characters and expire after 91 days.   Use of these accounts must follow the ITS Change Management Policy.

Activity Logs for these accounts will be delivered to the domain administrators Team for reference and audit.

             viii.    Other Accounts

The following account types are used for special services, such as Exchange, Office 365, and Qualys.

Type	Extension
Resource Mailboxes	.rmb
Shared Mailboxes	.smb
O365 Unified Groups	.ug
Qualys Scanner Account	.scn
VMWare Admin	.vmadmin

 

 II.       Departmental Organizational Units

Organizational units (OUs) are analogous to folders in a file system. In addition to being a container for Active Directory objects, OUs are used to create administrative boundaries for delegation and the application of Group Policy Objects. A well-organized OU architecture will simplify management by grouping objects that have common delegation and security policy needs.

a.    Naming

A departmental organization unit (OU) will be created by ITS Windows Enterprise Infrastructure for each eligible department participating in the AD.UNC.EDU domain. To be eligible, a department must have at least one permanent IT staff member who can serve as the OU administrator. The departmental OU is intended as an administrative boundary and departmental OUs will not necessarily represent the “org chart.” 

The departmental OU will contain all computers, groups, organizational units, and group policies that belong to the department. The departmental administrators will be delegated control over this OU. The departmental administrators are solely responsible for the administration of this OU and all the objects that it contains.

Each departmental OU will be given a name of 5 characters or less.  This name will be an abbreviation of the department that it represents. In most cases this name will be the official abbreviation used by the department, college, or unit. In the case of conflicts, the abbreviation will be awarded to the organization that has a more well-known use of the abbreviation. However, once a departmental OU name has been established, it cannot be changed.

Departmental Organization Unit Naming Rules

Departmental Organization Unit Naming Rules
Field	Char Name	Example
OU ID	5	ITS

Example:    ITS and SON

 

b.    Organization

All departmental OUs will be created under the UNC OU which exists in the root of the domain. Departmental OUs will be organized in a quasi-org chart design based on end-user desktop

support responsibilities. In short, departments that provide tech support to end-users using domain computers will have their own OU within the UNC OU. Organizations that receive their end-user support from a parent organization will be a part of the parent organization’s OU. Parent organizations are encouraged to create sub-OUs following the org chart, but this is at the parent organization’s discretion.

This organization and delegation scheme can be extended to as many levels necessary to fully capture the organization’s desktop support environment. Consider the following advanced example:

• A college provides desktop support to its departments.
• The college would create a sub-OU for its departments.
• Each department would then have sub-OUs for each of its departments, such as administration, and several research labs.
• Each research lab has its own desktop support staff that share duties with the college’s staff.
• The college would delegate control over each research lab to the research lab’s desktop support staff.

Because the design of a department’s organizational unit hierarchy is critical to the efficient usage of Active Directory, ITS Systems will provide consulting to departmental administrators to help ensure that their design will help promote efficiency and security.

    III.       Computer Accounts

When a computer is joined to a domain, a computer account is created in that domain. We recommend that the departmental computers be added to the AD.UNC.EDU domain by first adding the computer name into the departmental OU using the Active Directory Users and Computers MMC.  To keep the number of objects in Active Directory under control, the following procedure will be followed:

• For computer accounts inside the Computers container:  Any computer account in the Computers container will be disabled after 7 days. A disabled computer account in the Computers container that has been disabled for over 7 days will be deleted. An email will be sent daily to the creator of the computer requesting that it be moved to their departmental OU. To assist departmental administrators in retrieving computers from the Computers container, all departmental administrators will have permissions to move computers from the Computers container into their OU.
• For computer accounts outside the Computers container: A report will be generated each semester containing all computer accounts that have been inactive for over 365 days. This report will be published to the SysAdmins team. After 7 days, any computer remaining inactive will be disabled.  After 30 days, any computer remaining inactive and disabled will be deleted.
• Computers will show up as inactive if they are unable to contact the domain controllers. Computers that are off-campus are unable to contact the domain controllers unless they are connected to the UNC-Chapel Hill VPN or configured to use the Always On VPN.  All users who take computers off-campus should be encouraged to use the VPN whenever possible.

Computer names must be unique, but there is no required naming scheme. It is suggested that computer names start with the OU name.

   IV.       Groups

a.    Security Groups

Security groups are general purpose groups used for grouping users and computers for easier management. It is important that security groups have descriptive names and descriptions that further explain their purpose, membership, and resource permissions.

In cases where groups are used to filter the application of Group Policy, the group and Group Policy should have identical names.

We encourage following the AGDLP group design practice.

Security Group Naming Rules

Field	Char Length	Example
OU ID	Up to 5	ITS
Separator	1
Description	Up to 59	DIS-Staff

Example:   ITS_DIS-Staff

b.    Software Groups

Software groups are special groups created to distribute software to computers via Group Policy. These are not widely used in ad.unc.edu. SCCM is the preferred tool for software deployment.

Software Group Policy Naming Rules

Field	Char Length	Example
Prefix	2	SW
Separator	1
OU ID	Up to 5	ITS
Vendor
Separator	Up to 56	Symantec
Product
Separator		Antivirus
Version		10.1.6.6010

Example:    SW_ITS_Symantec_Antivirus_10.1.6.6010

c.    Managed Groups

Managed groups are special groups that are managed by the Identity Management System. The purpose of these groups is to provide pre-populated groupings of users based on their identity management information, such as: departmental affiliations, class, course enrollments, major, etc.

Managed groups are named based on the naming standards in Grouper and are prefixed with MSG for security groups and MDG for distribution groups.

d.    Group Cleanup

To promote cleanup, ITS Systems maintains a report of groups that have been empty for 30 consecutive days. Departmental admins should review this report periodically and delete groups if they are no longer needed.

Active Directory Group Cleanup | Splunk 9.1.2 (unc.edu)

   V.       Group Policies

 

 

a.    Security Policies

Security Group Policies are general purpose GPOs used for applying security policies and settings to users and computers. It is important that security GPOs have descriptive names and descriptions that further explain their purpose and effects.

In cases where groups are used to filter the application of Group Policy, the group and Group Policy should have identical names.

Security Group Policy Naming Rules

Field	Char Length	Example
OU ID	Up to 5	ITS
Separator	1
Description	Up to 59	DIS-Staff

Example:   ITS_DIS-Staff

b.    Software Installation Policies

Software installation Group Policies are special Group Policies created to distribute software to computers. Group Polices are not widely used to distribute software in ad.unc.edu. SCCM is the preferred tool for software deployment.

Software Group Policy Naming Rules

Field	Char Length	Example
Prefix	2	SW
Separator	1
OU ID	Up to 5	ITS
Separator	1
Vendor	Up to 56	Symantec
Separator		____
Product		Antivirus
Separator		____
Version		10.1.6.6010

Example:   SW_ITS_Symantec_Antivirus_10.1.6.6010

 

c.    Group Policy Cleanup

Group policies will be deleted after they have been unlinked, empty, or had all settings disabled for 30 consecutive days, as tracked by this Splunk report:

Active Directory Group Policy | Splunk 9.1.2 (unc.edu)

GPOs can be restored upon request indefinitely, given the name of the GPO and the requested date.

d.    Domain-Wide Group Policy Change Procedure

The following procedures will be used for making changes to campus-wide security policies. This process relies on departmental participation for vetting new policies. Note:  policy changes may follow an abbreviated schedule when designated as time-sensitive by the CISO.

1. Approval

Proposed new group policies will be evaluated for approval by the domain administrators with input from the Technical Advisory Committee (TAC) and the SysAdmins team

2. Testing

• The new policy will be made available for opt-in testing for at least 2 weeks
• Communication and discussion will be made via the SysAdmins team Active Directory channel
• Departments who participate will provide feedback via the SysAdmins team Active Directory channel and that feedback will be used to adjust the policies as appropriate

3. Pilot

• The new policy will be deployed to a pilot group for at least 2 weeks
• This group will consist of all or part of more than one campus departments
• Typically, pilot departments will volunteer, but in the event of insufficient participation, departments will be chosen by the domain administrators 
• Departments who participate will provide feedback via the SysAdmins team Active Directory channel and that feedback will be used to adjust the policies as appropriate 
• The pilot should include at least 10% of target systems

4. General Deployment

• Changes will be planned with the ITS Change Management System
• Detailed information about the new policies will be provided in the SysAdmins team Active Directory channel

  VI.       Naming Conventions

All Active Directory objects noted in this document must abide by the described naming convention for that object. A naming convention is necessary to ensure the ability to locate, utilize, and troubleshoot resources, and to avoid name collisions. Within the AD.UNC.EDU Active Directory structure, this naming convention has been established for Users, Computers, Groups, Organizational Units (OUs), Printers, and Group Policy Objects (GPOs) to reduce the difficulty in searching for resources. A naming convention for Exchange objects, such as distribution lists, public folders and resource names, is also in place.  Before adding any objects to the AD.UNC.EDU domain, please carefully read the naming conventions in this document.

Any requests for exceptions to the naming conventions must be submitted in writing to ITS Systems.

  VII.       BitLocker Key Escrow

By default, all systems in AD are configured to escrow their BitLocker key in Active Directory and Azure Active Directory. An SCCM baseline ensures that systems have escrowed their BitLocker keys.

SCCM is used to monitor systems encryption status. It is important that all BitLocker protected systems be managed by SCCM to ensure reporting is available in the event a system is lost.

An OU administrator can obtain the BitLocker recovery password via AD Users & Computers.

Method 1 – Using password ID

1. Open AD Users & Computers
2. Right-click ad.unc.edu at the top of the domain and click Find BitLocker recovery password
3. Enter the first 8 characters of the password ID and click Search

Method 2 – Using computer object

1. Open AD Users & Computers
2. Navigate to the computer object for the computer
3. Open its Properties
4. In the BitLocker Recovery tab, choose the most recent entry
5. The recovery password is available in the Details panel

Domain admins have access to additional BitLocker key backups and escrows. If you are unable to locate a BitLocker key, contact the domain admins for assistance.

VIII.       Local Administrator Password Solution (LAPS)

By default, all systems in AD are configured to use the Local Administrator Password Solution (LAPS). This system automatically changes the local Administrator account password every 30 days and escrows that password securely in Active Directory. LAPS can assist in the following scenarios:

• Obtaining local administrator access when the domain is unavailable.
• Temporarily granting a user local administrator access.
• Granting computer administrators access to a client computer without risking privileged administrator accounts or creating a lateral movement risk.

An OU administrator can obtain this password via AD Users & Computers.

More information is available about LAPS here:

Windows LAPS overview | Microsoft Learn

  IX.       Schema Extensions

The AD.UNC.EDU domain schema will only be extended when the proposed extension will demonstrably benefit the University, is supportable and scalable for the enterprise, and will have minimal impact on service delivery. Because schema extensions are not reversible, extensive testing and review of schema extensions must occur. Requests to extend the AD.UNC.EDU schema require the approval of the domain administrators.

Any custom schema extensions must be prefixed with a unique identifier to prevent naming collisions with existing and future products and must have a registered OID.

     X.       Domain Naming System (DNS)

The domain controllers also serve as DNS servers to enable dynamic DNS. Dynamic DNS allows AD member systems to automatically create DNS records. The AD DNS servers are configured to transfer DNS to the campus InfoBlox IPAM. Clients should be configured to point to the campus DNS servers for DNS resolution.

Dynamic DNS records in AD are configured to be scavenged once per week. Dynamic DNS records will be automatically deleted if they haven’t been updated within 14 days.

    XI.       Distributed File System (DFS)

Distributed File System namespace roots will be created upon request. Each department is limited to 1 root.  DFS namespaces will be delegated to the OU admins for the department, allowing the creation of targets under the root.

  XII.       Domain Restoration

ITS Systems can provide restoration of accidentally deleted or corrupted domain objects. Objects must have been deleted within 180 days to be restored. To request an object restoration, create a Help Request for the ITS-SYSTEMS group including the details of the deleted objects.

 XIII.       Disaster Recovery

Being a critical infrastructure system, considerable planning has gone into disaster recovery. AD.UNC.EDU Directory Services are hosted on at least three redundant domain controllers. These domain controllers are hosted in two geographically separate, secure datacenters with redundant power sources. Additional domain controllers are hosted in the public cloud.

Active Directory is backed up nightly.

XIV.       Sensitive Data

Active Directory is not an approved system to store regulated sensitive data, such as HIPAA, PCI, or FERPA protected data. Most data stored in Active Directory is visible to everyone with an Onyen. Passwords and other sensitive data should not be stored in plain text in any attribute.

Directory information is not synchronized into Active Directory for students who have requested, under FERPA, that their directory information not be disclosed.

  XV.       Logs

Active Directory creates extensive logs about login events and changes to objects in AD. These logs are available in Splunk for 90 days. Additional logs are maintained for audit purposes, up to 365 days, however these logs are not available for routine requests. Request for logs or reports should be made by ticket to ITS-SYSTEMS-ADMINISTRATION. Requests must include a valid business reason for the log request. Log requests will be granted at the discretion of the ITS Active Directory Service Owner and in accordance with university policies.

XVI.       Domain Support Model

Departmental administrators are responsible for managing all aspects of their departmental OU. ITS Systems will provide consulting to departmental administrators to assist them in effectively and efficiently using the AD.UNC.EDU domain.

XVII.       Forests and Domains

The AD.UNC.EDU Active Directory domain uses the single forest, single domain model. Child domains will not be permitted in the AD.UNC.EDU forest. Other Windows forests will not be trusted by the AD.UNC.EDU forest, except temporarily to accommodate migration into the AD.UNC.EDU domain.

XVIII.       Communication

Departmental administrators (OU Admins) should subscribe to the SysAdmins Team in Microsoft Teams which is the primary communication method on matters concerning the AD.UNC.EDU domain service.

The ITS Change Management Process and the Active Directory channel in the SysAdmins Team will be used to communicate information impacting the service level of the AD.UNC.EDU domain and supporting systems.

---