UCAD Governance Policy
University of Chicago Active Directory Policy
12 July 2004
1. Purpose
This policy is intended to promote a balance among security, value, and simplicity of the University's Active Directory managed Windows server infrastructure. To improve security and to avoid cost and complexity, the University should operate as few Windows domains as possible. Privileged operational roles should be assigned in a reproducible way. Baseline operational profiles for Windows servers should be adopted to cause a degree of policy implementation to obtain uniformly across this infrastructure. Processes that determine how operational authority is delegated should be used to educate potential designees as well as to assess their capability for meeting operational responsibilities. And a governance structure should be established that facilitates coordinated operation of this infrastructure, enforces this policy, and ensures that the University of Chicago Active Directory forest (UCAD) well serves the needs of the University as a whole.
2. Terminology
Microsoft's Active Directory is used to manage Windows infrastructure. Security and administrative boundaries within Active Directory are formed by hierarchies of organizational units (OUs) within domains which are collected into forests. Objects representing member computers (ordinary workstations), member servers (Windows servers that supply services to a domain), users, and other types are located within OUs. Operational policy bearing on an object and the authority to manage that operational policy are determined by the OU containing the object, that OU's location within its encompassing domain, and by the forest of which the domain is part.
"UCAD" (which stands for University of Chicago Active Directory) is a forest operated as a campus-wide infrastructure service.
3. Scope
All portions of this policy pertain to UCAD. Where noted, some portions pertain specifically to a domain named "ad.uchicago.edu" within that forest or apply to Windows infrastructure elements operated by or for the University regardless of their relationship with UCAD.
No part of the present policy should be construed as superseding either the Eligibility and Acceptable Use Policy or the Regulated Computers Policy.
4. Policy areas
4.1. Governance
Two groups will oversee UCAD: the AD Administrators Group, and the AD Steering Group.
The AD Administrators Group determines operational standards for UCAD in support of the interests of the University of Chicago as a whole. They ensure that upgrades and extensions to operational elements proceed in an orderly and thoughtful manner, determine best practice to be followed by all domain administrators, determine advisory operational guidelines for OU administrators, are responsible for ensuring the continued adherence to security and operational standards of all elements of the UCAD infrastructure, and are responsible for ensuring that functional requirements of OU administrators are known and addressed. The charter for this group is the subject of [2].
Members of the AD Administrators Group therefore have a great deal of responsibility for the operational integrity of substantial information technology assets of the University. This level of trust obliges its members to act in the best interest of the University as a whole. Failure to demonstrate this level of trust and perspective is grounds for removal from the group and, consequently, loss of domain or enterprise administration privileges.
The AD Steering Group consists of Information Technology Heads of the divisions, professional schools, and the College, together with identified persons from Networking Services and Information Technologies with authority over related operational or policy areas. They provide policy guidance for and strategic oversight of UCAD. They decide when new domains may be admitted to UCAD and when new trusts with security realms external to UCAD may be established, recommend changes to official policy bearing on Active Directory operation, and resolve obstacles that may impede the work of the AD Administrators Group.
The AD Steering Group has the authority to remove a member from the AD Administrators Group. At least one member of the AD Steering Group should attend each formal meeting of the AD Administrators Group to liaise, observe, and express any specific interests the AD Steering Group may have in the actions of the AD Administrators Group. The charter of this group is the subject of [3].
Both groups have certain additional roles and responsibilities in connection with specific policy areas as noted below.
4.2. User accounts
User account objects for persons with CNetIDs are automatically maintained in the root domain of the UCAD forest. Other user account objects for persons eligible for or assigned a CNetID must not be created for any purpose except as may be needed for an interim period to aid in migration of a previously existing domain into the UCAD forest. Domain local user account objects may be created for any other deserving purpose that does not violate the Eligibility and Acceptable Use Policy. However, for every domain local user account there must be some means identified to determine when that account should be removed. The AD Administrators Group maintains minimum operational standards for domain local user accounts.
4.3. Operational policy for member servers
Member servers provide domain services. Domain Controllers, Infrastructure Servers, Web Servers, File Servers, and Print Servers are examples of member servers. All member servers operated by or for the University of Chicago, whether related to UCAD or not, must be operated with baseline policy applied by Active Directory that addresses best practice for the University. Each server may have additional policy applied.
The AD Administrators Group maintains minimum operational standards for configuration and operation of any UCAD member server.
4.4. Access to member server log files
No access to security, audit, or event logs for any member server or member server hosted service is permitted except as required for normal operations or by request of identified persons representing the security or legal interests of the University of Chicago.
4.5. Domain creation guidelines
It is the intention of this policy to inhibit the proliferation of Windows domains at the University. However, some functional requirements can only be met by operating a separate domain within UCAD. These include:
- The need to manage a large number of domain local user objects for people not eligible for CNetIDs.
- The need to limit a trust relationship to a circumscribed set of objects.
Requests to operate a domain within UCAD should be addressed to a member of the AD Steering Group and will be handled by a subgroup of the AD Steering Group supplemented by one or more members of the AD Administrators Group. This subgroup will engage in a dialog with the requestor to acquaint the requestor with their obligations as determined by this policy and to assess their capabilities with regard to at least these areas:
- Ability to maintain continuity of domain services over time.
- Availability of qualified IT staff, inclusive of suitability for membership in the AD Administrators Group and the level of trust and breadth of perspective that entails.
- Availability of adequate hardware dedicated to support of the domain and adequate environmental circumstances for that hardware, including restrictive physical access to domain controllers.
- Specific functional requirements that cannot be met by an OU.
The subgroup will present a synopsis of their dialog with the requestor to the AD Steering Group, who will make a determination of the request. Favorable requests are referred to the AD Administrators Group to plan and coordinate the execution of the change to UCAD.
4.6. OU creation
Any University organization may request that an OU be created for it. The requestor may specify a preference for the domain in which to locate the OU. By default, OUs will be created within the ad.uchicago.edu domain. OU creation requests are directed to a Domain Administrator for the requested or default domain. The request process proceeds with a dialog between a Domain Administrator and the requestor to acquaint the requestor with their obligations as determined by this policy and to assess their capabilities with regard to at least these areas:
- Availability of technically qualified IT staff.
- Ability to maintain continuity of service over time.
4.7. OU administrator role and responsibilities
Delegation of administrative privilege over an OU within UCAD is intended solely for the purpose of managing resources within the Windows infrastructure. OU administration privileges do not include the authority to create domain local user accounts. The AD Administrators Group determines advisory operational guidelines for OU administrators.
4.8. External trust relationships
Trusts between UCAD (the forest or any of its member domains) and external security realms must be approved by the AD Steering Group upon review and recommendation by the AD Administrators Group. An external trust may be immediately disabled at the request of persons representing the security interests of the University of Chicago if it is suspected that the trust is instrumental in a security compromise. External trusts may be re-evaluated at any time at the discretion of the AD Steering Group.
4.9. Schema extensions
Requests to extend the UCAD forest schema must be addressed to the AD Administrators Group, who will in turn make a recommendation to the AD Steering Group. Proposed extensions must be supportable and scalable, have negligible impact on existing services, and not obstruct UCAD's value as a campus-wide infrastructure. Proposals must address in detail the means by which the extended schema objects and attributes will be maintained.
4.10. Infrastructure services (DNS, DHCP)
These must be operated in conformance with the Next Steps for UChicago Active Directory document [1].
4.11. Conformance with accepted design
UCAD operational procedures must conform to the design as specified in the Next Steps for UChicago Active Directory document [1].
5. References
[1] Next Steps for UChicago Active Directory, Tom Barton, 2004.
http://nsit.uchicago.edu/docs/ucad/governance/draft-barton-ADNextSteps-04-final.pdf
[2] University of Chicago Active Directory AD Administrators Group Charter, 17 June 2004.
http://nsit.uchicago.edu/docs/ucad/governance/UCAD-AdminGrp-charter-12Jul2004.pdf
[3] University of Chicago Active Directory AD Steering Group Charter, 17 June 2004.
http://nsit.uchicago.edu/docs/ucad/governance/UCAD-SteeringGrp-charter-12Jul2004.pdf
Last updated: 6/6/07