University of Chicago Active Directory
UCAD Policies
Service Accounts
Service Accounts will reside in ad.uchicago.edu only. All Service Accounts should be prefixed with a number. Possible prefixes are:
- IIS
- Exchange
- SQL
- SMS
- Oracle
- Miscellaneous (Including Temp/Intern)
Organizational Units Administrative Accounts
Organizational Unit (OU) administrative accounts will reside in ad.uchicago.edu. All OU administrative accounts should be prefixed with an underscore. For example, _cmf for Chris Flesher's administrative account would meet this criterion. No other user accounts should be created within ad.uchicago.edu.
Group Policy
All Groups will reside in ad.uchicago.edu. All Groups should be created as domain local groups. It is imperative that the Domain Admins group is a member of the local Administrators group on EVERY machine in ad.uchicago.edu. This is the case by default.
All Group Policy Objects (GPOs) will be set to allow for loopback processing. This is necessary to allow GPOs to apply to User Settings when they log in.
GPO creation will be by NSIT/DCS. GPOs will be linked to an OU and editing privileges will be delegated to an OU administrator. NSIT/DCS will also determine, with help of the OU administrator, to whom the GPO will apply within any OU.
Machine Accounts
Machine Accounts will be created in an OU prior to adding the machine to ad.uchicago.edu. This keeps computer objects out of the default Computers container. If this isn't done, NSIT/DCS will do its best to find the right OU, but we cannot make any guarantees; the computer object will, however, be moved to some OU so that GPO processing can take place at the machine level. Each machine should have the following settings:
- The "Managed By" attribute will contain the contact person for its OU. This will facilitate troubleshooting within the domain. Please try to keep this information up to date.
- The "Location" attribute will contain the building name where the machine resides. Please try to keep this information up to date.
- The "Description" attribute should contain the CNetID of the primary user of the machine.
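The naming rules for Service Accounts and OU administrative accounts, the domain local scope and loopback requirements under Group Policy, and the three computer attributes listed above can all be checked from one script. The following PowerShell audit is an added example and is not code from the UCAD policy page or from NSIT/DCS. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the running account can read the domain, that "prefixed with a number" means a leading digit, and that loopback processing is stored in the GPO as the UserPolicyMode registry policy value (1 = Merge, 2 = Replace). It reports findings only; it changes nothing.

```powershell
# Added example, not part of the UCAD policy page. Audits ad.uchicago.edu
# objects against the naming, group-scope, loopback and machine-attribute
# conventions in the policy. Domain name and DN are assumptions for this script.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = 'ad.uchicago.edu'
$DomainDN = 'DC=ad,DC=uchicago,DC=edu'
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding ($Object, $Rule, $Detail) {
    $Findings.Add([pscustomobject]@{ Object = $Object; Rule = $Rule; Detail = $Detail })
}

# 1. User accounts: OU admin accounts start with "_", service accounts with a
#    digit. The policy allows no other user accounts in the domain, so anything
#    else (apart from the built-ins) is a finding.
Get-ADUser -Server $Domain -Filter * | ForEach-Object {
    $name = $_.SamAccountName
    if ($name -in 'Administrator', 'Guest', 'krbtgt') { return }
    if ($name -notmatch '^(_|\d)') {
        Add-Finding $_.DistinguishedName 'AccountNaming' "'$name' is neither an OU admin account (_) nor a service account (digit prefix)"
    }
}

# 2. Computer objects: must live in an OU, not CN=Computers, and must carry
#    managedBy, location and description. The CNetID itself is not validated;
#    only the presence of each attribute is checked.
Get-ADComputer -Server $Domain -Filter * -Properties managedBy, location, description | ForEach-Object {
    if ($_.DistinguishedName -like "*,CN=Computers,$DomainDN") {
        Add-Finding $_.DistinguishedName 'ComputerContainer' 'Computer object was not pre-created in an OU'
    }
    foreach ($attr in 'managedBy', 'location', 'description') {
        if ([string]::IsNullOrWhiteSpace($_.$attr)) {
            Add-Finding $_.DistinguishedName 'MissingAttribute' "$attr is empty"
        }
    }
}

# 3. Groups: the policy requires domain local scope. Built-in and well-known
#    groups (RID below 1000, e.g. Domain Admins) are skipped because their
#    scope is fixed by Windows.
Get-ADGroup -Server $Domain -Filter * | ForEach-Object {
    $rid = [int](($_.SID.Value -split '-')[-1])
    if ($rid -lt 1000) { return }
    if ($_.GroupScope -ne 'DomainLocal') {
        Add-Finding $_.DistinguishedName 'GroupScope' "Scope is $($_.GroupScope), expected DomainLocal"
    }
}

# 4. GPOs: loopback processing must be enabled. Get-GPRegistryValue throws when
#    the value is absent, which is exactly the non-compliant case.
Get-GPO -Domain $Domain -All | ForEach-Object {
    $val = Get-GPRegistryValue -Guid $_.Id -Domain $Domain `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    if (-not $val -or $val.Value -notin 1, 2) {
        Add-Finding $_.DisplayName 'LoopbackProcessing' 'UserPolicyMode is not Merge (1) or Replace (2)'
    }
}

$Findings | Sort-Object Rule, Object | Format-Table -AutoSize
```

Run it from a management workstation as an account with read access to the domain; the output is a table of objects that deviate from the policy, grouped by rule, which an OU administrator can work through before NSIT/DCS has to intervene.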
Domain Controllers
Domain Controllers for ad.local and ad.uchicago.edu will have an IPsec filter policy that prohibits access from off-campus and blocks student subnets (we currently block off-campus access and prohibit some access from student subnets).
Network Settings
The following network settings need to be put in place on all machines in ad.uchicago.edu. To find these settings, right-click My Computer and select Properties, click the Computer Name tab, click the Change button, and click the More button.
1. Set the "Primary DNS suffix of this computer" to whatever the A record is for each machine. For NSIT, the A record would be xxx.uchicago.edu. For the library, the A record may be xxx.library.uchicago.edu.
2. The "Change primary DNS suffix should be changed when domain membership changes" checkbox should be deselected.
WINS Settings
WINS servers should be set to 128.135.23.44 (Skratchy.uchicago.edu) as the first WINS server and 128.135.23.43 (Itchy.uchicago.edu) as the second WINS server.
DNS Settings
DNS servers for all machines in ad.uchicago.edu should be using BIND servers 128.135.4.2 and 128.135.228.2.
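The two Network Settings steps, the WINS Settings and the DNS Settings above are all machine-local values, so a single script run on a workstation can confirm they match the policy. This PowerShell check is an added example, not code from the UCAD policy page or from NSIT/DCS. It assumes the caller supplies the machine's A record name (the expected FQDN), that the primary DNS suffix and the "change when domain membership changes" checkbox are stored under the Tcpip\Parameters registry key as NV Domain and SyncDomainWithMembership, and that WMI's Win32_NetworkAdapterConfiguration is available; the server addresses are the ones stated on the page.

```powershell
# Added example, not part of the UCAD policy page. Compares this machine's
# primary DNS suffix, suffix-sync flag, WINS servers and DNS servers with the
# values required by the UCAD network settings policy. Read-only.
param(
    [Parameter(Mandatory)][string]$ExpectedFqdn   # the machine's A record, e.g. host.uchicago.edu (caller-supplied assumption)
)

$ExpectedWins = @('128.135.23.44', '128.135.23.43')   # Skratchy first, Itchy second (order matters)
$ExpectedDns  = @('128.135.4.2', '128.135.228.2')     # campus BIND servers (order not specified by policy)
$Tcpip        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Problems     = @()

# Step 1: the primary DNS suffix is everything after the host label of the A record.
$expectedSuffix = ($ExpectedFqdn -split '\.', 2)[1]
$params = Get-ItemProperty -Path $Tcpip
if ($params.'NV Domain' -ne $expectedSuffix) {
    $Problems += "Primary DNS suffix is '$($params.'NV Domain')', expected '$expectedSuffix'"
}

# Step 2: SyncDomainWithMembership = 1 means the "change primary DNS suffix when
# domain membership changes" box is checked; the policy wants it cleared (0).
if ($params.SyncDomainWithMembership -ne 0) {
    $Problems += "SyncDomainWithMembership is '$($params.SyncDomainWithMembership)', expected 0 (checkbox cleared)"
}

# WINS and DNS: inspect every IP-enabled adapter through WMI, which also works on
# the XP/2003-era systems this policy was written for.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $nic  = $_.Description
    $wins = @($_.WINSPrimaryServer, $_.WINSSecondaryServer | Where-Object { $_ })
    if (($wins -join ',') -ne ($ExpectedWins -join ',')) {
        $Problems += "${nic}: WINS servers are [$($wins -join ', ')], expected [$($ExpectedWins -join ', ')]"
    }
    $dns = @($_.DNSServerSearchOrder | Sort-Object)
    if (($dns -join ',') -ne (($ExpectedDns | Sort-Object) -join ',')) {
        $Problems += "${nic}: DNS servers are [$($dns -join ', ')], expected [$($ExpectedDns -join ', ')]"
    }
}

if ($Problems) {
    $Problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Network settings comply with UCAD policy.'
```

Invoke it as `.\Test-UcadNetwork.ps1 -ExpectedFqdn host.uchicago.edu` (script name and FQDN are placeholders); a non-zero exit code with one warning per deviation makes it easy to run from a login script or a scheduled task and collect the results centrally.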
Last updated: 6/6/07