Centralized Active Directory Services
Cal Poly’s ITS department is pleased to provide campus-wide availability of a centralized Active Directory (AD) service.
- Automated Account Management (Creation and Deletion)
- Accounts created and removed based off of HR and Student Records Data
- Account Passwords integrated with Cal Poly portal passwords
- Groups created for every academic section
- Consistent experience provided across campus
- Same home drive available to faculty & students in every Central AD joined lab.
- Single Sign On experience to all services connected to Central AD.
- Administrative tasks delegated to the college/department technical staff.
- Central AD maintenance handled by ITS
- Departmental resources are managed and controlled by the department’s technical staff.
- Standard security settings implemented such as password management, workstation administrative controls, etc., provide out of the box compliance but can be overwritten by department technical staff.
- Fully funded by ITS, no costs to college/department
- How are accounts for faculty, staff, and students populated into Active Directory?
- Every night our identity system retrieves account information from various data feeds such as Human Resources, Student Administration and Affiliate Associations. This information is used to create new accounts, disable old accounts, and update accounts as users move to new departments, are given new phone numbers, etc.
- The following information is populated on the accounts when available: First Name, Last Name, Username, e-mail address, Account Status (enabled/disabled), Department, Office Location, and Phone Number.
- Can I create accounts myself?
- Each college/department is given an Organizational Unit (OU) in Active Directory which they are free to create any objects within. The only requirement is that any object you create (computer, group, account, etc) is prefixed with your department abbreviation.
- What settings are enforced via Group Policy that I cannot change?
- While the root of Central AD has basic group policy settings (e.g. DNS settings, Windows Firewall Settings, etc) none of them are enforced. You have the option of either blocking GPO inheritance at your department level, or the recommended option available is to override any settings you need to via a GPO at your department level.
- Any changes to the root level GPO’s will only happen after extensive communication to the OU Admins and a significant warning period to allow OU Admins to make any necessary plans around the changes.
- What is the disaster recovery plan for Central AD?
- Central AD is hosted by several domain controllers which are housed in the secure and power/network redundant ITS datacenter.
- Every night the Central AD Domain Controllers have their relevant information backed up to tape which are then taken off-site.
- What are the support hours of Central AD?
- Central AD is treated as a 24x7 service.
- Will anyone be able to logon to my workstation?
- By default ITS will create a GPO for your department that will limit logons to your workstations to only members of your department. OU Admins are free to change that setting to whatever they would like.
- What kinds of access will ITS have to my systems?
- Access to department computers and resources is defined by the department’s technical staff.
- Will joining Central AD make my systems less secure?
- Central AD is a completely delegated directory. Your systems and area of Active Directory are only manageable by you. The secure data center, automated identity system, and password synchronization allow you to leverage a secure and integrated directory.
1. CAS is the campus web based authentication source, information is located at: https://eforms.calpoly.edu/orbeon/fr/workflow/edit/edit/7bHKzIEy7U8vroU3IUkdd0vXwJijwMK0ZAid8mTF. Central AD should not be used for web based authentication.
2. Campus data stewards have defined the campus identity information that provisions Central AD. ITS Provisions account data based on that campus identity information. Changes to the campus identity information need to be reviewed and approved through the appropriate HR office or through Student Services.
3. Any group policy object (GPO) that is not linked to an OU will be automatically deleted.
4. All objects created manually must be prefixed with the assigned department abbreviation and a dash. (e.g. ITS-Name Of Object) Objects that do not meet this naming standard will be automatically deleted.
5. Any computer objects that are created in the default Computers container must be moved to an area owned by the department. Computers left in the default computers container for more than 7 days will be disabled.
6. A host firewall must be enabled for all member workstations, laptops and servers.
7. All computers joined to the Central AD need to have a working current version of anti-virus software performing real time scanning.
8. Handling of sensitive information in the Central AD (specifically FERPA accounts) must be in accordance with campus security policies at http://www.security.calpoly.edu/
a. Active Directory contains FERPA protected information. An OU Admin has access to read that FERPA information and must appropriately protect and work with that information.
1. Do not reset a user’s password unless absolutely necessary; have the user change their Cal Poly Portal password, my.calpoly.edu which changes their AD password. Admin provisioned accounts and manually created account passwords must be set manually by an OU Admin.
2. Redirect the “My Documents” folder to an appropriate network location.
3. Identity provisioned groups (Department groups, Class groups, etc) should not be used directly to assign access to resources. Place a group between the resource and the identity provisioned group. (e.g. To give access to a folder share create a group such as ITS-Shared Drive and assign identity provisioned groups to that, such as ITS – Staff)
4. It is your responsibility to appropriately populate the OU Admin group for your department. Be aware that being a member of that group gives rights to all objects in your OU as well as access to FERPA protected information.