Active Directory service policies at UD

The UD Active Directory service is offered in accordance with the following policies. These are initial policies and may change as needed.

Client accounts

The UDelNet ID information for all active students, faculty, and staff of units on campus is synchronized with the University’s ‘WIN’ domain. Account information is synchronized every night. Passwords are synchronized in real time via the University’s network page. Users will not be able to change their UDelNet ID passwords in UD Active Directory.

Unit or department accounts

An Organizational Unit Administrator (OU Admin) can create, delete, and modify non-UDelNet ID accounts within their OUs. All non-UDelNet ID accounts must follow the naming conventions outlined in these policies. OU Admins are responsible for all accounts and devices within their organizational units. Central IT will address requests or questions from OU Admins; all end-user requests or questions, however, should be directed to the appropriate OU Admin.

AD domain recovery

IT-NSS maintains nightly backups of the domain and domain controllers. However, because of the complexity, impact on service, and time required for any restoration, these backups will only be used in the event of a domain-wide catastrophic failure. Each OU Admin is therefore required to maintain records of their OUs, GPOs, groups, computers, and user accounts.

In Windows Server 2008 R2, Microsoft introduced the Active Directory Recycle Bin. This feature has been enabled on the WIN domain, and deleted items are retained for 60 days. To recover an Active Directory item within that time frame, submit a help ticket request to the IT Help Center. The request must be specific: we need the exact name and location (the OU path) of the item you want recovered. The following request would not be honored:

"I deleted a user from my folder called srvc-something. I can't remember, exactly."

Schema updates/extensions

Schema updates and extensions require serious consideration because they cannot be reversed. Updates to the directory will first be tested in the development domain to ensure no issues or problems exist, and any adjustments to the directory will be planned accordingly. Any proposed extension to the directory will be fully reviewed and must be shown to provide improvements for the domain as a whole, or at the very least not to negatively impact the rest of the domain, before installation will be considered. Thorough examination and testing must occur to ensure the stability of the domain.

Trusts with other Active Directory forests

Only one-way, non-transitive trusts will be permitted between the ‘WIN’ forest and other directory forests on campus. The purpose of any such one-way trust is to assist in migrating from unit domains to the central domain; once the migration is complete, the trust will be removed. Trusts will be limited to a 60-day window.

Permanent one-way trusts and two-way trusts between the ‘WIN’ domain and other unit forests will not be established unless a strong technical need is shown. Whether to establish such a trust will be decided by the ‘WIN’ enterprise administrators. Note that the WIN domain operates at the 2008 R2 functional level; therefore, all domains in a trust relationship must operate at that level.