Campus Active Directory - Acceptable Use of Accounts

There are two primary categories of user accounts: Person and Service. Each account type serves a specific purpose.

Person Accounts

A person account is a user object created for use by a single individual. Most person accounts are provisioned and managed through the campus Identity and Access Management systems.

There are two types of Person Accounts:

  1. NetID - Accounts created by the NetID system (students, faculty, and staff) or Manifest (university affiliates)
  2. Privileged - Accounts created to allow delegated administration of services such as Active Directory

NetID Accounts

NetID accounts are the most common person accounts in CAD. All NetID users are automatically provisioned to CAD.

NetID user objects have been secured in such a way that one NetID user cannot view information contained in another NetID. This allows for compliance with the Family Educational Rights and Privacy Act (FERPA) and Campus policy. Requests for additional access to NetID information are subject to approval.

The use of NetID accounts will be limited to non-privileged user activities such as using email clients, accessing file shares, office suites, and web browsers. NetID accounts will not be granted administrative privileges on hosts or used to authenticate services or applications to Active Directory.

Users are required to comply with all Campus and NetID policies regarding the use and security of NetID passwords.

Privileged Accounts

All Campus Active Directory administrators must have a separate account for performing Active Directory administration. This administrative account is to be used strictly for administrative purposes. This account is NOT to be used for day-to-day (normal) business, e.g. e-mail accounts are not to be tied to this account. All administrators will use their NetID account to log on to their workstations and use the RunAs command to connect to administrative applications, such as Active Directory Users and Computers.
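The following is an added example, not tooling from the Campus AD team, of the workstation pattern described above: the interactive session stays on the NetID, and the administrative console is started under the privileged account with RunAs (here its PowerShell equivalent, Start-Process with a credential). The domain name CAMPUS, the account jdoe-ou and the list of consoles are assumptions for illustration.

```powershell
# Added example (not from the page): launch an AD admin console under the
# OU Admin account from a workstation session that is logged on with the NetID.
# CAMPUS and jdoe-ou are constructed placeholders following the "NetID-ou" convention.
function Start-AdminConsole {
    param(
        [Parameter(Mandatory)][string]$AdminAccount,   # e.g. 'CAMPUS\jdoe-ou'
        [ValidateSet('dsa.msc', 'gpmc.msc', 'dnsmgmt.msc')][string]$Console = 'dsa.msc'
    )
    # The interactive session itself must stay on the NetID; warn if the
    # workstation logon is already a privileged (-ou / -sa) account.
    if ($env:USERNAME -match '-(ou|sa)$') {
        Write-Warning "Logged on as privileged account $env:USERNAME; log on with your NetID instead."
    }
    # Prompt for the OU Admin password each time; nothing is stored on disk.
    $cred = Get-Credential -UserName $AdminAccount -Message "Credentials for $AdminAccount"
    # Equivalent to: runas /user:$AdminAccount "mmc $Console"
    Start-Process -FilePath 'mmc.exe' -ArgumentList $Console -Credential $cred
}

# Open Active Directory Users and Computers as the OU Admin account
Start-AdminConsole -AdminAccount 'CAMPUS\jdoe-ou' -Console 'dsa.msc'
```

Only the console process runs under the privileged account; e-mail, browser and office applications in the same session keep running as the NetID, which is what the separation in this section is meant to achieve.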

There are two types of privileged accounts:

  1. Organizational Unit (OU) Administrator accounts
  2. System Administrator (SA) accounts

OU Admin Accounts

The Campus AD team creates OU Admin accounts for departmental administrators upon request. These privileged accounts are used by the designated administrators to create, delete, and manage Active Directory objects within their Organizational Unit.

The OU Admin accounts have been authorized access to specific NetID information for the purpose of managing Active Directory. Sharing the OU Admin account with another user, utilizing the account to bind applications to AD, or running services/daemons is a violation of the Campus Responsible Use and UDS Data Access Policies. Failure to comply with these policies may result in the loss of delegated privileges within the Campus Active Directory Service.

These accounts are identifiable by the “NetID-ou” naming convention.

System Administrator (SA) Accounts

Individuals with OU administrator accounts may create system administrator (SA) accounts within their OU.

Once an SA account is created, it is the department’s responsibility to assign administrator rights on hosts within the department’s OU. This can be accomplished manually, by script, or with Group Policy.
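As an added example of the "by script" option above (not the department's or the Campus AD team's own code), the block below grants one SA account membership in the local Administrators group on every enabled computer in a department OU. The account name, OU distinguished name and domain are constructed placeholders; the Group Policy alternative the text mentions (a Restricted Groups or Local Users and Groups preference item) is not shown.

```powershell
# Added example: grant a department SA account local Administrators membership
# on every enabled computer in the department's OU, by script.
# Account name and OU path are constructed placeholders.
Import-Module ActiveDirectory

function Grant-SaLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$SaAccount,   # e.g. 'CAMPUS\jdoe-sa'
        [Parameter(Mandatory)][string]$SearchBase   # department OU distinguishedName
    )
    # Only hosts inside the department's OU are touched, matching the scope of
    # the SA account's delegated rights.
    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
                 Select-Object -ExpandProperty Name

    foreach ($computer in $computers) {
        try {
            $result = Invoke-Command -ComputerName $computer -ErrorAction Stop `
                                     -ArgumentList $SaAccount -ScriptBlock {
                param($account)
                # Idempotent: only add when the account is not already a member
                $current = Get-LocalGroupMember -Group 'Administrators' |
                           Select-Object -ExpandProperty Name
                if ($current -contains $account) {
                    'already a member'
                } else {
                    Add-LocalGroupMember -Group 'Administrators' -Member $account
                    'added'
                }
            }
        } catch {
            # Unreachable or untrusted hosts are reported rather than aborting the run
            $result = "failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Computer = $computer; Account = $SaAccount; Result = $result }
    }
}

Grant-SaLocalAdmin -SaAccount 'CAMPUS\jdoe-sa' `
                   -SearchBase 'OU=Workstations,OU=ExampleDept,DC=campus,DC=example,DC=edu' |
    Format-Table -AutoSize
```

The per-host result table doubles as a record of where the SA account now has administrator rights, which is useful when reviewing whether those rights still match the department's documented need.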

Historically, these accounts have been identifiable by the “NetID-sa” naming convention. Departments may have their own naming conventions for these accounts.

Service Accounts

A service account is a user object created to represent a service, a group of people, or anonymous access.

These accounts are created in Active Directory by delegated OU or system administrators for use within their department. Service accounts will not be used in place of person accounts for individual users.

A service account may be created in order to:

  • Manage an application or service
  • Test access for applications
  • Allow guests to access department resources, such as shared workstations
    • These accounts will be limited to non-privileged user activities such as using email clients, accessing file shares, office suites, and web browsers.

Service accounts will only be used for the documented purpose of that account and shall not be used for interactive logon at any time. Service accounts shall not be used for multiple services or in any way that provides access to NetID data to an undocumented service or application. Separate service accounts shall be created for each function of a service or application.

Service account user objects will comply with established naming conventions and will be assigned only the rights and permissions necessary. Service accounts will not be granted administrative privileges on hosts. If a department has an application or service that requires access to NetID data or FERPA-restricted data, data steward approval is required. Once the request has been approved, the service account will be granted access to the appropriate data.
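The rule that service accounts are never used for interactive logon is something a department can verify rather than only state. The following added example (not part of this document or of any campus tooling) reads a host's Security event log for logon events (ID 4624) with an interactive logon type and reports any that name a known service account. The account names are constructed samples.

```powershell
# Added example: find interactive logons by service accounts in a host's Security log.
# Service account names below are constructed samples, not real campus accounts.
$ServiceAccounts = @('svc-backup', 'svc-webapp')

function Get-ServiceAccountInteractiveLogons {
    param(
        [Parameter(Mandatory)][string[]]$Accounts,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    # Logon types that mean a person sat at a console or RDP session:
    # 2 = Interactive, 10 = RemoteInteractive (RDP), 11 = CachedInteractive
    $interactiveTypes = @('2', '10', '11')

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } `
                           -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Event 4624 carries its fields in EventData; pull them into a lookup table
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

        if ($interactiveTypes -contains $data['LogonType'] -and
            $Accounts -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time      = $event.TimeCreated
                Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = $data['LogonType']
                Source    = $data['IpAddress']
                Process   = $data['ProcessName']
            }
        }
    }
}

Get-ServiceAccountInteractiveLogons -Accounts $ServiceAccounts | Format-Table -AutoSize
```

A hit is a policy violation to follow up on, whichever account it names. Detection complements, but does not replace, prevention: assigning the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights to service accounts through Group Policy stops the logon in the first place.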


Doc ID: 30303
Owned by: MST Support in Identity and Access Management
Created: 2013-05-23
Updated: 2026-04-28
Sites: Identity and Access Management