Function | Roles & Responsibilities |
AD Advisory Committee (ADAC) | ADAC serves as an advisory committee to the Information Technology Division by providing critical user input regarding the operation of Berkeley Lab’s Microsoft Active Directory service. ADAC members are specifically chartered by the Information Technology Division to provide advice and feedback on plans regarding the operation and configuration of MS Active Directory.
Specific Responsibilities:
Frequency of Meetings:
Membership: ADAC will be composed of seven members
- A chair appointed by the Berkeley Lab CIO
- Three members from the IT Division representing staff who manage AD and set cyber security policy
- Three members representing scientific and operations organizations at LBNL
|
Domain Administrators | Domain Administrators at LBL on occasion have to perform duties associated with the Schema Administrator and Enterprise Administrator roles as identified below (roles covered: Schema Administrator, Enterprise Administrator, Domain Administrator).
Creation and management of directory infrastructure
- Includes FSMO roles, trusts, Kerberos KDCs, replication topology, etc.
- Creation of all top-level OU hierarchies with sub-OUs, groups, and appropriate security permissions. This includes adding the OU Admins to the AddComputers group, the Group Policy Creator Owners group, and the OU Admins mail list. It also includes setting appropriate permissions on the created objects
Monitoring and reporting associated with the reliability and security of the domain
- Use the domain admin account only for actions that require the privilege level of this account; routine work is done with an ordinary account
- Monitor the domain root and the Domain Controllers OU so that unauthorized changes are detected
- Day-to-day management of domain controllers
- Monitor connectivity, synchronization, replication, netlogon, time services, FSMO roles, schema, NTDS database partitions, DNS settings, SRV records, and trust relationships
- Review DC event and security logs and take corrective actions
- Monitor and resolve security situations at all levels of the domain to ensure a stable and secure domain
Domain Controller Management
- Physical security of the domain controllers in IT Division space and oversight of all domain controllers
- Backups and restores on domain controllers
- Full disaster recovery plan and practice of DCs and core Directory objects
Policy monitoring and compliance
- Apply and enforce LBL standard naming conventions for objects in the domain
- Comply with LBL AD Change and Configuration Management (CCM) requirements
- Comply with LBL AD policies and standards as defined on the AD Web Site
- Monitor compliance with LBL AD policies and standards as defined on the AD Web Site, including change management
- Verify LBL AD Change and Configuration Management (CCM) requirements are implemented by OU Administrators
Communication and coordination
- Arbitrate disputes between OU Admins
- Provide OU Admins assistance when requested
- Participate in ADAC
- Coordination with CPP to ensure the LBL domain is secure
- Comply with all CPPM orders regarding emergency conditions
- Coordinate with Institutional Services to help them implement SSO, metadirectory, and other IS initiatives
- Coordinate the use of the test domain by OU admins and others that need to model processes before they are deployed to the production LBL domain
- Participate in OU Admin meetings as needed
- Work collectively with the OU administrators
Secure remote administration of the DCs and member servers managed by the Infrastructure Group
Manage group policy at root of domain and for Domain Controllers OU
Creation, testing, and management of GPOs intended to be used by multiple OU Admins
Manage the Users and Computers Containers
Install and manage security reporting tools used to monitor changes to the Active Directory
Delegate monitored data and elevated privileges to others as needed
Create and maintain the test domain as a reasonable approximation of the production domain
Coordinate and configure alarm distribution to OU Admins for OU-related events
Plan and manage all migrations and upgrades related to the AD or the DCs
Verify new software deployments and GPO policies work by testing them in the Primus test domain as appropriate |
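The monitoring duties listed under the Domain Administrator row above (FSMO roles, replication, netlogon/KDC/DNS/time services, SRV records, and changes to the domain root and Domain Controllers OU) can be reduced to a daily scripted check. The following is an added example, not code from the LBL page or the IT Division. It assumes Windows PowerShell 5.1 with RSAT (the ActiveDirectory and DnsClient modules) in an elevated domain admin session, that Directory Service Changes auditing and a SACL on the domain root and Domain Controllers OU are already enabled so events 5136/5137/5141 are logged, and that the lookback window, report path and 1-second clock threshold are example values.

```powershell
# Added example (not part of the LBL AD R&R page): daily DC health and change check.
# Assumes Windows PowerShell 5.1 + RSAT, an elevated domain admin session, and that
# Directory Service Changes auditing is enabled on the watched containers.
Import-Module ActiveDirectory

function Test-LblDomainHealth {
    param(
        [int]    $LookbackHours = 24,                                                     # assumed window
        [string] $ReportPath    = "$env:ProgramData\ADHealth\dc-check-$(Get-Date -Format yyyyMMdd).txt"  # assumed path
    )
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $dcs      = Get-ADDomainController -Filter *
    $since    = (Get-Date).AddHours(-$LookbackHours)
    $findings = [System.Collections.Generic.List[string]]::new()
    # Only the domain root and the Domain Controllers OU (plus its children) are in scope.
    $watched  = @($domain.DistinguishedName, $domain.DomainControllersContainer)

    # 1. FSMO roles: every role holder must answer.
    $fsmo = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $fsmo.Keys) {
        if (-not (Test-Connection -ComputerName $fsmo[$role] -Count 1 -Quiet)) {
            $findings.Add("FSMO $role holder $($fsmo[$role]) does not respond")
        }
    }

    # 2. Replication: any failure recorded by the DCs is a finding.
    foreach ($f in Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain) {
        $findings.Add("Replication: $($f.Server) from $($f.Partner) failed $($f.FailureCount)x, last error $($f.LastError)")
    }

    # 3. Per-DC checks: core services, SRV registration, audited changes to watched containers.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) { $findings.Add("SRV lookup for _ldap._tcp.dc._msdcs.$($domain.DNSRoot) failed") }
    foreach ($dc in $dcs) {
        $services = Get-Service -ComputerName $dc.HostName -Name NTDS, Netlogon, Kdc, DNS, W32Time -ErrorAction SilentlyContinue
        foreach ($s in ($services | Where-Object Status -ne 'Running')) {
            $findings.Add("$($dc.HostName): service $($s.Name) is $($s.Status)")
        }
        if ($srv -and ($srv.NameTarget -notcontains $dc.HostName)) {
            $findings.Add("$($dc.HostName): not registered in _ldap._tcp.dc._msdcs SRV records")
        }
        # Event 5136 = object modified, 5137 = created, 5141 = deleted (Directory Service Changes).
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $since
        }
        foreach ($e in $events) {
            $data = ([xml]$e.ToXml()).Event.EventData.Data
            $dn   = ($data | Where-Object Name -eq 'ObjectDN').'#text'
            $who  = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            $attr = ($data | Where-Object Name -eq 'AttributeLDAPDisplayName').'#text'
            if ($dn -and ($watched | Where-Object { $dn -eq $_ -or $dn.EndsWith(",$_") })) {
                $findings.Add("$($dc.HostName) $($e.TimeCreated) event $($e.Id): $who changed $dn $attr")
            }
        }
    }

    # 4. Time: offset of this host from the PDC emulator, the domain's authoritative time source.
    #    Kerberos tolerates 5 minutes of skew by default; the 1-second threshold here is an assumption.
    $chart  = w32tm /stripchart /computer:$($domain.PDCEmulator) /samples:1 /dataonly 2>$null
    $offset = ($chart | Select-Object -Last 1) -replace '^.*,\s*', '' -replace 's$', ''
    if ([double]::TryParse($offset, [ref]$null) -and [math]::Abs([double]$offset) -gt 1) {
        $findings.Add("Clock offset from PDC emulator is ${offset}s")
    }

    New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
    if ($findings.Count -eq 0) { "OK: no findings for $($domain.DNSRoot) since $since" | Set-Content $ReportPath }
    else { $findings | Set-Content $ReportPath }
    return $findings
}

Test-LblDomainHealth | ForEach-Object { Write-Warning $_ }
```

The change check is only as good as the audit configuration: without the "Audit Directory Service Changes" subcategory and a SACL on the domain root and the Domain Controllers OU, section 3 reports nothing and the silence is not evidence of an unchanged directory. Alarm distribution to OU Admins (a separate duty in the same row) would consume the returned findings rather than the report file.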
OU Administrators | Ensure overall security and integrity of their managed OU hierarchy
- Use the OU admin account only for actions that require the privilege level of this account
- Monitor the OU hierarchy so that unauthorized changes are detected
- Delegate authority to others for appropriate object administration in their OU hierarchy
Account management
- Creation/deletion/management of objects (e.g. local user accounts, groups, workstations, servers, printers) in their OU hierarchy
- Regularly perform housekeeping duties to keep the OU hierarchy clear of stale, unused, expired and otherwise unneeded objects
- Process requests for access control authorized by data owner
- Process requests for group drive mappings via login script
- Create new computer accounts and join to directory services
The OU administrator will designate which administrators have "account operator" access to the Windows user accounts for users in their department.
- These account operators will have privileges that let them make changes to a subset of attributes for the accounts in their OU
- This subset of attributes includes Windows-centric information like home directory location, profile location, terminal server settings and other kinds of user data that isn’t replicated from the root of the LBL domain
Group Policy Object (GPO) administration, troubleshooting, and management
Publishing resource objects from their OU hierarchy in the Active Directory as applicable
Manage Group Policy Object (GPO) links in OU hierarchy
Coordinate activities of Member Server owners
- Monitor department/member server(s) performance and event logs for all member servers in their OU hierarchy not maintained by Computing Infrastructure Group (CIG)
- Work with server and/or data owners to set up permissions
Policy Compliance
- Comply with LBL AD policies and standards as defined on the AD Web Site
- Comply with LBL AD Change and Configuration Management (CCM) requirements
- Apply LBL standard naming conventions to objects in their OU hierarchy
Contact information
- Each top-level OU must contain contact information for the department to facilitate contacting OU administrators
- When the OU manager changes, notify the Enterprise Administrator
Verify new software deployments and GPO policies work by testing them in the Primus test domain as appropriate.
Communication and coordination
- Work collectively with the domain admins and with other OU administrators
- Keep informed about domain-wide changes (e.g. attend periodic meetings of the OU administrators or participate in mail lists)
- Provide the following to the domain admins, when suspecting a desktop related problem stems from a change to the Active Directory or DC configuration
- event description
- logon name of affected user
- name of affected computer
- time of event
- relevant warnings and errors in event logs
- relevant warnings or errors displayed on screen
|
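The "account operator" delegation described in the OU Administrator row (write access to a subset of Windows-centric attributes such as home directory, profile location and terminal server settings, and nothing more) is an attribute-scoped ACE on the department OU. The following is an added example, not code from the LBL page; it uses the ActiveDirectory module's AD: drive and the .NET ActiveDirectoryAccessRule class. The OU distinguished name and group name are assumed values, and the attribute list is an assumption that maps the row's wording onto schema attribute names (Terminal Services profile settings are stored in userParameters).

```powershell
# Added example (not part of the LBL AD R&R page): delegate attribute-scoped
# "account operator" rights on a department OU and verify the resulting ACL.
# Assumes Windows PowerShell 5.1 + RSAT in a session that can write the OU's DACL.
Import-Module ActiveDirectory

function Grant-LblAccountOperator {
    param(
        [Parameter(Mandatory)] [string]   $OuDN,
        [Parameter(Mandatory)] [string]   $GroupName,
        # Assumed attribute set: Windows-centric user data edited locally, not fed from the domain root.
        [string[]] $Attributes = @('homeDirectory', 'homeDrive', 'profilePath', 'scriptPath', 'userParameters')
    )
    $schemaNC      = (Get-ADRootDSE).schemaNamingContext
    $sid           = (Get-ADGroup -Identity $GroupName).SID
    # Well-known schemaIDGUID of the "user" class: the ACE applies to user objects only.
    $userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    $acl           = Get-Acl -Path "AD:\$OuDN"

    foreach ($attr in $Attributes) {
        $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
        if (-not $schemaObj) { throw "Attribute $attr not found in schema" }
        $attrGuid = [guid]$schemaObj.schemaIDGUID
        # WriteProperty on exactly one attribute, inherited by descendant user objects.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $attrGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClassGuid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Get-LblDelegation {
    # Verification: list what the group can actually do on the OU, resolving attribute
    # GUIDs back to names so an over-broad grant (GenericAll, WriteDacl, or an empty
    # ObjectType meaning "all properties") stands out.
    param([Parameter(Mandatory)] [string] $OuDN, [Parameter(Mandatory)] [string] $GroupName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $sid      = (Get-ADGroup -Identity $GroupName).SID
    $names    = @{}
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $names[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    (Get-Acl -Path "AD:\$OuDN").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        ForEach-Object {
            [pscustomobject]@{
                Rights      = $_.ActiveDirectoryRights
                Type        = $_.AccessControlType
                Attribute   = if ($_.ObjectType -eq [guid]::Empty) { '<all properties>' } else { $names[$_.ObjectType] }
                Inheritance = $_.InheritanceType
            }
        }
}

# Assumed names for the example run.
Grant-LblAccountOperator -OuDN 'OU=Chemistry,DC=lbl,DC=gov' -GroupName 'Chem-AccountOperators'
Get-LblDelegation        -OuDN 'OU=Chemistry,DC=lbl,DC=gov' -GroupName 'Chem-AccountOperators' | Format-Table
```

Run the verification function against every top-level OU, not only after a change: an ACE whose Attribute column reads `<all properties>` or whose Rights include GenericAll or WriteDacl is a full account takeover path for everyone in that group, which is exactly what the attribute subset in the row is meant to prevent.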
Server Owners (may be a dual role with OU administrator) | Host and maintain server (e.g., IIS, business-specific service, etc.)
Patching/software upgrades
Volume/partition space management
Hardware migration
Software licenses for all member server(s) added to their OU hierarchy
Hardware maintenance for all non-Infrastructure-managed member servers
Operating system maintenance for all non-Infrastructure-managed member servers
Maintain the member server's level of system security by applying Service Packs and security patches
Department application, file service, workstation and printer support
Create printer objects and access control lists
Backup/recovery
Full disaster recovery plan and practice |
Desktop Support | Request drive mapping via login script when needed from OU manager
Add user domain account to workstation
Assist data owners with archiving to offline storage (DVD/CD)
Provide the following (if possible) to the domain admins, when suspecting a desktop related problem stems from a change to the Active Directory or DC configuration
- event description
- logon name of affected user
- name of affected computer
- time of event
- relevant warnings and errors in event logs
- relevant warnings or errors displayed on screen
|
Data Owners | Request workspace from OU manager
Setup data access control lists with OU manager
Provide space usage projections to OU manager
Perform housekeeping and periodic data cleanup
Request drive mapping via login script when needed from OU manager |
Help Desk | Create new user accounts
Disable user accounts for departed staff (xstaff), including removing the password
Password reset service
Creating and routing of tickets related to Active Directory issues |
End user | Users who experience problems with a particular service should contact the IT Help Desk first.
If the Help Desk cannot resolve the issue, the Help Desk (or the end user) contacts the OU administrator |