AD Roles and Responsibilities - IT Frequently Asked Questions (FAQ) - Berkeley Lab Commons
02/08/2013 06:19:27 PM https://commons.lbl.gov/display/itfaq/ADRolesandResponsibilities

AD Roles and Responsibilities

Overall Policy and Guidelines

Support

LBL Domain Administrators are currently on duty Monday-Friday, from 8 a.m. to 5 p.m. Best effort on off hours.

The IT Division will maintain a policy and procedures web site. It will also maintain an Active Directory management web site for inventory, asset management, and reporting purposes.

The LBL service includes only licenses for the software required to operate the LBL forest and Domain Controllers and for workstations to connect to it (referred to as CALs). Departments should ensure that systems participating in the LBL forest are properly licensed for the software running on their systems, including operating system or server software.

Rules of engagement

Domain Administrators will assume a "hands-off" approach to local OU administration. The Domain Administrators group is not responsible for the administration of local user accounts. Only when faced with an enterprise-wide emergency, where no adequate alternative exists and every attempt has been made to contact appropriate support personnel and relevant OU managers first, will a Domain Administrator take action at the OU level.

Domain Administrators manage the flow of information between the LBL AD Directory Services and any other Directories. The Domain Admins group manages the replication of directory information within the Active Directory, and makes any enterprise-level changes to the AD directory, such as schema modifications.

Replicated user data such as account name, department, phone number and affiliation, and any future extensions of other personal data replicated to the Active Directory, are subject to being overwritten in the future by the LBL Directory synchronization process. The authoritative Human Resources directory is the only place where these attributes can be changed, and then only by the user.
All administrators (domain and OU) in the LBL forest must read and agree to the Roles & Responsibilities. The OU administrator that requested the top-level OU in the LBL domain will be the person responsible for designating which administrators will be added to this local administrative group account, and for communicating back to the Domain Admins when such actions have been taken.

Specific responsibilities

Function: Domain Administrators

Domain Administrators at LBL on occasion have to perform duties associated with Schema and Enterprise Administrators as identified below.

Schema Administrator
- Maintains security and integrity of the schema
- Oversees modifications to the schema
- Full disaster recovery plan and practice for the schema

Enterprise Administrator
- Creation and management of the forest
- Overall security and reliability of the forest
- Creation and removal of domains
- Management of trust relationships with the test and ALS domains
- Full disaster recovery plan and practice for trusts

Domain Administrator
- Creation and management of the directory infrastructure. Includes FSMO roles, trusts, Kerberos KDCs, replication topology, etc.
- Creation of all top-level OU hierarchies with sub-OUs, groups, and appropriate security permissions. This includes adding the OU Admins to the AddComputers group, the Group Policy Creator Owners group, and the OU Admins mail list. It also includes setting appropriate permissions on the created objects.

Monitoring and reporting associated with the reliability and security of the domain
- Use the domain admin account only for actions that require the privilege level of this account
- Monitoring changes to the domain root and the Domain Controllers OU to ensure unauthorized changes do not occur
- Day-to-day management of domain controllers
- Monitoring connectivity, synchronization, replication, netlogon, time services, FSMO roles, schema, and NTDS database partitions to ensure a stable and secure domain

Domain Controller Management
- Physical security of the domain controllers in IT Division space and oversight for all domain controllers
- Backups and restores on domain controllers
- Full disaster recovery plan and practice for DCs and core Directory objects

Policy monitoring and compliance
- Apply and enforce LBL standard naming conventions for objects in the domain
- Comply with LBL AD Change and Configuration Management (CCM) requirements
- Comply with LBL AD policies and standards as defined on the AD Web Site
- Monitor compliance with LBL AD policies and standards as defined on the AD Web Site, including change management
- Verify that LBL AD Change and Configuration Management (CCM) requirements are implemented by OU Administrators

Communication and coordination
- Arbitrate disputes between OU Admins
- Provide OU Admins assistance when requested
- Participate in ADAC
- Coordinate with CPP to ensure the LBL domain is secure
- Comply with all CPPM orders regarding emergency conditions
- Coordinate with Institutional Services to help them implement SSO, metadirectory, and other IS initiatives
- Coordinate the use of the test domain by OU admins and others that need to model processes before they are deployed to the production LBL domain
- Participate in OU Admin meetings as needed
- Work collectively with the OU administrators

- Secure remote administration of the DCs and member servers managed by the Infrastructure Group
- Manage group policy at the root of the domain and for the Domain Controllers OU
- Creation, testing, and management of GPOs intended to be used by multiple OU Admins
- Manage the Users and Computers containers
- Install and manage security reporting tools used to monitor changes to the Active Directory
- Delegate monitored data and elevated privileges to others as needed
- Create and maintain the test domain as a reasonable approximation of the production domain
- Coordinate and configure alarm distribution to OU Admins for OU-related events
- Plan and manage all migrations and upgrades related to the AD or the DCs
- Verify that new software deployments and GPO policies work by testing them in the Primus test domain as appropriate

Function: OU Administrators
- Ensure the overall security and integrity of their managed OU hierarchy
- Use the OU admin account only for actions that require the privilege level of this account
- Monitoring changes to the OU hierarchy to ensure unauthorized changes do not occur
- Delegation of authority to others for appropriate object administration in their OU hierarchy

Account management
- Creation/deletion/management of objects, i.e. local user accounts, groups, workstations, servers, printers, etc. in their OU hierarchy
- Regularly perform housekeeping duties to keep the OU hierarchy clear of stale, unused, expired, and no-longer-needed objects
- Process requests for access control authorized by the data owner
- Process requests for group drive mappings via login script
- Create new computer accounts and join them to directory services
- The OU administrator will designate which administrators have "account operator" access to the Windows user accounts for users in their department.
- These account operators will have privileges that let them make changes to a subset of attributes for the accounts in their OU. This subset of attributes includes Windows-centric information like home directory location, profile location, terminal server settings, and other kinds of user data that isn't replicated from the root of the LBL domain.
- Group Policy Object (GPO) administration, troubleshooting, and management
- Publishing resource objects from their OU hierarchy in the Active Directory as applicable
- Manage Group Policy Object (GPO) links in the OU hierarchy
- Coordinate activities of Member Server owners
- Monitor department/member server(s) performance and event logs
- Work with server and/or data owners to set up permissions

Policy Compliance
- Comply with LBL AD policies and standards as defined on the AD Web Site
- Comply with LBL AD Change and Configuration Management (CCM) requirements
- Apply LBL standard naming conventions to objects in their OU hierarchy

Contact information
- Each top-level OU must contain contact information for the department to facilitate contacting OU administrators
- When the OU manager changes, notify the Enterprise Administrator
- Verify that new software deployments and GPO policies work by testing them in the Primus test domain as appropriate

Communication and coordination
- Work collectively with the domain admins and with other OU administrators
- Keep informed about domain-wide changes (e.g. attend periodic meetings of the OU administrators or participate in mail lists)
- Provide the following to the domain admins when suspecting that a desktop-related problem stems from a change to the Active Directory or DC configuration:
  1. event description
  2. logon name of affected user
  3. name of affected computer
  4. time of event
  5. relevant warnings and errors in event logs
  6. relevant warnings or errors displayed on screen

Function: Server Owners (may be a dual role with OU administrator)
- Host and maintain the server (i.e., OS, business-specific service, etc.)
- Patching/software upgrades
- Volume/partition space management
- Hardware migration
- Software licenses for all member server(s) added to their OU hierarchy
- Hardware maintenance for all non-Infrastructure-managed member servers
- Operating system maintenance for all non-Infrastructure-managed member servers
- Maintain the level of member server system security by applying Service Packs and security patches
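The Domain Administrator monitoring duties above (connectivity, replication, netlogon, time services, FSMO roles, NTDS partitions, and watching the domain root and Domain Controllers OU for unauthorized changes) can be reduced to a read-only daily check. The script below is an added example, not part of the original page or of LBL's own tooling. It assumes Windows PowerShell 5.1 with the RSAT ActiveDirectory module on a domain-joined management host with read access to the domain; the baseline directory C:\ADHealth\baseline is an assumed path. Nothing in it modifies the directory.

```powershell
# Added example (not from the page): read-only AD health check covering the
# Domain Administrator monitoring duties. Assumes the RSAT ActiveDirectory
# module on Windows PowerShell 5.1; nothing here writes to AD.
Import-Module ActiveDirectory

$BaselineDir = 'C:\ADHealth\baseline'   # assumed location for stored ACL baselines
New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = @(Get-ADDomainController -Filter *)

# 1. FSMO role holders: every role must resolve to a DC that is actually in the domain.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    $holder = $fsmo[$role]
    $state  = if ($dcs.HostName -contains $holder) { 'OK' } else { 'NOT A KNOWN DC' }
    '{0,-22} {1,-40} {2}' -f $role, $holder, $state
}

# 2. Replication: per-partition (NTDS naming context) partner metadata plus recorded failures.
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartitionFilter All -ErrorAction SilentlyContinue |
        Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or
                       $_.LastReplicationSuccess -lt (Get-Date).AddHours(-3) } |
        Select-Object Server, Partition, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures
    Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
}

# 3. Core services on each DC: Netlogon, KDC, NTDS and the time service must be running.
foreach ($dc in $dcs) {
    Get-Service -ComputerName $dc.HostName -Name Netlogon, Kdc, NTDS, W32Time -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Running' } |
        ForEach-Object { 'SERVICE {0} on {1}: {2}' -f $_.Name, $dc.HostName, $_.Status }
}

# 4. Time: clock offset of every DC relative to the PDC emulator
#    (Kerberos rejects tickets once skew exceeds 5 minutes by default).
& w32tm.exe /monitor /domain:$($domain.DNSRoot)

# 5. Unauthorized change detection: compare the security descriptor of the domain
#    root and of the Domain Controllers OU against a stored baseline, and list
#    objects under the Domain Controllers OU changed in the last 24 hours.
$sections = [System.Security.AccessControl.AccessControlSections]::All
foreach ($dn in @($domain.DistinguishedName, $domain.DomainControllersContainer)) {
    $sddl = (Get-Acl -Path "AD:\$dn").GetSecurityDescriptorSddlForm($sections)
    $file = Join-Path $BaselineDir (($dn -replace '[^A-Za-z0-9]', '_') + '.sddl')
    if (Test-Path $file) {
        if ((Get-Content -Path $file -Raw).Trim() -ne $sddl) { "ACL CHANGED on $dn (baseline: $file)" }
    } else {
        Set-Content -Path $file -Value $sddl   # first run: record the baseline
        "Baseline recorded for $dn"
    }
}
$since = (Get-Date).AddDays(-1)
Get-ADObject -SearchBase $domain.DomainControllersContainer -Filter { whenChanged -ge $since } `
    -Properties whenChanged, objectClass |
    Select-Object DistinguishedName, objectClass, whenChanged
```

The baseline files only detect drift in the ACLs of the two watched containers; a change to group membership of Domain Admins or to a GPO linked at the root would show up in step 5's whenChanged listing only if the object lives under the Domain Controllers OU, so a production deployment would pair this with the security reporting tools the page lists and with repadmin /showrepl and dcdiag for deeper replication and DC diagnostics.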
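The "account operator" arrangement under OU Administrators is a least-privilege delegation: operators may write a Windows-centric subset of user attributes but not the HR-synchronized ones. The following added example, not from the page, implements that with property-scoped ACEs on one top-level OU. The OU OU=Physics,DC=lbl,DC=gov, the group LBL\Physics-AccountOperators and the exact attribute list are assumptions; terminal server settings are stored in the userParameters attribute, and the HR-owned attributes (department, telephoneNumber, and so on) are deliberately left out.

```powershell
# Added example (not from the page): delegate write access to a Windows-centric
# subset of user attributes on one OU hierarchy. Assumed names: the OU
# 'OU=Physics,DC=lbl,DC=gov' and the group 'LBL\Physics-AccountOperators'.
Import-Module ActiveDirectory

$TargetOU  = 'OU=Physics,DC=lbl,DC=gov'        # assumed top-level OU
$Operators = 'LBL\Physics-AccountOperators'    # assumed department group (DOMAIN\sAMAccountName)
# Attributes the OU admin may hand out. HR-synchronized attributes are intentionally absent.
$Writable  = 'homeDirectory', 'homeDrive', 'profilePath', 'scriptPath', 'userParameters'

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve an attribute's or class's schemaIDGUID so each ACE is scoped to that one property.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Filter { lDAPDisplayName -eq $ldapDisplayName } -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
$userClassGuid = Get-SchemaGuid 'user'   # ACEs inherit only onto user objects, not groups or computers

$sid = (Get-ADGroup -Identity $Operators.Split('\')[-1]).SID
$acl = Get-Acl -Path "AD:\$TargetOU"
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

foreach ($attr in $Writable) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verification: every WriteProperty ACE the group holds on the OU must name one of
# the expected attributes. An ACE whose ObjectType is the empty GUID grants write
# on ALL attributes and is the over-delegation this model is meant to prevent.
$expected = @{}
foreach ($attr in $Writable) { $expected[(Get-SchemaGuid $attr).Guid] = $attr }
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Operators -and
                   (($_.ActiveDirectoryRights -band $writeProp) -ne 0) } |
    ForEach-Object {
        $g = $_.ObjectType.Guid
        if ($expected.ContainsKey($g)) { 'OK   write on {0}' -f $expected[$g] }
        else { 'WARN write on unexpected object type {0} (empty GUID = all attributes)' -f $g }
    }
```

Run it once per top-level OU from an OU admin account that owns the OU; it only adds ACEs, so re-running is harmless but does not remove a broader grant made earlier by hand, which is exactly what the verification loop at the end is there to surface.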
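The housekeeping duty under Account management (keeping the OU hierarchy clear of stale, unused, expired and no-longer-needed objects) is easiest to do safely as a report first and a reversible quarantine second. The function below is an added example, not from the page; it assumes the RSAT ActiveDirectory module, and the OU and quarantine-OU names in the usage lines are assumptions. It never deletes anything: with -Quarantine it disables stale accounts, stamps a description explaining why, and moves them to a holding OU from which they can be restored.

```powershell
# Added example (not from the page): housekeeping report for one OU hierarchy,
# with an optional reversible quarantine of stale accounts. Assumes the RSAT
# ActiveDirectory module; OU names passed in are assumptions.
Import-Module ActiveDirectory

function Get-OUHousekeepingReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=Physics,DC=lbl,DC=gov' (assumed)
        [int]    $InactiveDays = 90,                   # logon age that counts as stale
        [string] $QuarantineOU,                        # holding OU for disabled stale accounts (assumed)
        [switch] $Quarantine                           # without this switch the function only reports
    )
    $span   = New-TimeSpan -Days $InactiveDays
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Enabled users and computers with no logon inside the window.
    $stale = @(Search-ADAccount -AccountInactive -TimeSpan $span -SearchBase $SearchBase |
               Where-Object { $_.Enabled })
    # Accounts past their accountExpires date but still present.
    $expired = @(Search-ADAccount -AccountExpired -SearchBase $SearchBase)
    # Already disabled objects: candidates for eventual removal after the retention period.
    $disabled = @(Search-ADAccount -AccountDisabled -SearchBase $SearchBase)
    # Computer accounts created long ago that never logged on (pre-staged and forgotten).
    $neverUsed = @(Get-ADComputer -SearchBase $SearchBase -Filter { whenCreated -lt $cutoff } `
                      -Properties whenCreated, LastLogonDate |
                   Where-Object { -not $_.LastLogonDate })
    # Empty groups are harmless by themselves but usually mark abandoned delegations or drive mappings.
    $emptyGroups = @(Get-ADGroup -SearchBase $SearchBase -Filter * -Properties Members |
                     Where-Object { $_.Members.Count -eq 0 })

    if ($Quarantine) {
        foreach ($acct in $stale) {
            # Record when and why so the object can be restored with context, then disable and move.
            $note = 'Stale: no logon in {0} days, quarantined {1}' -f $InactiveDays, (Get-Date -Format s)
            Set-ADObject -Identity $acct.DistinguishedName -Replace @{ description = $note }
            Disable-ADAccount -Identity $acct.DistinguishedName
            if ($QuarantineOU) {
                Move-ADObject -Identity $acct.DistinguishedName -TargetPath $QuarantineOU
            }
        }
    }

    [pscustomobject]@{
        SearchBase         = $SearchBase
        StaleEnabled       = $stale       | Select-Object Name, ObjectClass, LastLogonDate
        Expired            = $expired     | Select-Object Name, ObjectClass, AccountExpirationDate
        Disabled           = $disabled    | Select-Object Name, ObjectClass
        NeverUsedComputers = $neverUsed   | Select-Object Name, whenCreated
        EmptyGroups        = $emptyGroups | Select-Object Name, DistinguishedName
    }
}

# Usage (assumed OU names): report first, review, then quarantine on a later run.
$report = Get-OUHousekeepingReport -SearchBase 'OU=Physics,DC=lbl,DC=gov' -InactiveDays 90
$report.StaleEnabled | Format-Table -AutoSize
# Get-OUHousekeepingReport -SearchBase 'OU=Physics,DC=lbl,DC=gov' -InactiveDays 90 `
#     -QuarantineOU 'OU=Quarantine,OU=Physics,DC=lbl,DC=gov' -Quarantine
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only updated about every 14 days by default, so a 90-day window has a two-week error bar; service accounts that authenticate without interactive logon can still look idle and should be excluded by the OU admin before quarantining.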