AD Roles and Responsibilities - IT Frequently Asked Questions (FAQ) - Berkeley Lab Commons
https://commons.lbl.gov/display/itfaq/ADRolesandResponsibilities (retrieved 02/08/2013 06:19:27 PM)

AD Roles and Responsibilities

Roles and Responsibilities

Overall Policy and Guidelines

Support
LBL Domain Administrators are currently on duty Monday-Friday, from 8 a.m. to 5 p.m., with best-effort support during off hours.

The IT Division will maintain a policy and procedures web site. It will also maintain an Active Directory management web site for inventory, asset management, and reporting purposes.

The LBL service includes only the software licenses required to operate the LBL forest and Domain Controllers and for workstations to connect to it (referred to as CALs). Departments should ensure that systems participating in the LBL forest are properly licensed for the software running on those systems, including operating system and server software.
Rules of engagement

Domain Administrators will take a "hands-off" approach to local OU administration. The Domain Administrators group is not responsible for the administration of local user accounts. Only when faced with an enterprise-wide emergency, where no adequate alternative exists and every attempt has first been made to contact the appropriate support personnel and the relevant OU managers, will a Domain Administrator take action at the OU level.

Domain Administrators manage the flow of information between the LBL AD Directory Services and any other directories.

The Domain Admins group manages the replication of directory information within the Active Directory, and makes any enterprise-level changes to the AD directory, such as schema modifications.
Replicated user data such as account name, department, phone number and affiliation (and any future extensions of other personal data replicated to the Active Directory) are subject to being overwritten by the LBL Directory synchronization process. The authoritative Human Resources directory is the only place where these attributes can be changed, and then only by the user.

All administrators (domain and OU) in the LBL forest must read and agree to the Roles & Responsibilities.

The OU administrator who requested the top-level OU in the LBL domain is responsible for designating which administrators will be added to that local administrative group account and for communicating back to the Domain Admins when such changes have been made.
Specific responsibilities

Function: Domain Administrators

Roles & Responsibilities:

Domain Administrators at LBL on occasion have to perform duties associated with the Schema and Enterprise Administrator roles, as identified below.

Schema Administrator
- Maintains security and integrity of the schema
- Oversees modifications to the schema
- Full disaster recovery plan and practice for the schema

Enterprise Administrator
- Creation and management of the forest
- Overall security and reliability of the forest
- Creation and removal of domains
- Management of the trust relationships with the test and ALS domains
- Full disaster recovery plan and practice for trusts

Domain Administrator
- Creation and management of the directory infrastructure
  - Includes FSMO roles, trusts, Kerberos KDCs, replication topology, etc.
  - Creation of all top-level OU hierarchies with sub-OUs, groups, and appropriate security permissions. This includes adding the OU Admins to the AddComputers group, the Group Policy Creator Owners group, and the OU Admins mail list. It also includes setting appropriate permissions on the created objects.
- Monitoring and reporting associated with the reliability and security of the domain
  - Use the domain admin account only for actions that require the privilege level of this account
  - Monitor changes to the domain root and the Domain Controllers OU to ensure unauthorized changes do not occur
  - Day-to-day management of domain controllers
  - Monitor connectivity, synchronization, replication, netlogon, time services, FSMO roles, schema and NTDS database partitions to ensure a stable and secure domain
- Domain Controller management
  - Physical security of the domain controllers in IT Division space, and oversight for all domain controllers
  - Backups and restores on domain controllers
  - Full disaster recovery plan and practice for DCs and core directory objects
- Policy monitoring and compliance
  - Apply and enforce LBL standard naming conventions for objects in the domain
  - Comply with LBL AD Change and Configuration Management (CCM) requirements
  - Comply with LBL AD policies and standards as defined on the AD Web Site
  - Monitor compliance with LBL AD policies and standards as defined on the AD Web Site, including change management
  - Verify that LBL AD Change and Configuration Management (CCM) requirements are implemented by OU Administrators
- Communication and coordination
  - Arbitrate disputes between OU Admins
  - Provide assistance to OU Admins when requested
  - Participate in ADAC
  - Coordinate with CPP to ensure the LBL domain is secure
  - Comply with all CPPM orders regarding emergency conditions
  - Coordinate with Institutional Services to help them implement SSO, metadirectory, and other IS initiatives
  - Coordinate the use of the test domain by OU admins and others that need to model processes before they are deployed to the production LBL domain
  - Participate in OU Admin meetings as needed
  - Work collectively with the OU administrators
- Secure remote administration of the DCs and member servers managed by the Infrastructure Group
- Manage group policy at the root of the domain and for the Domain Controllers OU
- Creation, testing, and management of GPOs intended to be used by multiple OU Admins
- Manage the Users and Computers containers
- Install and manage security reporting tools used to monitor changes to the Active Directory
- Delegate monitored data and elevated privileges to others as needed
- Create and maintain the test domain as a reasonable approximation of the production domain
- Coordinate and configure alarm distribution to OU Admins for OU-related events
- Plan and manage all migrations and upgrades related to the AD or the DCs
- Verify new software deployments and GPO policies work by testing them in the Primus test domain as appropriate
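The monitoring duties listed for the Domain Administrator (replication, netlogon, time service, FSMO role holders, and changes to the domain root and the Domain Controllers OU) can be turned into a repeatable daily check. The PowerShell script below is an added example and is not part of the LBL page or of any LBL tooling. It assumes the RSAT ActiveDirectory module and the repadmin, dcdiag and w32tm command-line tools are installed on the machine it runs from, and that the running account can read the domain; the 24-hour change window and the 60-second time-skew threshold are assumptions. Every check is read-only, so it does not need the domain admin account the page reserves for privileged actions.

```powershell
# Added example (not LBL code): domain-infrastructure health check for a Domain Administrator.
# Assumes RSAT ActiveDirectory module plus repadmin/dcdiag/w32tm (assumptions, see lead-in).
param(
    [int]$HoursBack = 24,            # assumed change-watch window
    [double]$MaxSkewSeconds = 60     # assumed time-skew alarm threshold (Kerberos default tolerance is 300 s)
)
Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. FSMO role holders: record them so an unexpected move (for example a seized role) is visible.
function Get-FsmoHolders {
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# 2. Replication: "repadmin /showrepl * /csv" gives one row per (destination DC, source DC,
#    naming context). A non-zero failure count on a row is a replication problem for that
#    NTDS partition (domain, configuration, schema or application partition).
function Get-ReplicationFailures {
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status'
}

# 3. dcdiag across the enterprise: connectivity, NETLOGON/SYSVOL shares, advertising,
#    knowledge of the role holders. With /q only failures are printed, so any output is a finding.
function Get-DcdiagFailures {
    dcdiag /e /q /test:NetLogons /test:Advertising /test:KnowsOfRoleHolders /test:SysVolCheck |
        Where-Object { $_ -match '\S' }
}

# 4. Time service: "w32tm /monitor" prints each DC followed by its NTP offset from the PDC
#    emulator. Flag any DC whose absolute offset exceeds the threshold.
function Get-TimeSkew {
    $server = $null
    foreach ($line in (w32tm /monitor /domain:$($domain.DNSRoot))) {
        if ($line -match '^(\S+)\s.*\[') { $server = $Matches[1]; continue }          # "dc1.example.test [192.0.2.1:123]:"
        if ($line -match 'NTP:\s*([+-][\d\.]+)s offset') {                            # "    NTP: +0.0123456s offset from ..."
            $offset = [double]$Matches[1]
            if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
                [pscustomobject]@{ Server = $server; OffsetSeconds = $offset }
            }
        }
    }
}

# 5. Change watch on the domain head object (e.g. GPO links, default policies) and everything
#    under the Domain Controllers OU. This is a cheap first pass; Directory Service Changes
#    auditing (event ID 5136 on the DCs) is the record of who made each change.
function Get-RecentPrivilegedChanges {
    $since = (Get-Date).AddHours(-$HoursBack)
    $targets = @(
        @{ Base = $domain.DistinguishedName;          Scope = 'Base'    },
        @{ Base = $domain.DomainControllersContainer; Scope = 'Subtree' }
    )
    foreach ($t in $targets) {
        Get-ADObject -SearchBase $t.Base -SearchScope $t.Scope -Filter { whenChanged -ge $since } `
            -Properties whenChanged, whenCreated |
            Select-Object DistinguishedName, ObjectClass, whenCreated, whenChanged
    }
}

# One report object; the non-empty lists are what an alarm should be raised on.
[pscustomobject]@{
    CheckedAt           = Get-Date
    FsmoHolders         = Get-FsmoHolders
    ReplicationFailures = @(Get-ReplicationFailures)
    DcdiagFailures      = @(Get-DcdiagFailures)
    TimeSkew            = @(Get-TimeSkew)
    RecentChanges       = @(Get-RecentPrivilegedChanges)
} | Format-List
```

Run it from a scheduled task on a management host rather than on a domain controller, and compare the FSMO and RecentChanges sections against the approved change records kept under the CCM process; a role move or a DC-OU change with no matching change ticket is exactly the unauthorized change the row above asks the Domain Administrator to catch.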
Function: OU Administrators

Roles & Responsibilities:

- Ensure overall security and integrity of their managed OU hierarchy
  - Use the OU admin account only for actions that require the privilege level of this account
  - Monitor changes to the OU hierarchy to ensure unauthorized changes do not occur
  - Delegate authority to others for appropriate object administration in their OU hierarchy
- Account management
  - Creation/deletion/management of objects (local user accounts, groups, workstations, servers, printers, etc.) in their OU hierarchy
  - Regularly perform housekeeping duties to keep the OU hierarchy clear of stale, unused, expired, and no longer needed objects
  - Process requests for access control authorized by the data owner
  - Process requests for group drive mappings via login script
  - Create new computer accounts and join them to directory services
  - The OU administrator will designate which administrators have "account operator" access to the Windows user accounts for users in their department.
    - These account operators will have privileges that let them make changes to a subset of attributes for the accounts in their OU
    - This subset of attributes includes Windows-centric information like home directory location, profile location, terminal server settings and other kinds of user data that is not replicated from the root of the LBL domain
- Group Policy Object (GPO) administration, troubleshooting, and management
  - Publish resource objects from their OU hierarchy in the Active Directory as applicable
  - Manage Group Policy Object (GPO) links in the OU hierarchy
- Coordinate activities of member server owners
  - Monitor department/member server(s) performance and event
  - Work with server and/or data owners to set up permissions
- Policy compliance
  - Comply with LBL AD policies and standards as defined on the AD Web Site
  - Comply with LBL AD Change and Configuration Management (CCM) requirements
  - Apply LBL standard naming conventions to objects in their OU hierarchy
- Contact information
  - Each top-level OU must contain contact information for the department to facilitate contacting OU administrators
  - When the OU manager changes, notify the Enterprise Administrator
  - Verify new software deployments and GPO policies work by testing them in the Primus test domain as appropriate
- Communication and coordination
  - Work collectively with the domain admins and with other OU administrators
  - Keep informed about domain-wide changes (e.g. attend periodic meetings of the OU administrators or participate in mail lists)
  - Provide the following to the domain admins when suspecting that a desktop-related problem stems from a change to the Active Directory or DC configuration:
    1. event description
    2. logon name of the affected user
    3. name of the affected computer
    4. time of the event
    5. relevant warnings and errors in event logs
    6. relevant warnings or errors displayed on screen
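The housekeeping duty above (keeping the OU hierarchy clear of stale, unused and expired objects) is the one OU Administrators most often neglect, and stale enabled accounts are a standing credential-theft risk. The PowerShell script below is an added example, not part of the LBL page or of any LBL tooling. It assumes the RSAT ActiveDirectory module, an OU the caller administers, and a "Disabled" sub-OU inside that hierarchy to park stale objects in; the OU names, the 120-day threshold and the report path are assumptions. It changes nothing unless -Apply is passed, so a first run produces only the report.

```powershell
# Added example (not LBL code): stale-object housekeeping for an OU Administrator.
# OU names, thresholds and paths are assumptions; nothing is modified without -Apply.
param(
    [Parameter(Mandatory)][string]$OU,            # e.g. 'OU=Physics,DC=example,DC=test' (assumed)
    [int]$InactiveDays = 120,                     # assumed staleness threshold (keep well above 14, see below)
    [string]$QuarantineOU = "OU=Disabled,$OU",    # assumed holding OU inside the administered hierarchy
    [switch]$Apply
)
Import-Module ActiveDirectory -ErrorAction Stop

# Search-ADAccount -AccountInactive keys off lastLogonTimestamp, the replicated logon
# attribute, which is only refreshed when it is more than ~14 days old. A threshold close
# to 14 days would therefore flag recently active accounts; 120 days is a safe margin.
function Get-StaleObjects {
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    $found  = @(Search-ADAccount -SearchBase $OU -UsersOnly     -AccountInactive -DateTime $cutoff) +
              @(Search-ADAccount -SearchBase $OU -ComputersOnly -AccountInactive -DateTime $cutoff) +
              @(Search-ADAccount -SearchBase $OU -UsersOnly     -AccountExpired)

    foreach ($a in ($found | Sort-Object DistinguishedName -Unique)) {
        if ($a.DistinguishedName -like "*,$QuarantineOU") { continue }   # already parked on an earlier run

        # Accounts that have never logged on are also returned; keep those only when they are
        # older than the window, so freshly created accounts are not swept up.
        $obj = Get-ADObject -Identity $a.DistinguishedName -Properties whenCreated
        if (-not $a.LastLogonDate -and $obj.whenCreated -ge $cutoff) { continue }

        $reason = 'inactive'
        if ($a.AccountExpirationDate -and $a.AccountExpirationDate -lt (Get-Date)) { $reason = 'expired' }

        [pscustomobject]@{
            DistinguishedName = $a.DistinguishedName
            ObjectClass       = $a.ObjectClass
            Enabled           = $a.Enabled
            LastLogonDate     = $a.LastLogonDate
            Created           = $obj.whenCreated
            Reason            = $reason
        }
    }
}

# Quarantine rather than delete: disable the account, stamp the description so a later audit
# can see why and when it was disabled, and move it under the holding OU. Objects still
# there after the department's retention period can be deleted in a separate pass.
function Invoke-Quarantine($stale) {
    foreach ($s in $stale) {
        $note = "Disabled $(Get-Date -Format yyyy-MM-dd) by OU housekeeping ($($s.Reason))"
        Set-ADObject -Identity $s.DistinguishedName -Replace @{ description = $note } -WhatIf:(-not $Apply)
        if ($s.ObjectClass -eq 'computer') {
            Set-ADComputer -Identity $s.DistinguishedName -Enabled $false -WhatIf:(-not $Apply)
        } else {
            Set-ADUser -Identity $s.DistinguishedName -Enabled $false -WhatIf:(-not $Apply)
        }
        Move-ADObject -Identity $s.DistinguishedName -TargetPath $QuarantineOU -WhatIf:(-not $Apply)
    }
}

$stale = @(Get-StaleObjects)
$stale | Export-Csv -Path "ou-housekeeping-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation   # assumed report path
$stale | Format-Table DistinguishedName, ObjectClass, Enabled, Reason, LastLogonDate -AutoSize
if ($stale.Count -gt 0) { Invoke-Quarantine $stale }
```

Review the CSV with the data owners before re-running with -Apply; service accounts that authenticate without interactive logon can look inactive and should be excluded by moving them out of the search base or by a naming convention the script can filter on.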
Function: Server Owners (may be a dual role with the OU administrator)

Roles & Responsibilities:

- Host and maintain the server (i.e., OS, business-specific service, etc.)
- Patching/software upgrades
- Volume/partition space management
- Hardware migration
- Software licenses for all member server(s) added to their OU hierarchy
- Hardware maintenance for all non-Infrastructure-managed member servers
- Operating system maintenance for all non-Infrastructure-managed member servers
- Maintain the level of member server system security by applying Service Packs and security patches