
AD Procedures - IT Frequently Asked Questions (FAQ) - Berkeley Lab Commons

02/08/2013 06:21:35 PM https://commons.lbl.gov/display/itfaq/ADProcedures


Active Directory Procedures
Change Management Process
Change Initiation
Change that can impact Active Directory and its community can be initiated by three different groups, with expected impacts that range from significant to limited (or none).
The three groups that can initiate change are:
1. Identity Management Team
   Directory services authentication requirements (passwords, smart cards, biometrics)
   Directory services integration (e.g. with LDAP)
   Cyber security policy implementation (e.g. account management)
2. Desktop Support Team
   File and Print
   Software deployment
   Desktop inventory and license tracking
   Desktop security
3. Infrastructure Support Team
   Domain Controller hardware upgrades
   Domain Controller operating system software upgrades and patches
   Cyber security implementation (e.g. firewalls)
StakehoIders
IT Division management (Cyber Security, Identity Management, Workstation Support)
OU admins group, IT Division Help Desk, others (to be referred to as the AD-notify group)
End user
Events and timeIines
Approval: provide 2 to 4 weeks in advance, as appropriate
Advise: provide a minimum of 1 week in advance; include the stakeholder in the testing and evaluation phases
Notify: 1 day in advance, in-progress status (if problems occur), and after completion of the work
GeneraI GuideIines
Change Management requires uniform processes no matter which group initiates a change. The process will differ based on urgency and expected impact, but not by the group that initiates the change. CCM will be enforced at the root level of the domain or whenever an action requires Domain Admin privileges.
When approval or advice is required, the announcement must indicate what changes will be made, why the changes are being made, the potential impact to IT staff and end users, and how much time the changes are expected to take.
Notification requires only a very short one- or two-sentence description (for example: maintenance on domain controllers will take place at X for a period of Y hours). Notification is not needed for planned outages already published on the Web site (normal weekend maintenance, for example).
In the event that a change takes longer than expected, the AD-Notify mail list must be notified immediately with the new completion time.
Change management does not involve the test domain.
Change Management Matrix
Columns of the original matrix: Scope, Example, IT division management, OU admins, AD-notify group, End user. Each row below lists the scope, its examples, and the action required of each stakeholder.

Scope: Planned projects (with potential wide impact on the lab community)
  Examples: single sign-on; directory integration; domain controller upgrades; mandatory use of a new firewall policy
  IT division management: Approval
  OU admins: Advise
  AD-notify group: Notify
  End user: Advise

Scope: Routine or planned maintenance (change with limited or no expected impact)
  Examples: apply patches to the Win2003 OS on a DC; update of antivirus definitions; response to normal event and security log data
  AD-notify group: Notify
  Other stakeholders: none listed

Scope: Incident response (emergency change directed by CPP or IT management, or in response to unplanned events)
  Examples: major Windows virus outbreak; failure condition within AD that needs immediate attention; power outage
  AD-notify group: Notify (for other than planned maintenance)
  Other stakeholders: none listed
Account Management (create, disable, delete actions)
Workstation Info
1. Workstations in the LBL forest should be configured to turn off DDNS registration. This may be enforced by domain GPO in the future and should not be blocked at the OUs.
2. LBL naming standards are recommended for computer account names. The standard is to combine the UID of the primary person using the machine, followed by a dash, followed by the workstation operating system identifier, and finally the last two digits of the DOE number. The workstation identifiers are x for Windows XP, w for Windows 2000, and n for Windows NT 4, e.g. cwnelson-x44 or cwnelson-w39.
3. It is recommended that you wait 30 minutes after creating and deleting a computer account before attempting to create a new computer account with the same name, so the deletion has replicated to all domain controllers.
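The following PowerShell script is an added example, not part of the LBL page, that audits a workstation against items 1 and 2 above: it reports and optionally turns off DNS dynamic registration on every IP-enabled adapter, and checks the computer name against the naming standard. It uses the Win32_NetworkAdapterConfiguration WMI class (available back to the Windows XP era the page describes) and the DNS Client policy registry value that the "Dynamic update" group policy writes; the regular expression is my reading of the standard, and the hostname used in the usage section is the local machine's.

```powershell
# Added example (not from the LBL page). Run elevated.
# Assumptions: the name pattern below is my reading of the LBL standard
# (UID, dash, OS letter x|w|n, last two digits of the DOE number); the
# registry value is the one the "Dynamic update" DNS Client policy sets.

function Test-LblComputerName {
    param([Parameter(Mandatory)][string]$Name)
    # e.g. cwnelson-x44 -> $true ; lab-pc-01 -> $false
    return $Name.ToLower() -match '^[a-z0-9]+-[xwn][0-9]{2}$'
}

function Get-DdnsRegistrationState {
    # Machine-wide policy value (absent when no GPO enforces it) plus the
    # per-adapter "Register this connection's addresses in DNS" setting.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $policy = Get-ItemProperty -Path $policyKey -Name RegistrationEnabled -ErrorAction SilentlyContinue
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        Select-Object Description, FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled
    [pscustomobject]@{
        PolicyRegistrationEnabled = if ($policy) { [int]$policy.RegistrationEnabled } else { 'not set by policy' }
        Adapters                  = $adapters
    }
}

function Disable-DdnsRegistration {
    # Turn off dynamic registration on every IP-enabled adapter.
    # SetDynamicDNSRegistration(FullDNSRegistrationEnabled, DomainDNSRegistrationEnabled)
    # returns 0 on success; anything else is the WMI error code.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        Where-Object { $_.FullDNSRegistrationEnabled } |
        ForEach-Object {
            $rc = $_.SetDynamicDNSRegistration($false, $false).ReturnValue
            "{0}: SetDynamicDNSRegistration -> {1}" -f $_.Description, $rc
        }
}

# --- usage ---
$name = $env:COMPUTERNAME
"{0}: conforms to LBL naming standard = {1}" -f $name, (Test-LblComputerName $name)
Get-DdnsRegistrationState | Format-List
# Uncomment to apply: Disable-DdnsRegistration
```

The audit reads both the policy value and the per-adapter setting because a GPO, once enforced at the domain level, overrides whatever the adapter is set to; an adapter showing FullDNSRegistrationEnabled = True under a policy value of 0 is not actually registering.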
Creating and DepIoying GPOs
GPO guidelines at Berkeley Lab
Group Management
Best Practices
Try to use global groups to organize the users in your OUs into groups.
Try to use domain local groups to assign permissions to resources, and nest the global groups in them, so that granting or revoking access is a group-membership change rather than an ACL change.
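The two best practices above are the AGDLP pattern (accounts into global groups, global groups into domain local groups, permissions on the domain local groups). The script below is an added example, not the page's own code, that applies it to a hypothetical file share. The OU, group names, share path and the LBL NetBIOS domain name are placeholders I invented; it requires the ActiveDirectory module (RSAT) and an account allowed to create groups in that OU and to change the folder's ACL.

```powershell
# Added example (not from the LBL page): AGDLP applied to one share.
# All names below are invented placeholders.
Import-Module ActiveDirectory

$ou        = 'OU=Physics,DC=lbl,DC=example'       # hypothetical OU
$roleGroup = 'Physics-Users'                      # global group: who the people are
$aclGroup  = 'Physics-Share-Modify'               # domain local group: one permission on one resource
$share     = '\\fileserver.lbl.example\physics'   # hypothetical resource
$domain    = 'LBL'                                # assumed NetBIOS domain name

# 1. Global group organizes the OU's users by role.
New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $roleGroup -Members 'cwnelson'   # UID used in the naming section

# 2. Domain local group carries the permission; nest the role group in it.
#    Users and global groups never appear on the ACL directly.
New-ADGroup -Name $aclGroup -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $aclGroup -Members $roleGroup

# 3. Grant Modify on the folder (inherited by files and subfolders) to the domain local group.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList "$domain\$aclGroup", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 4. Check: every explicit (non-inherited) ACE on the share should name a domain local group.
(Get-Acl -Path $share).Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        $sam  = ($_.IdentityReference.Value -split '\\')[-1]
        $obj  = Get-ADObject -Filter { SamAccountName -eq $sam } -Properties groupType -ErrorAction SilentlyContinue
        # groupType bit 0x4 = domain local scope; users have no groupType at all
        $isDL = $obj -and $obj.ObjectClass -eq 'group' -and ($obj.groupType -band 4)
        [pscustomobject]@{ Identity = $_.IdentityReference; Rights = $_.FileSystemRights; IsDomainLocalGroup = [bool]$isDL }
    }
```

Step 4 is the part worth keeping as a recurring check: an ACE whose IsDomainLocalGroup is false is a user or global group granted access directly, which is exactly the drift the two guidelines are meant to prevent.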
CCM
More words on when CCM takes effect and when it does not?
These rules apply to all changes to the Domain Controllers (DCs) in the LBL domain, including but not limited to the registry, file system permissions, network settings, security settings, virus definition updates, patching, directory services changes, group policy settings, etc. However, good judgment must be used in order to identify which CCM category a specific change falls into.
Windows Patch Management
Windows Patches delivered by WSUS
Updted My 10, 2012
Overview
The IT division manages an institutional Windows Server Update Services (WSUS) server. The purpose of the WSUS server is to facilitate patching of Windows computers in the LBNL environment. Participation in the WSUS server is optional, but it is widely deployed and is the default for computers in AD.
The overarching philosophy is to replicate, via the LBNL WSUS server, the patches Microsoft delivers (e.g. security patches, Office patches, and non-critical patches). WSUS adds the ability to monitor and verify patch status, as well as to stop the deployment of a problem patch.
Patch Approval
Patch approval is done by a collaborative team (the WSUS team) from IT Desktop Support and CPP. This team communicates monthly on the second Tuesday of the month (Microsoft Patch Tuesday) to release patches. IT Collaboration Systems is responsible for approving patches but delegates this authority to the WSUS team. As normal practice, one individual takes the lead in notifying stakeholders of special situations that might require an exception to the normal practice of releasing patches as they are provided by Microsoft.
The WSUS team (or designated individual) first reviews the patches to identify any high-priority patches that may require CPP to scan for and isolate unpatched hosts. The team then briefly reviews the function of each patch and releases them to all clients. The team also performs a brief review of WSUS to ensure patches are applying correctly.
Patch ProbIems
The WSUS team releases all WSUS patches at the same time as Microsoft. The WSUS team will not approve a patch in the event the patch is creating significant disruption or causing significant problems in the LBNL environment. IT Collaboration support is responsible for deciding when patches are unapproved.
Group PoIicy Objects
The IT division created and manages two Group Policy Objects (GPOs) in Active Directory (AD). The consumers of these GPOs are OU managers. OU managers are encouraged, but not required (unless they support Operations Divisions), to link one of these policies to the computers they manage. Most computers are linked, but some opt to use the built-in Automatic Updates capabilities or to update systems manually in order to maximize control in certain scenarios, such as servers or instrumentation. The two policies provided are as follows:
IT-WSUS3
This is the GPO recommended for most systems. It configures the Windows Update client to download patches from WSUS and install them at 10:00 AM. If anyone is logged into the system, they will be prompted to reboot every hour, but never forcibly rebooted. If no one is logged into the computer, it will reboot.
IT-WSUS3-NotifyOnly
This is the GPO recommended for servers and instrumentation computers. A person must perform the installation and the reboot; the policy only prompts and never installs or reboots on its own. Its main effect is that the computer reports its patch status to WSUS.
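The script below is an added example, not the LBL GPOs themselves, showing the Windows Update client policy values that the two profiles described above would carry, written to the local policy registry keys so a single machine can be configured or checked without AD. The install hour, hourly reboot prompt and no-forced-reboot rule come from the text; the registry value names are the standard Windows Update Agent policy values; the WSUS server URL is a placeholder I invented.

```powershell
# Added example (not the page's GPOs). Run elevated.
# Assumption: the WSUS URL below is a placeholder; value names are the
# documented Windows Update Agent policy settings under WindowsUpdate\AU.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

$profiles = @{
    # IT-WSUS3: auto download, install daily at 10:00, re-prompt logged-on
    # users every 60 minutes, never force a reboot while someone is logged on.
    'IT-WSUS3' = @{
        AUOptions                     = 4   # auto download and schedule the install
        ScheduledInstallDay           = 0   # 0 = every day
        ScheduledInstallTime          = 10  # 10:00 local time
        NoAutoRebootWithLoggedOnUsers = 1   # prompt instead of forcing a restart
        RebootRelaunchTimeoutEnabled  = 1
        RebootRelaunchTimeout         = 60  # minutes between restart prompts
    }
    # IT-WSUS3-NotifyOnly: notify only; a person downloads, installs and reboots.
    'IT-WSUS3-NotifyOnly' = @{
        AUOptions                     = 2   # notify before download and before install
        NoAutoRebootWithLoggedOnUsers = 1
    }
}
$profileSpecific = @('AUOptions','ScheduledInstallDay','ScheduledInstallTime','RebootRelaunchTimeoutEnabled','RebootRelaunchTimeout')

function Set-WsusClientProfile {
    param(
        [Parameter(Mandatory)][ValidateSet('IT-WSUS3','IT-WSUS3-NotifyOnly')][string]$Profile,
        [string]$WsusUrl = 'http://wsus.lbl.example:8530'   # placeholder server
    )
    New-Item -Path $au -Force | Out-Null
    # Point the client at the institutional WSUS server instead of Microsoft Update.
    Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusUrl -Type String
    Set-ItemProperty -Path $au -Name UseWUServer    -Value 1 -Type DWord
    Set-ItemProperty -Path $au -Name NoAutoUpdate   -Value 0 -Type DWord
    # Remove values that differ between profiles so a switch leaves no stale setting behind.
    foreach ($name in $profileSpecific) {
        Remove-ItemProperty -Path $au -Name $name -ErrorAction SilentlyContinue
    }
    foreach ($kv in $profiles[$Profile].GetEnumerator()) {
        Set-ItemProperty -Path $au -Name $kv.Key -Value $kv.Value -Type DWord
    }
}

function Get-WsusClientProfile {
    # Read the effective values back and name the profile they match.
    $p = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    if (-not $p -or $p.UseWUServer -ne 1) {
        return 'not pointed at WSUS (built-in Automatic Updates or manual patching)'
    }
    switch ($p.AUOptions) {
        4       { 'IT-WSUS3-like: scheduled install at {0}:00, force reboot suppressed = {1}' -f $p.ScheduledInstallTime, ($p.NoAutoRebootWithLoggedOnUsers -eq 1) }
        2       { 'IT-WSUS3-NotifyOnly-like: notify only, human installs and reboots' }
        default { "other: AUOptions=$($p.AUOptions)" }
    }
}

# --- usage ---
Set-WsusClientProfile -Profile 'IT-WSUS3'
Get-WsusClientProfile
```

Get-WsusClientProfile is the check an OU manager wants when a machine is suspected of not reporting: a computer that never shows up in the WSUS console usually has UseWUServer missing or WUStatusServer pointing somewhere else, which this function reports as "not pointed at WSUS" before it even looks at the install schedule.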
Printed by Atlassian Confluence 4.2.13, the Enterprise Wiki.
Commons contains user-contributed content and does not represent the position or endorsement of the Laboratory, DOE, or the University of California. Your use of this site is subject to our security and privacy policies.
A U.S. Department of Energy National Laboratory Operated by the University of California