
Last Updated: October 22, 2009

U-M Windows Central Accounts Service

What is the U-M Windows Central Accounts Service?

User accounts can reside in several places within Active Directory, including OUs in the root domain, other forest domains, and a special OU of the root domain called the "People" OU. The U-M Windows Central Accounts service gives departmental Windows admins the ability to manage users in the U-M campus Active Directory that have been automatically provisioned as they are created in the campus directory and campus MIT Kerberos realm.

In order to manage their own user accounts in the root domain, departments must have a delegated OU. To request a new delegated OU, see the document "Joining the U-M Windows Forest as a Delegated Organizational Unit".

For more information and background on this service, see U-M Windows Central Accounts Service Purpose and Design.

User Account Attributes

A key task in developing the service was to determine the appropriate set of Active Directory attribute values that departmental admins may modify without impacting users' use of central campus resources, such as the Campus Computing Sites and Libraries. A table of the attributes for which departmental admins are granted or denied modify permission is available at Description of Attributes ACLs Assigned to Accounts OU.

Web Applications

Several common tasks performed by delegated OU administrators have been automated with self-service web applications. The current set of applications can be found at:

    U-M Windows Central Accounts Applications

Documentation for each web application can be referenced from the "User FAQ and Documentation" menu items of the home page, and by pressing the "Help" button from within the application. You can view a high-level summary of the web applications at U-M Central Accounts Service Web Applications.

Change Log

The Change Log page documents changes to the design and functionality of the U-M Windows Central Accounts Web Applications.

Future Enhancements

During the pilot phase of the web application development, a number of suggestions were gathered to improve the functionality of the U-M Windows Central Accounts web applications. We are always open to suggestions for improvement, which may be sent to w2k-support@umich.edu. For a tentative list of improvements under consideration for phase 2 of this development project, see Future Enhancements for U-M Windows Central Accounts Applications.

Passwords and Authentication

Department admins have the ability to set Windows passwords, but may decide to have users log in with their Kerberos credentials (users may also set their own Windows passwords through the Password Reset Web Page). Some Windows services, such as mapping a remote drive from a computer that is not Kerberos-authenticated, require the Windows password. Department administrators may choose to set the campus Kerberos and Windows passwords to the same value. This practice is not encouraged, but neither is it prohibited. In order to log into Windows with campus Kerberos credentials, each computer must be configured for pass-thru authentication.

Windows 2000 and XP workstations can be configured so users can log in with their campus Kerberos uniqname and password rather than their Windows password. Information on how to do this is available at Setting up a Workstation for pass-thru logon.

More information:

A presentation on this project was given at the Windows Higher Education Conference in Redmond, Washington, in July 2003.