Windows at the University of Michigan

Windows at University of Michigan

LNGS Home
U-M Windows Home
U-M Forest
History/Design
UMROOT
Kerberos
Policies
Resources
Naming Standards
Maintenance
Test Forest
Security
ITCS Services
How To
FAQ
Development
Help
Internal

Last Updated: April 02, 2005

Active Directory Design of the UMROOT domain

As described in the History of the Design of the U-M Windows Forest section, Kerberos interoperability requirements have necessitated that centrally maintained Windows/Active Directory accounts be placed in the forest root domain, UMROOT. The UMROOT domain is provisioned with user objects derived from corresponding entries in the U-M Online Campus Directory. These user objects reside in the People Organizational Unit, as shown below. Using an LDAP-based update process, changes to user entries in the U-M Online Campus Directory are propagated to corresponding user objects in the Active Directory. For users who have requested privacy, only minimal Windows user accounts are created, containing no personal information. For a more complete discussion of schema attribute mapping between the U-M Online Campus Directory and Active Directory, see the Active Directory User Object Provisioning section below.

One aspect of the user provisioning from the campus directory bears mention here. As the user objects are created within Active Directory, they are assigned a long, random, unknown password. For many uses of the campus forest, it is not necessary to know your Windows AD password, because access is via pass-thru authentication (see Configuring a Windows 2000, or XP workstation for pass-thru logon and Accessing File Shares with pass-thru logon for information on how to do this). However, there are occasions when it is necessary to know your Windows AD password. To accomodate those occasions, you may use the Windows password reset web page, presented as a tab on the umich.edu Kerberos password web page at https://accounts.www.umich.edu/kpasswd/.

Accounts and Organizations OU's

The UMROOT domain also houses two types of delegated OU's, created within the Organizations and Accounts OU's.

The Accounts OU contains OU's for units who wish to manage the attributes of their users. Through the Central Accounts service, local admins may request that centrally-provisioned users be moved from the People OU into an Accounts OU established for their unit. Once moved into their Accounts OU, the local admins can modify the values of select attributes of the user objects. Local admins may not create or delete objects in their Accounts OU.

The purpose of the Organizations OU is to provide a space for U-M campus units to administer their own organizational resource OU's. Once an Organizations OU has been created by ITCS for the campus unit, administrative control of that OU is delegated to an Active Directory Security Group that is exclusively populated by local administrators of the designated organization. In effect, the local administrator retains exclusive control of that OU, and can create, delete and modify objects within, and subordinate to, their organizational OU. Such objects might include workstations, servers, printers, security groups, subordinate OU's, and "external" users.

In this context, an "external" user is defined as a user that does not have, and cannot obtain, a U-M uniqname, and thus does not exist as a user object in the People OU. Examples of Active Directory "external users" might be temporary U-M staff, or visiting faculty. To avoid user namespace collisions in the future, Active Directory external users should be given name that include a "dash" symbol, i.e. "-". Since the U-M uniqname naming standard does not support the use of a dash symbol, external user names of the form "part1-part2" are guaranteed not to collide with any uniqname that may be created in the future. Our Naming Standards recommend using the departmental prefix for part1, leaving the composition of part2 to the local admin.

View zoomable detailed image in new window

UMROOT Domain Characteristics

The following chart enumerates important characteristics of the UMROOT domain. Some of the restrictions listed in this table may be removed in the future.

Characteristic UMROOT Implementation

User object creation ITCS maintained users reside in the People OU. These AD user objects are provisioned from the U-M Online Campus Directory. External users, without a U-M uniqname, may be created within delegated Organization OU's, provided they use the proper naming convention. U-M user accounts (those created with a U-M uniqname) are initially created in the People OU. Using the Central Accounts service, users may be moved into a delegated Accounts OU.

Computer object creation OU administrators may create computers within their Organization OU, in the UMROOT domain. This is typically done by pre-allocating the computer object in the unit's Organization OU, while delegating to a security group the permission to join the computer to the forest.

User group policy User Group Policy may be applied directly to centrally-provisioned user objects within the People OU once they have been moved into their delegated Accounts OU. Delegated OU administrators can also apply Group Policy via computers within their own Accounts OU. Using loopback processing, these Group Policies can be applied to users logging into computers within the OU.

Computer group policy Computer Group Policy may be applied through the Organization OU's in the UMROOT domain by OU administrators.

Kerberos pass-thru logon's Pass-thru logons work for users in the People OU. If a "duplicate" user exists in another domain, the user account in the UMROOT domain will be used for pass-thru logins.

Security group creation ITCS may create security groups that can be used by other members of the U-M W2k forest. OU administrators may also create security groups to allow access to resource with their OU.

Application services Each OU may provide application services as needed.

Active Directory User Object Provisioning

Active Directory user objects in the "UMROOT" People OU are created and updated from equivalent user entries in the U-M Online Campus directory. This is a one-way process, from the U-M Online Campus Directory, to Active Directory. This process is described in the presentations given by Dave Detlefs to the Common Solutions Group in May, 2000, "Windows 2000 Planning at the University of Michigan" and "Active Directory at the University of Michigan, Data Population and Kerberos Interoperbility" by MaryBeth Stuenkel, presented at Internet 2 Early Adopters Workshop in November, 2000.

Active Directory Privacy Issues

A number of users in the U-M Online Campus Directory have designated their directory entries as "private". Corresponding AD user objects, created in the People OU of the UMROOT domain, will also be private. Private Active Directory user objects are created as "minimal" accounts. Like other user objects created in the People OU of the UMROOT domain, private user objects are created with a U-M uniqname. For private users, however, no other personal attributes are created. For instance, name and telephone numbers attributes are not included for AD private users. Additionally, each private user object includes a U-M specific attribute, "umichadHidePersonalInfo", which is set to a value of "TRUE".

Active Directory Schema in the U-M Forest

Attribute Mapping Table: U-M Online Directory to U-M Active Directory (UMICH domain)

Information Technology Central Services at the University of Michigan

ITCS Home | University of Michigan