Last Updated: October 22, 2009

Naming Standards for the U-M Windows Forest

Domain Names
Computer Names
User Account Names
Security and Distribution Groups
Group Policy Objects
U-M Windows Organization Prefixes
 

Domain Names

When choosing a Windows domain name, the prefix of the domain name must be unique within the U-M Windows forest.  For instance, for the domain "ad.engin.umich.edu", the "ad" prefix must be unique, and cannot be used as a prefix for a new domain name.  This domain naming convention has been adapted to prevent duplicate names in the Microsoft Windows Network browsing environment.  The  Microsoft Windows Network browsing environment, available through My Network Places, currently uses the domain prefix to identify a domain.   'Browsing' is used to display the root of the Active Directory, and only displays the first part of each tree's domain name. When more than one tree begins with the exact same name, like 'ad.engin..' and 'ad.lsa..', users see two trees with only 'ad' and cannot determine which domain tree is which. Once they make a selection the full domain name for the tree is displayed properly."  In fact, a Windows domain name prefix and the short "NetBIOS" domain name can, and often do, differ.
 

Computer Names

Windows computers have two names; a "long" name, and a "pre-Windows 2000",  NetBIOS name.  In most cases, the two names will be identical.  The U-M naming standard is required for the "pre-Windows 2000",  NetBIOS name, and recommended for the "long" computer name.

The U-M naming standard for computer names is:

xxx-rest_of_name (or) xxxrest_of_name
	xxx	Registered organization prefix, 2 or more characters in length.  See the U-M Windows Organization Prefixes section below for directions on obtaining a prefix for your organization.  We recommend keeping the prefix length to 4 characters or less.  The dash (-) is optional, but recommended for ease of recognition.
	rest_of_name	A suffix chosen by the organization creating the computer.

Example: LNG-BJENSEN123456789  ("long" computer name)

COMPUTER NAME: LNG-JOE1 
DNS NAME: lng-joe1.ads.itcs.umich.edu
DN: cn=lng-joe1,ou=lngs,ou=organizations,ou=umich,dc=ads,dc=itcs,dc=umich,dc=edu

Example: LNG-BJENSEN1234  (NetBIOS name, truncated to 15 characters)

User Account Names

As is the case with computers, a Windows user object has two names; a user "distinguished name", and an "account name".  The account name must be unique within the Windows domain, while the user distinguished name, which serves as the Relative Distinguished Name (RDN) of the user in the Active Directory, must be unique within the Active Directory container in which it resides.  For example, an Organizational Unit container could not contain two identically named individuals.

U-M Uniqname AD Accounts

For users with a U-M uniqname, the user's Windows account name should be identical to the user's U-M uniqname, which is defined as 3 to 8 alpha characters.  In practice, these types of accounts are created automatically as users in the U-M Directory are duplicated with equivalent accounts in UMROOT domain.  For users created in the UMROOT domain ( adsroot.itcs.umich.edu ), the U-M uniqname is used for both the user "distinguished name" and the "account name".  By using the uniqname as a distinguished name, we avoid name collisions within the People OU that would otherwise result if full user names were used.  See the UMROOT Domain section for further information.

Campus units can request that uniqname-based Windows accounts be moved into a departmental Accounts OU to allow them to manage those user objects. For more information on this service, see the U-M Windows Central Accounts Service page.

Other AD Accounts

Some AD accounts do not directly correspond to a U-M uniqname. These types of accounts include administrative accounts, resource accounts, and accounts for individuals who may be visitors without a U-M uniqname. For "other AD accounts", the account name and Relative Distinguished Name do not need to match. Here are three rules which can be used to construct names for these non-uniqname AD accounts.

1. uniqnameN  (A uniqname suffixed with a digit.)  If the user has a uniqname, and wants to add an AD-only administrative account, this is the suggested format.
   
   Example: bjensen1



2. dept-anything  (An organization/department prefix, followed by a dash and a description.)  If the user does not have a U-M uniqname, this is the preferred syntax, where 'anything' would identify the user. It can also used for resource accounts, such as Exchange calendars, where 'anything' would describe the resource.
   
   Examples: chem-babsjensen, math-EventsCalendar



3. uniqname-anything  (A uniqname, followed by a dash and a description.)  This form is preferred for test accounts, if the user has a uniqname.
   
   Example: bjensen-test

Note: AD user naming conventions are closely related to Exchange naming conventions, which are described in this PDF document.

Security and Distribution Groups

A Windows Active Directory group may be one of six types.  Two broad categories, "security" and "distribution", define the general type of the group.  Each of these two types is further defined as either "domain local", "global" or "universal".  See the Microsoft paper Active Directory User, Computers and Groups for a more detailed explanation of Active Directory groups.  In practice, most groups created are of the default "global security" type. Because "universal" groups are replicated across the network to each domain in the forest, they should only be used in cases where cross-domain membership is needed.  Try to use global and domain local groups wherever possible.

The U-M naming standard for Active Directory security and distribution group names is a suggested standard, and not enforced.  After some initial experience with an overly complicated group naming standard, we've now settled on a simple two part standard:

Group Policy Objects

The naming convention for Group Policy Objects is to use a departmental prefix for all Group Policy names.  For instance, "math staff policy", or "psyc lab 460 policy".  Using Group Policy names prefixed with your U-M Windows Organization Prefix will reduced the likelihood that similarly named Group Policy objects will be confused with one-and-other.  Departmental prefixes should be chosen from the  U-M Windows Organization Prefixes section below.
 

U-M Windows 2000 Organization Prefixes

A large number of U-M organizations, large and small, participate in the U-M Windows forest. Most of the administrative responsibilities in the forest are delegated to administrators around campus, who create Windows resources, with their associated names. The purpose of the U-M Windows naming standard for organization prefixes is to maintain an orderly forest, to ease the recognition of Windows resources, and to avoid the chaos of naming collisions. Please note that these U-M Windows organization prefixes are completely independent of any other list of organization codes on the U-M campus.

A U-M Windows organization prefix is just a 2-8 character string.  The string must start with a letter, A-Z, and all other characters must either be letters, A-Z, or numbers 0-9.  A campus organization may request multiple prefixes, which may be used for sub-units, or for other purposes.  Each organization prefix must be registered with the U-M Windows forest administrators to insure that the same prefix is not being used by two separate units.

The table linked below lists current, registered U-M Windows organization prefixes.  When a department joins the forest as a delegated OU, they choose an organization prefix.  To register a new prefix, send a message to W2k-Support@umich.edu, stating the requested prefix(s) and the name of your U-M organization.

You may open a new window containing the U-M Windows Organization Prefixes Table here for easy reference.

Information and Technology Services