Identity Management – Active Directory

Viewing 5 reply threads
  • Author
    Posts
    • #573
      recooper
      Participant

      Identity management has a very broad scope with two major components 1. Identity and access management (accounts) 2. Systems integration. The Active Directory SLA is meant to address the one of the many possible systems integration components. Additional services are available to address the systems integration component.

      • This topic was modified 8 years, 9 months ago by recooper.
    • #596
      aballo
      Participant
    • #634
      jjgonza
      Participant

      Section 2.1.1 End-User Requirements to Use the Service – Third bullet point
      OU Administrators will adhere to the standards, policies and guidelines included in the OU Admin training such as the naming convention and use of privileged accounts;
      I would like to read what these standards, policies and guidelines are exactly.

      Section 2.1.2 Boundaries of Service Features and Functions – Third bullet point
      UNM IT reserves the right to apply security policy settings through domain GPO with reasonable
      notification;
      What is the definition of “reasonable”, reasonable by whose standard UNM IT or the department that may be adversely affected.  How much time would we have for researching proposed change and testing?  Where can we go to review the current security policy settings?

      Bullet point 6
      User management such as creation of new accounts, and password management is done through NetID service and not directly performed in AD. 
      We create user accounts several times per year as a matter of course, and we use provisioning tools to both create the account and its associated mail box.  Would we be able to continue this practice if we were being hosted on this system?
      We also create accounts for adjuncts and students that are not enrolled at unm as regular employees and or students, would we still be allowed to do this?
      Section 2.2.1 General Service Levels
      Network security scans are completed for all systems slated for AD migration;
      Is there a charge for this service?
      Default policies configured for Department IT OU.
      What is the default policy currently?

    • #650
      bpietrewicz
      Keymaster

      Q: Section 2.1.1 End-User Requirements to Use the Service – Third bullet point
      OU Administrators will adhere to the standards, policies and guidelines included in the OU Admin training such as the naming convention and use of privileged accounts;
      I would like to read what these standards, policies and guidelines are exactly.

      A: See the attached PowerPoint.  This will answer your questions at a high level.  For more detailed answers you would need to attend OU admin training.

      Q: Section 2.1.2 Boundaries of Service Features and Functions – Third bullet point
      UNM IT reserves the right to apply security policy settings through domain GPO with reasonable
      notification;
      What is the definition of “reasonable”, reasonable by whose standard UNM IT or the department that may be adversely affected.  How much time would we have for researching proposed change and testing?  

      A: Changes to domain or forest wide GPO’s would go through our change management process and the change will be communicated through a number of channels including IT alerts and the OU admin listserv.  If we anticipate that a change could impact customers we would solicit feedback from the OU admins.  The amount of time we give depends on the reason for the change.  If a GPO is being implemented to resolve a severe, time sensitive issue, the implementation would need to happen faster than a GPO meant to address a UNM policy change.  Changes to Domain or Forest wide GPO’s are extremely rare and are handled on a case by case basis.  To date there is only one domain wide GPO and it is the password policy.  

      Q: Where can we go to review the current security policy settings?

      A: OU’s are currently delivered with 2 policies 1. The WSUS patch management policy which is adjustable to fit your needs and the local admin policy that give the OU admins local admin rights to all systems in their OU. Additional policies can be configured. It is the customer’s responsibility to configure additional policies for their department.   

      Q: Bullet point 6
      User management such as creation of new accounts, and password management is done through NetID service and not directly performed in AD. 
      We create user accounts several times per year as a matter of course, and we use provisioning tools to both create the account and its associated mail box.  Would we be able to continue this practice if we were being hosted on this system?
      We also create accounts for adjuncts and students that are not enrolled at unm as regular employees and or students, would we still be allowed to do this?

      A: You can continue the processes listed above using the NetID service.  Email boxes are automatically provisioned through the NetID service.  The NetID service allows for all of the scenarios in your questions above.  Generally, no user accounts should not be created in Active Directory outside of the NetID service but exceptions can be made with adequate justification.  Creating accounts outside of the NetID service disassociates the account from the service degrading security and in many cases degrades the user experience.            

      Q: Section 2.2.1 General Service Levels
      Network security scans are completed for all systems slated for AD migration;
      Is there a charge for this service?

      A: This is an old practice that we have demised.  We no longer require a security scan of systems before migrating to the Enterprise AD.  I will remove this from the SLA.  If the customer is migrating data to our windows file storage service we scan the data at no charge.     

      Q: Default policies configured for Department IT OU.
      What is the default policy currently?

      A: OU’s are delivered with 2 policies 1. The WSUS patch management policy which is adjustable to fit your needs and the local admin policy that give the OU admins local admin rights to all systems in the OU. Additional policies can be configured. It is the customer’s responsibility to configure additional policies for their department.   

    • #654
      jwong
      Participant

      Questions: 
      1. If I am a new customer, do I need a sla specifically for my needs.  Does this mean departments that are not on already on IT AD and want to use this service will need an SLA?

      2. There is no AD category in UNM.Help.  How do I get to the support items for CAS and AD using Help.UNM.

      2.1.1  It would be helpful to provide a URL that has the AD OU admin best practices, standards and guidelines that the OU administrators can reference. 
      Will the OU Admin training have a set monthly schedule? If so, it would be helpful to add an URL to this SLA so OU Admins can sign up for the training. 

      2.1.2  It would be helpful to provide references to other SLAs and Standards for IT issues which are not covered by this SLA but which are related to Active Directory.  For example, server hosting, print/file management, LoboCloud, Workstations management.

      What do you mean by resale? Can you please define resale of service?

    • #683
      bpietrewicz
      Keymaster

      Q:If I am a new customer, do I need a sla specifically for my needs.  Does this mean departments that are not on already on IT AD and want to use this service will need an SLA?

      A: This SLA applies to all departments that are already in AD and will apply to new departments that will be joining AD. 

      Q: There is no AD category in UNM.Help.  How do I get to the support items for CAS and AD using Help.UNM.

      A: There is a category for AD in help.UNM called ‘Active Directory OU Administration request’.

      Q: It would be helpful to provide a URL that has the AD OU admin best practices, standards and guidelines that the OU administrators can reference. 

      A: OU Admin documents are stored in WES SharePoint site. Once OU Admins complete the training, they get access to that site.  You do not need to be a customer to take the OU admin training. 

      Q: Will the OU Admin training have a set monthly schedule? If so, it would be helpful to add an URL to this SLA so OU Admins can sign up for the training. 

      A: Currently we provide OU Admin training to new departments that are joining AD. Existing OU Admins can also request training through help.UNM. As of today, we don’t have a set monthly schedule; however in the future if we decide to have a set schedule, we will post it in Active Directory service catalog. 

      Q: It would be helpful to provide references to other SLAs and Standards for IT issues which are not covered by this SLA but which are related to Active Directory.  For example, server hosting, print/file management, LoboCloud, Workstations management.

      A: All SLA’s are being posted for comment.  All IT services will be in the IT service catalog.  There is discussion about posting a link to SLA’s in the associated service catalog entry.  I will discuss this with our agreement committee.    

      Q: What do you mean by resale? Can you please define resale of service?
      A: If any IT services are being used to generate revenue directly or indirectly it must be disclosed. Ex: If a department charges to host or manage an application and the application is hosted in LoboCloud, this must be disclosed. 

Viewing 5 reply threads
  • The topic ‘Identity Management – Active Directory’ is closed to new replies.