Identity Management – Active Directory

Viewing 5 reply threads
    • #573
      recooper
      Participant

      Identity management has a very broad scope with two major components: 1. Identity and access management (accounts); 2. Systems integration. The Active Directory SLA is meant to address one of the many possible systems integration components. Additional services are available to address the systems integration component.

      • This topic was modified 8 years ago by recooper.
    • #596
      aballo
      Participant
    • #634
      jjgonza
      Participant

      Section 2.1.1 End-User Requirements to Use the Service – Third bullet point
      OU Administrators will adhere to the standards, policies and guidelines included in the OU Admin training such as the naming convention and use of privileged accounts;
      I would like to read what these standards, policies and guidelines are exactly.

      Section 2.1.2 Boundaries of Service Features and Functions – Third bullet point
      UNM IT reserves the right to apply security policy settings through domain GPO with reasonable notification;
      What is the definition of “reasonable”? Reasonable by whose standard, UNM IT’s or the department’s that may be adversely affected? How much time would we have for researching a proposed change and testing? Where can we go to review the current security policy settings?

      Bullet point 6
      User management such as creation of new accounts, and password management is done through NetID service and not directly performed in AD.
      We create user accounts several times per year as a matter of course, and we use provisioning tools to both create the account and its associated mailbox. Would we be able to continue this practice if we were being hosted on this system?
      We also create accounts for adjuncts and students that are not enrolled at UNM as regular employees and/or students; would we still be allowed to do this?

      Section 2.2.1 General Service Levels
      Network security scans are completed for all systems slated for AD migration;
      Is there a charge for this service?
      Default policies configured for Department IT OU.
      What is the default policy currently?

    • #650
      bpietrewicz
      Keymaster

      Q: Section 2.1.1 End-User Requirements to Use the Service – Third bullet point
      OU Administrators will adhere to the standards, policies and guidelines included in the OU Admin training such as the naming convention and use of privileged accounts;
      I would like to read what these standards, policies and guidelines are exactly.

      A: See the attached PowerPoint.  This will answer your questions at a high level.  For more detailed answers you would need to attend OU admin training.

      Q: Section 2.1.2 Boundaries of Service Features and Functions – Third bullet point
      UNM IT reserves the right to apply security policy settings through domain GPO with reasonable notification;
      What is the definition of “reasonable”? Reasonable by whose standard, UNM IT’s or the department’s that may be adversely affected? How much time would we have for researching a proposed change and testing?

      A: Changes to domain- or forest-wide GPOs would go through our change management process, and the change will be communicated through a number of channels including IT alerts and the OU admin listserv. If we anticipate that a change could impact customers, we would solicit feedback from the OU admins. The amount of time we give depends on the reason for the change. If a GPO is being implemented to resolve a severe, time-sensitive issue, the implementation would need to happen faster than a GPO meant to address a UNM policy change. Changes to domain- or forest-wide GPOs are extremely rare and are handled on a case-by-case basis. To date there is only one domain-wide GPO, and it is the password policy.

      Q: Where can we go to review the current security policy settings?

      A: OUs are currently delivered with two policies: 1. the WSUS patch management policy, which is adjustable to fit your needs, and 2. the local admin policy, which gives the OU admins local admin rights to all systems in their OU. Additional policies can be configured. It is the customer’s responsibility to configure additional policies for their department.

      Q: Bullet point 6
      User management such as creation of new accounts, and password management is done through NetID service and not directly performed in AD.
      We create user accounts several times per year as a matter of course, and we use provisioning tools to both create the account and its associated mailbox. Would we be able to continue this practice if we were being hosted on this system?
      We also create accounts for adjuncts and students that are not enrolled at UNM as regular employees and/or students; would we still be allowed to do this?

      A: You can continue the processes listed above using the NetID service. Email boxes are automatically provisioned through the NetID service. The NetID service allows for all of the scenarios in your questions above. Generally, no user accounts should be created in Active Directory outside of the NetID service, but exceptions can be made with adequate justification. Creating accounts outside of the NetID service disassociates the account from the service, degrading security and in many cases degrading the user experience.

      Q: Section 2.2.1 General Service Levels
      Network security scans are completed for all systems slated for AD migration;
      Is there a charge for this service?

      A: This is an old practice that we have demised. We no longer require a security scan of systems before migrating to the Enterprise AD. I will remove this from the SLA. If the customer is migrating data to our Windows file storage service, we scan the data at no charge.

      Q: Default policies configured for Department IT OU.
      What is the default policy currently?

      A: OUs are delivered with two policies: 1. the WSUS patch management policy, which is adjustable to fit your needs, and 2. the local admin policy, which gives the OU admins local admin rights to all systems in the OU. Additional policies can be configured. It is the customer’s responsibility to configure additional policies for their department.

    • #654
      jwong
      Participant

      Questions:
      1. If I am a new customer, do I need an SLA specifically for my needs? Does this mean departments that are not already on IT AD and want to use this service will need an SLA?

      2. There is no AD category in UNM.Help. How do I get to the support items for CAS and AD using Help.UNM?

      2.1.1 It would be helpful to provide a URL that has the AD OU admin best practices, standards and guidelines that the OU administrators can reference.
      Will the OU Admin training have a set monthly schedule? If so, it would be helpful to add a URL to this SLA so OU Admins can sign up for the training.

      2.1.2 It would be helpful to provide references to other SLAs and standards for IT issues which are not covered by this SLA but which are related to Active Directory. For example: server hosting, print/file management, LoboCloud, workstation management.

      What do you mean by resale? Can you please define resale of service?

    • #683
      bpietrewicz
      Keymaster

      Q: If I am a new customer, do I need an SLA specifically for my needs? Does this mean departments that are not already on IT AD and want to use this service will need an SLA?

      A: This SLA applies to all departments that are already in AD and will apply to new departments that will be joining AD. 

      Q: There is no AD category in UNM.Help. How do I get to the support items for CAS and AD using Help.UNM?

      A: There is a category for AD in help.UNM called ‘Active Directory OU Administration request’.

      Q: It would be helpful to provide a URL that has the AD OU admin best practices, standards and guidelines that the OU administrators can reference. 

      A: OU Admin documents are stored in WES SharePoint site. Once OU Admins complete the training, they get access to that site.  You do not need to be a customer to take the OU admin training. 

      Q: Will the OU Admin training have a set monthly schedule? If so, it would be helpful to add a URL to this SLA so OU Admins can sign up for the training.

      A: Currently we provide OU Admin training to new departments that are joining AD. Existing OU Admins can also request training through help.UNM. As of today, we don’t have a set monthly schedule; however, in the future, if we decide to have a set schedule, we will post it in the Active Directory service catalog.

      Q: It would be helpful to provide references to other SLAs and standards for IT issues which are not covered by this SLA but which are related to Active Directory. For example: server hosting, print/file management, LoboCloud, workstation management.

      A: All SLAs are being posted for comment. All IT services will be in the IT service catalog. There is discussion about posting a link to SLAs in the associated service catalog entry. I will discuss this with our agreement committee.

      Q: What do you mean by resale? Can you please define resale of service?

      A: If any IT services are being used to generate revenue, directly or indirectly, it must be disclosed. Ex: If a department charges to host or manage an application and the application is hosted in LoboCloud, this must be disclosed.

  • The topic ‘Identity Management – Active Directory’ is closed to new replies.