Reply To: Identity Management – Active Directory

#650
bpietrewicz
Keymaster

Q: Section 2.1.1 End-User Requirements to Use the Service – Third bullet point
OU Administrators will adhere to the standards, policies and guidelines included in the OU Admin training such as the naming convention and use of privileged accounts;
I would like to read what these standards, policies and guidelines are exactly.

A: See the attached PowerPoint.  This will answer your questions at a high level.  For more detailed answers you would need to attend OU admin training.

Q: Section 2.1.2 Boundaries of Service Features and Functions – Third bullet point
UNM IT reserves the right to apply security policy settings through domain GPO with reasonable notification;
What is the definition of “reasonable”? Reasonable by whose standard, UNM IT's or that of the department that may be adversely affected? How much time would we have for researching the proposed change and testing?

A: Changes to domain- or forest-wide GPOs would go through our change management process, and the change will be communicated through a number of channels including IT alerts and the OU admin listserv. If we anticipate that a change could impact customers, we would solicit feedback from the OU admins. The amount of time we give depends on the reason for the change. If a GPO is being implemented to resolve a severe, time-sensitive issue, the implementation would need to happen faster than a GPO meant to address a UNM policy change. Changes to domain- or forest-wide GPOs are extremely rare and are handled on a case-by-case basis. To date there is only one domain-wide GPO, and it is the password policy.

Q: Where can we go to review the current security policy settings?

A: OUs are currently delivered with two policies: 1. the WSUS patch management policy, which is adjustable to fit your needs, and 2. the local admin policy, which gives the OU admins local admin rights to all systems in their OU. Additional policies can be configured. It is the customer's responsibility to configure additional policies for their department.

Q: Bullet point 6
User management, such as creation of new accounts and password management, is done through the NetID service and not directly performed in AD.
We create user accounts several times per year as a matter of course, and we use provisioning tools to both create the account and its associated mailbox. Would we be able to continue this practice if we were being hosted on this system?
We also create accounts for adjuncts and students who are not enrolled at UNM as regular employees and/or students; would we still be allowed to do this?

A: You can continue the processes listed above using the NetID service. Email boxes are automatically provisioned through the NetID service. The NetID service allows for all of the scenarios in your questions above. Generally, no user accounts should be created in Active Directory outside of the NetID service, but exceptions can be made with adequate justification. Creating accounts outside of the NetID service disassociates the account from the service, degrading security and in many cases degrading the user experience.

Q: Section 2.2.1 General Service Levels
Network security scans are completed for all systems slated for AD migration;
Is there a charge for this service?

A: This is an old practice that we have discontinued. We no longer require a security scan of systems before migrating to the Enterprise AD. I will remove this from the SLA. If the customer is migrating data to our Windows file storage service, we scan the data at no charge.

Q: Default policies configured for Department IT OU.
What is the default policy currently?

A: OUs are delivered with two policies: 1. the WSUS patch management policy, which is adjustable to fit your needs, and 2. the local admin policy, which gives the OU admins local admin rights to all systems in the OU. Additional policies can be configured. It is the customer's responsibility to configure additional policies for their department.
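Added example, not part of the original thread or of UNM IT's tooling: a PowerShell script an OU admin could run from a domain-joined workstation with RSAT (the GroupPolicy and ActiveDirectory modules) to answer the "where can we review the current security policy settings" question for themselves. It reads the domain password policy (the one domain-wide GPO the reply mentions), lists every GPO linked to or inherited by a given OU in precedence order (the WSUS and local-admin policies delivered with an OU would appear here, along with anything inherited from the domain), exports each applied GPO to an HTML report, and checks who actually holds local Administrators on the machine it runs from. The OU distinguished name, domain and report folder are placeholders to replace.

```powershell
# Added example (not from the original thread). Requires RSAT: the GroupPolicy and
# ActiveDirectory modules, run as a user who can read GPOs in the domain.
# The OU path and report folder below are placeholders; replace them.
param(
    [string]$OuDn      = 'OU=ExampleDept,OU=Departments,DC=example,DC=edu',  # placeholder
    [string]$ReportDir = (Join-Path $env:TEMP 'gpo-review')                    # placeholder
)

Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# 1. Domain-wide password policy. The reply says the only domain-wide GPO is the
#    password policy; this shows the resulting settings on the domain object.
$domain = (Get-ADDomain).DNSRoot
Write-Host "Default domain password policy for $domain"
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                ComplexityEnabled, LockoutThreshold, LockoutDuration

# 2. Which GPOs actually apply to this OU: links on the OU itself plus everything
#    inherited from parent OUs and the domain. Blocked inheritance and enforced
#    links are shown so a domain-level change can be recognised for what it is.
$inh = Get-GPInheritance -Target $OuDn
Write-Host "`nInheritance blocked on ${OuDn}: $($inh.GpoInheritanceBlocked)"
Write-Host "Applied GPOs in precedence order (1 = highest):"
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize

# 3. Export each applied GPO to an HTML report so the settings (for example the
#    WSUS server and the group added to local Administrators) can be read offline
#    and diffed against the next export when a change is announced.
foreach ($link in $inh.InheritedGpoLinks) {
    $safe = $link.DisplayName -replace '[\\/:*?"<>|]', '_'
    $out  = Join-Path $ReportDir "$safe.html"
    Get-GPOReport -Guid $link.GpoId -ReportType Html -Path $out
    Write-Host "wrote $out"
}

# 4. Sanity check on the machine you run this from: who holds local admin after
#    the OU local-admin policy has applied? Needs Windows 10 / Server 2016 or later
#    (Microsoft.PowerShell.LocalAccounts); run gpupdate first if the GPO is new.
Write-Host "`nLocal Administrators on $env:COMPUTERNAME"
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Keeping the exported reports under version control gives an OU admin a concrete baseline to compare against when a domain- or forest-wide GPO change is announced, which is the practical form of the "time to research and test" the question asks about.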