Active Directory Overview

Active Directory Components

The LBL Active Directory Structure consists of:

  • A single Forest
  • A single root domain
  • Multiple Organizational Units (OUs), each containing:
    • Computer Accounts
    • User Accounts
    • Groups
    • Group Policy Objects
  • Domain controllers (software and hardware)
    • 2 Domain Controllers in the 50A-1156 machine room
    • 2 remote Domain Controllers located in buildings 15 and 977 a.k.a. Potter Street.

Organizational Units (OUs)

Departments and units are encouraged to join the LBL forest as an Organizational Unit.

  1. OUs are containers for directory objects (i.e., user, computer, and policy objects)
  2. The primary purpose of an OU is to make management and delegation easier
  3. Control of an OU in the LBL forest will be delegated to an OU administrator group
  4. The OU Admin group will have the ability to manage users, computers, local security groups, and Group Policy Objects (GPOs) in their OU and sub-OUs

Computer Accounts

[Summary of computer account info ]

Because the LBL forest consists of a single domain, and every computer account in a domain must have a unique name, you cannot use a computer name that has already been assigned to another computer in the LBL domain.

User Accounts

[overview of user account ]

The account name must be unique within the LBL domain. The AD user account name should match the employee's Berkeley Lab Identity account name.

Groups

Groups represent a tool for organizing user accounts so that resources may be assigned in an efficient way.

  1. A Microsoft Active Directory group may be one of six types. The type generally used at Berkeley Lab for this purpose is the Global Security Group.
  2. The LBL recommended naming standard for Active Directory security and distribution group names is oun-GroupName, where oun is your OU name and GroupName is a descriptive name that explains the purpose of the group.

GPO section

[ overview of GPO ]

GPOs are a set of common configuration settings used for distributing software, changing the user environment, and managing directory objects such as computers and users.

OU admins are required to name their GPOs using <top-level OU name>-<GPO purpose>, such as CIS-DesktopRestrictions, so that GPOs created by one OU admin group are not accidentally linked by another OU admin group.
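As an added example (not part of the LBL page or its tooling), the following PowerShell audit checks one top-level OU against the oun-GroupName and <OU>-<purpose> conventions described in the Groups and GPO sections: it flags groups with non-standard names or the wrong type, and GPOs directly linked to the OU whose prefix belongs to a different OU, which is the accidental cross-link the naming rule is meant to prevent. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and uses "CIS" only as a placeholder OU name.

```powershell
# Added example: audit one top-level OU for the LBL naming standards.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; "CIS" is a placeholder OU name.
param([string]$OuName = 'CIS')

Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=$OuName,$domainDN"

# Every top-level OU name is a legal prefix; any other prefix is non-compliant.
$topLevelOUs = Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN -SearchScope OneLevel |
               Select-Object -ExpandProperty Name
$prefixAlternation = ($topLevelOUs | ForEach-Object { [regex]::Escape($_) }) -join '|'
$namePattern = "^($prefixAlternation)-[A-Za-z0-9]+$"   # oun-GroupName / OU-GPOpurpose

# 1. Groups in this OU and its sub-OUs: name must be <this OU>-<Name>,
#    and the recommended type is a Global Security group.
Get-ADGroup -Filter * -SearchBase $ouDN -SearchScope Subtree | ForEach-Object {
    if ($_.Name -notmatch $namePattern) {
        Write-Output "GROUP  non-standard name:            $($_.Name)"
    }
    elseif ($_.Name -notlike "$OuName-*") {
        Write-Output "GROUP  carries another OU's prefix:  $($_.Name)"
    }
    if ($_.GroupScope -ne 'Global' -or $_.GroupCategory -ne 'Security') {
        Write-Output "GROUP  not a Global Security group:  $($_.Name) ($($_.GroupScope)/$($_.GroupCategory))"
    }
}

# 2. GPOs linked directly to this OU (inherited domain-level links are excluded):
#    a link whose prefix names a different OU is the cross-link to investigate.
foreach ($link in (Get-GPInheritance -Target $ouDN).GpoLinks) {
    if ($link.DisplayName -notmatch $namePattern) {
        Write-Output "GPO    non-standard name linked here: $($link.DisplayName)"
    }
    elseif ($link.DisplayName -notlike "$OuName-*") {
        Write-Output "GPO    linked from another OU's namespace: $($link.DisplayName) (enabled=$($link.Enabled))"
    }
}
```

Run it as a member of the OU admin group; an empty result means every group and directly linked GPO in the OU follows the standard.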