Roles and Responsibilities
Overall Policy and Guidelines
Support
The LBL Domain Administrators are currently on duty Monday-Friday, from 8 a.m. to 5 p.m. Best efforts will be made during off hours.
The LBL IT Division will maintain a policy and procedures web site. It will also maintain an Active Directory management web site for inventory, asset management, and reporting purposes.
The LBL service includes only Client Access Licenses (CALs). These licenses are required to operate the LBL forest and domain controllers, and for workstations and users to connect to them. Departments must ensure that the systems they join to the LBL forest are properly licensed for the software running on them, including, but not limited to, the operating system, server operating system, and/or application software.
Rules of engagement
Domain Administrators will assume a “hands-off” approach to local OU administration. The Domain Administrators group is not responsible for the administration of local OU user accounts. Only when faced with an enterprise-wide emergency, where no adequate alternative exists and every attempt has been made to contact the appropriate support personnel and relevant OU managers first, will a Domain Administrator take action at the OU level.
Domain Administrators manage the flow of information between the LBL Active Directory Service and any other Directories.
- The Domain Administrators group manages the replication of directory information within the Active Directory, and makes any enterprise level changes to the Active Directory, such as schema modifications and trust relationships.
- Replicated user data such as account name, department, phone number and affiliation, and any future extensions of other personal data replicated to the Active Directory, are subject to being overwritten in the future by the LBL Directory synchronization process. The authoritative Human Resources directory is the only place where these attributes can be changed, and then only by the user.
All administrators (Domain and OU) in the LBL forest must read and agree to these Roles & Responsibilities.
The OU administrator that requested the top-level OU in the LBL domain will be the person responsible for designating which administrators will be added to this local OU administrative group and for communicating back to the Domain Admins when such actions have been taken.
Specific responsibilities
Domain Administrators

Domain Administrators at LBL, on occasion, have to perform the duties associated with the Schema Administrator and Enterprise Administrator roles identified below.

Schema Administrator
- Maintains security and integrity of the schema
- Oversees modifications to the schema
- Full disaster recovery plan and practice of schema recovery

Enterprise Administrator
- Creation and management of the forest
- Overall security and reliability of the forest
- Creation and removal of domains
- Management of the trust relationship with the ALS domain
- Management of the trust relationship with the JGI-OSF domain
- Full disaster recovery plan and practice of trust recovery

Domain Administrator
- Creation and management of directory infrastructure
  - Includes FSMO roles, trusts, Kerberos KDCs, replication topology, etc.
  - Creation of all top-level OU hierarchies with LBL standard sub-OUs, groups, and appropriate security permissions. This includes adding the OU Admins to the AddComputers group, the Group Policy Creator Owners group, and the OU Admins mail list. It also includes setting appropriate permissions on the created objects and linking the default GPOs.
- Monitoring and reporting associated with the reliability and security of the domain
- Use the domain admin account only for actions that require the privilege level of this account
- Monitoring changes to the domain root and the Domain Controllers OU to ensure unauthorized changes do not occur
- Day-to-day management of the domain controllers
- Monitoring connectivity, synchronization, replication, netlogon, time services, FSMO roles, schema, NTDS database partitions, DNS settings, SRV records, and trust relationships
- Review DC event and security logs and take corrective actions
- Monitor and resolve security situations at all levels of the domain to ensure a stable and secure domain
- Domain Controller Management
  - Physical security of the domain controllers in IT Division space and oversight of all domain controllers
  - Backups and restores on domain controllers
  - Full disaster recovery plan and practice recovery of DCs and core directory objects
- Policy monitoring and compliance
  - Apply and enforce LBL standard naming conventions for objects in the domain
  - Comply with LBL AD policies and standards as defined on the AD Web Site
  - Monitor compliance with LBL AD policies and standards as defined on the AD Web Site, including Change Management
- Communication and Coordination
  - Arbitrate disputes between OU Admins
  - Provide OU Admins with assistance when requested
  - Coordinate with the LBL Cyber Security group to ensure the LBL domain is secure
  - Comply with all Cyber Security group orders regarding emergency conditions
  - Work collectively with the OU administrators
- Secure remote administration of the DCs and member servers managed by the Infrastructure Group
- Manage group policy at the root of the domain and for the Domain Controllers OU
- Manage the root Users and the root Computers OUs
- Install and manage security reporting tools used to monitor changes to the Active Directory
- Coordinate and configure alarm distribution to OU Admins for OU-related events
- Plan and manage all migrations and upgrades related to the AD or the DCs

OU Administrators
- Ensure overall security and integrity of their managed OU hierarchy
- Use the OU admin account only for actions that require the privilege level of this account
- Monitoring changes to the OU hierarchy to ensure unauthorized changes do not occur
- Delegation of authority to others for appropriate object administration in their OU hierarchy
- Account management
  - Creation/deletion/management of objects (i.e. local user accounts, groups, workstations, servers, printers, etc.) in their OU hierarchy
  - Regularly perform housekeeping duties to keep their OU hierarchy clear of stale, unused, expired, and other no-longer-needed objects
  - Process requests for access control authorized by the data owner
  - Process requests for group drive mappings via login script
  - Create new computer accounts and join them to directory services
  - The OU administrator will designate which administrators have "account operator" access to the Windows user accounts for users in their department
    - These account operators will have privileges that let them make changes to a subset of attributes for the accounts in their OU
    - This subset of attributes includes Windows-centric information like home directory location, profile location, terminal server settings and other kinds of user data that are not replicated from the root of the LBL domain
- Group Policy Object (GPO) creation, troubleshooting, and management
- Publishing resource objects from their OU hierarchy in the Active Directory as applicable
- Manage Group Policy Object (GPO) links within their OU hierarchy
- Coordinate activities of Member Server owners
- Work with server and/or data owners to set up permissions
- Policy compliance
  - Comply with LBL AD policies and standards as defined on the AD Web Site
  - Apply LBL standard naming conventions to objects in their OU hierarchy
- Contact information
  - Each top-level OU must contain contact information for the department to facilitate contacting the OU administrators
  - When the OU manager changes, notify the Enterprise Administrator
- Verify that new software deployments and GPO policies work by testing them in a test domain as appropriate
- Communication and coordination
  - Work collectively with the domain admins and with other OU administrators
  - Keep informed about domain-wide changes (e.g. attend periodic meetings of the OU administrators or participate in mail lists)
  - Provide the following to the domain admins when suspecting that a desktop-related problem stems from a change to the Active Directory or DC configuration:
    - event description
    - logon name of affected user
    - name of affected computer
    - time of event
    - relevant warnings and errors in event logs
    - relevant warnings or errors displayed on screen

Server Owners (may be a dual role with OU administrator)
- Host and maintain the server (i.e. IIS, business-specific service, etc.)
- Patching/software upgrades
- Volume/partition space management
- Hardware migration
- Software licenses for all member server(s) added to their OU hierarchy
- Hardware maintenance for all non-Infrastructure-managed member servers
- Operating system maintenance for all non-Infrastructure-managed member servers
- Maintain the level of member server system security by applying Service Packs and security patches
- Department application, file service, workstation and printer support
- Create printer objects and access control lists
- Backup/recovery
  - Full disaster recovery plan and practice recovery

Desktop Support
- Request drive mapping via login script from the OU manager when needed
- Add user domain account to workstation
- Assist data owners with archiving to alternative storage (cloud/solid state device/Blu-ray/DVD/CD)
- Provide the following (if possible) to the domain admins when suspecting that a desktop-related problem stems from a change to the Active Directory or DC configuration:
  - event description
  - logon name of affected user
  - name of affected computer
  - time of event
  - relevant warnings and errors in event logs
  - relevant warnings or errors displayed on screen

Data Owners
- Request workspace from the OU manager
- Set up data access control lists with the OU manager
- Provide space usage projections to the OU manager
- Maintain housekeeping and periodic data cleanup
- Request drive mapping via login script from the OU manager when needed

Help Desk
- Create new user accounts
- Disable user accounts for ex-staff (remove password)
- Password reset service
- Creating and routing of tickets related to Active Directory issues

End user
Users who experience problems with a particular service should contact the IT Help Desk for general questions. If the issue cannot be resolved, then the Help Desk (or the end user) can contact the OU administrator.