
AD Roles and Responsibilities


Overall Policy and Guidelines
Support
LBL Domain Administrators are on duty Monday through Friday, 8 a.m. to 5 p.m. Support outside those hours is best-effort.
The IT Division will maintain a policy and procedures web site. It will also maintain an Active Directory management web site for inventory, asset
management, and reporting purposes.
The LBL service includes only the software licenses required to operate the LBL forest and its Domain Controllers, plus the client access
licenses (CALs) that let workstations connect to it. Departments must ensure that every system participating in the LBL forest is properly
licensed for the software it runs, including its operating system or server software.
Rules of engagement
Domain Administrators will assume a hands-off approach to local OU administration. The Domain Administrators group is not responsible for the
administration of local user accounts. Only when faced with an enterprise-wide emergency, where no adequate alternative exists and every
attempt has been made to contact appropriate support personnel and relevant OU managers first, will a Domain Administrator take action at the
OU level.
Domain Administrators manage the flow of information between the LBL AD Directory Services and any other Directories.
The Domain Admins group manages the replication of directory information within the Active Directory, and makes any enterprise level
changes to the AD directory, such as schema modifications.
Replicated user data such as account name, department, phone number and affiliation -- and any other personal data replicated to the
Active Directory in the future -- are subject to being overwritten by the LBL Directory synchronization process. The authoritative Human
Resources directory is the only place where these attributes can be changed, and then only by the user.
All administrators (domain and OU) in the LBL forest must read and agree to the Roles & Responsibilities.
The OU administrator that requested the top-level OU in the LBL domain will be the person responsible for designating which administrators will
be added to this local administrative group account and for communicating back to the Domain Admin when such actions have been taken.
Specific responsibilities
Each function below is listed with its roles and responsibilities.

Domain Administrators

Domain Administrators at LBL on occasion have to perform duties associated with Schema and Enterprise
administrators as identified below.
Schema Administrator
Maintains security and integrity of schema
Oversees modifications to schema
Full disaster recovery plan and practice of schema
Enterprise Administrator
Creation and management of the forest
Overall security and reliability of the forest
Creation and removal of domains
Management of trust relationship with ALS domain
Full disaster recovery plan and practice of trusts
Domain Administrator
Creation and management of directory infrastructure
Includes FSMO roles, trusts, Kerberos KDCs, replication topology, etc.
Creation of all top-level OU hierarchies with subOUs, groups, and appropriate security permissions. This
includes adding the OU Admins to the AddComputers group, Group Policy Creator Owners group, and OU
Admins mail list. It also includes setting appropriate permissions on the created objects
Monitoring and reporting on the reliability and security of the domain
Use the domain admin account only for actions that require the privilege level of this account
Monitoring changes to domain root and domain controllers OU to ensure unauthorized changes do not occur
Day-to-day management of domain controllers
Monitoring connectivity, synchronization, replication, netlogon, time services, FSMO roles, schema, NTDS
database partitions, DNS settings, SRV records, and trust relationships
Review DC event and security logs and take corrective actions
Monitor and resolve security situations at all levels of domain to ensure stable and secure domain
Domain Controller Management
Physical security of the domain controllers in IT Division space and oversight of all domain controllers
Backups and restores on domain controllers
Full disaster recovery plan and practice of DCs and core Directory objects
Policy monitoring and compliance
Apply and enforce LBL standard naming conventions for objects in the domain
Comply with LBL AD policies and standards as defined on the AD Web Site
Monitor compliance with LBL AD policies and standards as defined on the AD Web Site, including change
management
Communication and coordination
Arbitrate disputes between OU Admins
Provide OU Admins assistance when requested
Coordination with CPP to ensure the LBL domain is secure
Comply with all CPPM orders regarding emergency conditions
Work collectively with the OU administrators
Secure remote administration of the DCs and member servers managed by the Infrastructure Group
Manage group policy at root of domain and for Domain Controllers OU
Manage the Users and Computers Containers
Install and manage security reporting tools used to monitor changes to the Active Directory
Coordinate and configure alarm distribution to OU Admins for OU-related events
Plan and manage all migrations and upgrades related to the AD or the DCs
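The monitoring duties above (replication, netlogon, time services, FSMO roles, DNS SRV records, trust relationships) can be checked from one read-only script. The following is an added example, not part of the LBL policy or its tooling. It assumes the RSAT ActiveDirectory module in a domain-joined Windows PowerShell 5.1 session (Get-Service -ComputerName is not available in PowerShell 7) and an account allowed to query every DC; the domain name is taken from the session's current domain.

```powershell
# Added example: read-only health check for the items a Domain Administrator monitors.
# Assumes RSAT ActiveDirectory module, Windows PowerShell 5.1, rights to query all DCs.
Import-Module ActiveDirectory

function Test-DomainInfrastructureHealth {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest
    $dcs    = Get-ADDomainController -Filter * -Server $Domain

    # FSMO role holders: each must be a live DC that appears in $dcs
    $fsmo = [pscustomobject]@{
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }

    # Replication: any inbound failure between partners anywhere in the domain
    $replFailures = Get-ADReplicationFailure -Target $Domain -Scope Domain |
        Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError

    # SRV records clients use to locate an LDAP server and a KDC; normalise to FQDN
    $ldapSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget.TrimEnd('.') }
    $kdcSrv  = Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget.TrimEnd('.') }

    # Per-DC: Netlogon running, time source, and still advertised in DNS
    $perDc = foreach ($dc in $dcs) {
        $name = $dc.HostName
        [pscustomobject]@{
            DC         = $name
            Site       = $dc.Site
            IsGC       = $dc.IsGlobalCatalog
            Netlogon   = (Get-Service -ComputerName $name -Name Netlogon -ErrorAction SilentlyContinue).Status
            TimeSource = (w32tm /query /computer:$name /source 2>&1) -join ' '
            InLdapSrv  = $ldapSrv -contains $name   # -contains is case-insensitive
            InKdcSrv   = $kdcSrv  -contains $name
        }
    }

    # Trusts: direction, transitivity, and whether SID filtering is enforced
    $trusts = Get-ADTrust -Filter * -Server $Domain |
        Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringQuarantined, SelectiveAuthentication

    [pscustomobject]@{
        FSMO                = $fsmo
        ReplicationFailures = $replFailures
        DomainControllers   = $perDc
        Trusts              = $trusts
    }
}

$health = Test-DomainInfrastructureHealth
$health.FSMO                | Format-List
$health.ReplicationFailures | Format-Table -AutoSize
$health.DomainControllers   | Format-Table -AutoSize
$health.Trusts              | Format-Table -AutoSize
```

Anything with a non-empty ReplicationFailures list, a DC whose Netlogon is not Running, a DC missing from either SRV set, or a trust with SIDFilteringQuarantined set to False where it is expected to be True is what the "take corrective action" duty refers to; repadmin /replsummary and dcdiag remain the tools for the follow-up diagnosis.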

OU Administrators

Ensure overall security and integrity of their managed OU hierarchy


Use the OU admin account only for actions that require the privilege level of this account
Monitoring changes to OU hierarchy to ensure unauthorized changes do not occur
Delegation of authority to others for appropriate object administration in their OU hierarchy
Account management
Creation/deletion/management of objects (e.g. local user accounts, groups, workstations, servers, printers) in their OU
hierarchy
Regularly perform housekeeping to keep the OU hierarchy clear of stale, unused, expired, or otherwise unneeded objects
Process requests for access control authorized by data owner
Process requests for group drive mappings via login script
Create new computer accounts and join to directory services
The OU administrator will designate which administrators have "account operator" access to the Windows user
accounts for users in their department.
These account operators will have privileges that let them make changes to a subset of attributes for the
accounts in their OU
This subset of attributes includes Windows-centric information like home directory location, profile location,
terminal server settings and other kinds of user data that aren't replicated from the root of the LBL domain
Group Policy Object (GPO) administration, troubleshooting, and management
Publishing resource objects from their OU hierarchy in the Active Directory as applicable
Manage Group Policy Object (GPO) links in OU hierarchy
Coordinate activities of Member Server owners
Work with server and/or data owners to set up permissions
Policy Compliance
Comply with LBL AD policies and standards as defined on the AD Web Site
Apply LBL standard naming conventions to objects in their OU hierarchy
Contact information
Each top-level OU must contain contact information for the department to facilitate contacting OU
administrators
When OU manager changes, notify the Enterprise Administrator
Verify new software deployments and GPO policies work by testing them in the Primus test domain as appropriate.
Communication and coordination
Work collectively with the domain admins and with other OU administrators
Keep informed about domain-wide changes (e.g. attend periodic meetings of the OU administrators or
participate in mail lists)
Provide the following to the domain admins, when suspecting a desktop related problem stems from a change
to the Active Directory or DC configuration
1. event description
2. logon name of affected user
3. name of affected computer
4. time of event
5. relevant warnings and errors in event logs
6. relevant warnings or errors displayed on screen
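The "account operator" delegation described above (write access to a subset of Windows-centric attributes, and nothing else) is an attribute-scoped ACE on the department's OU, inherited by user objects only. The following is an added example, not part of the LBL policy; the OU and group names are hypothetical, and it assumes the RSAT ActiveDirectory module and rights to change the OU's ACL. The attribute and class GUIDs are looked up from the schema rather than hard-coded.

```powershell
# Added example: delegate write access to only the named user attributes on
# user objects under one OU. Hypothetical OU/group names; assumes RSAT module.
Import-Module ActiveDirectory

function Grant-OuAccountOperator {
    param(
        [Parameter(Mandatory)][string]$OuDn,        # e.g. "OU=Physics,DC=lbl,DC=gov" (hypothetical)
        [Parameter(Mandatory)][string]$GroupName,   # e.g. "Physics-AccountOperators" (hypothetical)
        # userParameters carries the Terminal Services profile/home settings
        [string[]]$Attributes = @('homeDirectory', 'homeDrive', 'profilePath', 'scriptPath', 'userParameters')
    )
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupName).SID

    # Resolve an attribute or class name to its schemaIDGUID
    function Get-SchemaGuid([string]$ldapDisplayName) {
        $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
        if (-not $obj) { throw "schema object '$ldapDisplayName' not found" }
        [guid]$obj.schemaIDGUID
    }
    $userClassGuid = Get-SchemaGuid 'user'

    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($attr in $Attributes) {
        # One ACE per attribute: Read+Write on that property, inherited by user objects only
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
             [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-SchemaGuid $attr),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userClassGuid)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Verify what the group can now do under the OU, one ACE per attribute
function Get-OuDelegation {
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}

Grant-OuAccountOperator -OuDn 'OU=Physics,DC=lbl,DC=gov' -GroupName 'Physics-AccountOperators'
Get-OuDelegation        -OuDn 'OU=Physics,DC=lbl,DC=gov' -GroupName 'Physics-AccountOperators'
```

Because each ACE names a specific attribute GUID and is inherited only by objects of class user, the group cannot touch replicated attributes such as department or phone number, cannot reset passwords (an extended right that is not granted here), and gains nothing on groups or computers in the same OU.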

Server Owners
(may be a dual role
with the OU
administrator)

Host and maintain the server (e.g., IIS, a business-specific service)
Patching/software upgrades
Volume/partition space management
Hardware migration
Software licenses for all member server(s) added to their OU hierarchy
Hardware maintenance for all non-Infrastructure-managed member servers
Operating system maintenance for all non-Infrastructure-managed member servers
Maintain level of member server system security by applying Service Packs and security patches
Department application, file service, workstation and printer support
Create printer objects and access control lists.
Backup/recovery
Full disaster recovery plan and practice

Desktop Support

Request drive mappings via login script from the OU manager when needed
Add user domain account to workstation
Assist data owners with archiving to offline storage (DVD/CD)
Provide the following (if possible) to the domain admins, when suspecting a desktop related problem stems from a
change to the Active Directory or DC configuration
1. event description
2. logon name of affected user
3. name of affected computer
4. time of event
5. relevant warnings and errors in event logs
6. relevant warnings or errors displayed on screen

Data Owners

Request workspace from OU manager


Setup data access control lists with OU manager
Provide space usage projections to OU manager
Perform housekeeping and periodic data cleanup
Request drive mappings via login script from the OU manager when needed

Help Desk

Create new user accounts


Disable user accounts for ex-staff (remove password)
Password reset service
Creating and routing of tickets related to Active Directory issues

End user

Users who experience problems with a particular service should contact the IT Help Desk for general questions.
If the issue can't be resolved, the Help Desk (or the end user) can contact the OU administrator.
