2. Computer Names
3. User Account Names
4. Security and Distribution Groups
5. Group Policy Objects (GPOs)
6. UVM Organization Prefixes
The creation and maintenance of Active Directory user, group, and computer accounts is a shared responsibility. These naming standards are meant to maintain an orderly forest, to ease recognition of forest resources, and to help avoid naming collisions.
Windows 2000/XP/2003 computers have two names: a Fully Qualified Domain Name (FQDN) and a "pre-Windows 2000", or NetBIOS, name. In most cases the host portion of the FQDN and the NetBIOS name are identical. Computer names in the UVM Active Directory should be limited to 15 characters, which is the NetBIOS maximum.
Default Workstation Naming: All workstation computers added to the domain should have their computer name set to the MAC (Ethernet hardware) address of the system's primary network interface. This convention minimizes or eliminates name collisions on the network and makes it easier to physically locate a computer from its network address.
Alternative 1: If a workstation will be accessed by a single user only, the workstation name may be set to the user's NetID, with or without a descriptive suffix (e.g. "mkapoodle-desktop" or "mkapoodle-mobile").
Alternative 2: All Dell systems ship with an "Asset Tag". The six-character departmental designator, followed by the Dell Asset Tag, is an approved naming scheme.
The MAC address can be determined by using the "ipconfig" command line utility:
C:\> ipconfig /all
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . : uvm.edu
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Physical Address. . . . . . . . . : 00-02-2D-6B-05-74
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 22.214.171.124
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 126.96.36.199
DHCP Server . . . . . . . . . . . : 188.8.131.52
DNS Servers . . . . . . . . . . . : 184.108.40.206
Primary WINS Server . . . . . . . : 220.127.116.11
Secondary WINS Server . . . . . . : 18.104.22.168
Lease Obtained. . . . . . . . . . : Wednesday, March 24, 2004 8:50:33 AM
Lease Expires . . . . . . . . . . : Wednesday, March 31, 2004 8:50:33 AM
Remove the hyphens from the "Physical Address" shown in the "ipconfig /all" output to obtain the Windows computer name; for the adapter above, the name is 00022D6B0574.
Optionally, container administrators may prepend the departmental designator (up to six characters) to the computer name. Thus the same computer, in the Computing and Information Technology (CIT) department, would take the name CIT00022D6B0574. Note that this name is exactly 15 characters: a designator longer than three characters pushes a MAC-based name past the 15-character NetBIOS limit.
Server systems in the domain may take any reasonable name at the discretion of the local systems administrator, as long as the chosen name does not violate the campus DNS policy.
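The MAC-based workstation naming procedure above, carried through in PowerShell as an added example (it is not part of the UVM standard). It parses the "Physical Address" line out of saved ipconfig output, strips the hyphens, optionally prepends the departmental designator, and refuses any result longer than the 15-character NetBIOS limit. The function names ConvertTo-UvmComputerName and Get-MacFromIpconfigText are hypothetical, and the sample text is the adapter block from the ipconfig output shown above.

```powershell
# Added example, not part of the UVM naming standard. ConvertTo-UvmComputerName
# and Get-MacFromIpconfigText are hypothetical helper names chosen for this example.

function ConvertTo-UvmComputerName {
    param(
        [Parameter(Mandatory)] [string] $MacAddress,   # e.g. "00-02-2D-6B-05-74"
        [string] $Designator = ''                       # optional, up to six characters
    )
    # Accept both the hyphenated (ipconfig) and colon-separated (WMI) forms.
    $hex = ($MacAddress -replace '[-:]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{12}$') {
        throw "Not a 48-bit MAC address: '$MacAddress'"
    }
    if ($Designator.Length -gt 6 -or $Designator -notmatch '^[A-Za-z0-9]*$') {
        throw "Departmental designator must be up to six alphanumeric characters: '$Designator'"
    }
    $name = ($Designator + $hex).ToUpper()
    # NetBIOS (pre-Windows 2000) computer names are limited to 15 characters.
    if ($name.Length -gt 15) {
        throw "Computer name '$name' is $($name.Length) characters; the NetBIOS limit is 15"
    }
    return $name
}

function Get-MacFromIpconfigText {
    param([Parameter(Mandatory)] [string[]] $Lines)
    # Return the first "Physical Address" value. The primary interface is the
    # first adapter listed in "ipconfig /all" output.
    foreach ($line in $Lines) {
        if ($line -match 'Physical Address[ .]*:\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})') {
            return $Matches[1]
        }
    }
    throw 'No Physical Address found in ipconfig output'
}

# Constructed sample: the adapter lines from the ipconfig output shown above.
$sample = @'
Ethernet adapter Wireless Network Connection:
   Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
   Physical Address. . . . . . . . . : 00-02-2D-6B-05-74
'@ -split "`r?`n"

$mac = Get-MacFromIpconfigText -Lines $sample
ConvertTo-UvmComputerName -MacAddress $mac                     # 00022D6B0574
ConvertTo-UvmComputerName -MacAddress $mac -Designator 'CIT'   # CIT00022D6B0574

# On the workstation itself the primary adapter's MAC can be read from WMI
# instead of parsing ipconfig. WMI returns the colon-separated form, which the
# function accepts:
# $mac = (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
#         Select-Object -First 1).MACAddress
```

The length check is the part worth keeping: a three-character designator plus the twelve hex digits of the MAC is exactly 15 characters, so a longer designator (the standard allows up to six) cannot be combined with the MAC-based name without exceeding the NetBIOS limit. Throwing rather than silently truncating avoids creating a computer whose DNS host name and NetBIOS name differ.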
User account names for all University affiliates are populated via a nightly feed from the UVM LDAP Directory. The following attributes are set by this feed. Where the value is marked "User-defined", the attribute may be modified from the UVM Directory pages:
| Active Directory Users and Computers GUI Name | LDAP Attribute | Value |
|---|---|---|
| Account Name | cn: | <LastName>, <FirstName> <NetID> |
| Title | title: | <HR Position Title> |
| Description | description: | <Faculty, Staff or Student> (single-valued; shows the primary affiliation only!) |
| Office | physicalDeliveryOfficeName: | <HR or Student System Office Address> |
| Telephone number | telephoneNumber: | <HR or Student System Telephone Number> |
| Fax | facsimileTelephoneNumber: | <User-defined fax number> |
| Initials | initials: | <HR or Student System initials> |
| Display Name | displayName: | <LastName>, <FirstName> |
| Telephone number ("Other..." button) | otherTelephone: | <User-defined Telephone Number> |
| Member Of (tab) | memberOf: | <HR and Student Group Object DN> |
| Department | department: | <HR Department Classification> |
| Company | company: | University of Vermont and State Agricultural College |
| Web page | wWWHomePage: | <User-defined home page> |
| (Same as Account Name) | name: | <LastName>, <FirstName> <NetID> |
| User logon name (pre-Windows 2000) | sAMAccountName: | <NetID> |
| User logon name | userPrincipalName: | <NetID>@campus.ad.uvm.edu |
| Security Identity Mapping (Advanced view only) | altSecurityIdentities: | Kerberos:<NetID>@uvm.edu |
The following attributes are populated for users of Windows Services by a separate nightly update process. Container (OU) administrators may modify these attributes if necessary:
| Active Directory Users and Computers GUI Name | LDAP Attribute | Value |
|---|---|---|
| Home folder "To" | homeDirectory: | <defined by OU administrator or Windows Services Administrators> |
| Home folder "Connect" | homeDrive: | <defined by OU administrator or Windows Services Administrators> |
| "Managed By" field on selected computer object | managedObjects: | <defined by OU administrator or Windows Services Administrators> |
Container administrators may need to create custom administrative user accounts. These accounts should adhere to the following convention to avoid collisions with the UVM LDAP feed:
Use your department's six-letter designator followed by a hyphen (-), then the administrator's NetID, if they have one.
For an administrator with NetID=jmackinn in the Computing and Information
Windows limits a user account's "pre-Windows 2000" (NetBIOS) logon name, the sAMAccountName, to 20 characters; for consistency with the computer naming standard, keep these administrative account names to 15 characters or fewer.
A Windows 2000 Active Directory group may be one of six types. Two broad categories, "security" and "distribution", define the general kind of group. Each of these is further defined by scope as "domain local", "global", or "universal". See the Microsoft paper Active Directory Users, Computers and Groups for a more detailed explanation of Active Directory groups.
The UVM recommended naming standard for Active Directory security and distribution group names is:
| Element | Meaning |
|---|---|
| dddd | UVM six-letter department designator |
| tt | type of group (ls, gs, us, ld, gd, ud); see Note, below |
| group_name | descriptive name which explains the purpose of the group |
Active Directory group type codes (tt) are:
| tt | Group type |
|---|---|
| ls | domain local security |
| gs | global security |
| us | universal security |
| ld | domain local distribution |
| gd | global distribution |
| ud | universal distribution |
Because universal group membership is replicated to every global catalog server in the forest, groups must be populated in ways that minimize replication traffic. Use global and domain local groups where possible. If you need to create a universal group, avoid populating it with individual users; instead, nest global groups in the universal group so that membership changes are made in the global group and do not trigger global catalog replication.
Note: All group types in AD are displayed with the same group icon, which can be visually confusing. The Active Directory Users and Computers console does show the group type field; however, testing has shown that after changes are made to an individual group, the user interface may no longer display the group type description. This can cause confusion and lead to error, which is why we include the group type as part of the group naming scheme. Using this scheme will help prevent administrators from choosing the wrong group when they manage groups within groups, in their own domain and across other domains.
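Because the console may stop showing the group type, the type code in the name is only useful if it actually matches the object's groupType attribute. The following added PowerShell example (not part of the UVM standard) checks that agreement for a list of groups. It assumes names are written as "dddd-tt-group_name" with hyphen separators, which this page does not specify, so adjust the regular expression if your OU uses a different separator. Test-UvmGroupName is a hypothetical function name, the sample groups are constructed, and the OU distinguished name in the trailing comment is an assumed example.

```powershell
# Added example, not part of the UVM naming standard. Assumes the format
# "dddd-tt-group_name" (hyphen-separated); the page does not state a separator.
# Test-UvmGroupName is a hypothetical function name chosen for this example.

# The two-letter type codes and the Active Directory groupType values they
# correspond to. Security groups carry the 0x80000000 flag (negative as Int32);
# distribution groups do not. Scope bits: 2 = global, 4 = domain local, 8 = universal.
$UvmGroupTypeCode = @{
    'gs' = -2147483646   # 0x80000002 global security
    'ls' = -2147483644   # 0x80000004 domain local security
    'us' = -2147483640   # 0x80000008 universal security
    'gd' = 2             # global distribution
    'ld' = 4             # domain local distribution
    'ud' = 8             # universal distribution
}

function Test-UvmGroupName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $GroupType   # value of the object's groupType attribute
    )
    if ($Name -notmatch '^(?<dept>[A-Za-z0-9]{1,6})-(?<tt>[lgu][sd])-(?<desc>.+)$') {
        return [pscustomobject]@{ Name = $Name; Ok = $false; Reason = 'name does not follow dddd-tt-group_name' }
    }
    $tt       = $Matches['tt'].ToLower()
    $expected = $UvmGroupTypeCode[$tt]
    if ($expected -ne $GroupType) {
        # Look up which code the real groupType corresponds to, for the report.
        $actual = ($UvmGroupTypeCode.GetEnumerator() |
                   Where-Object { $_.Value -eq $GroupType } |
                   Select-Object -First 1).Key
        return [pscustomobject]@{ Name = $Name; Ok = $false; Reason = "name says '$tt' but groupType $GroupType is '$actual'" }
    }
    [pscustomobject]@{ Name = $Name; Ok = $true; Reason = '' }
}

# Constructed sample objects standing in for Get-ADGroup output.
$sample = @(
    @{ Name = 'CIT-gs-Helpdesk';       GroupType = -2147483646 }   # global security, matches
    @{ Name = 'CIT-us-AllStaff';       GroupType = -2147483646 }   # named universal, actually global
    @{ Name = 'BSAD-ld-KalkinLabMail'; GroupType = 4 }             # domain local distribution, matches
    @{ Name = 'Helpdesk Admins';       GroupType = -2147483646 }   # no type code in the name
)
$sample | ForEach-Object { Test-UvmGroupName -Name $_.Name -GroupType $_.GroupType } |
    Format-Table -AutoSize

# Against a live domain (requires the RSAT ActiveDirectory module; the OU DN is
# an assumed example), report only the groups whose name and type disagree:
# Get-ADGroup -Filter * -SearchBase 'OU=CIT,DC=campus,DC=ad,DC=uvm,DC=edu' -Properties groupType |
#     ForEach-Object { Test-UvmGroupName -Name $_.Name -GroupType $_.groupType } |
#     Where-Object { -not $_.Ok }
```

Run against the constructed sample, the second group is flagged because its name claims universal security while its groupType is global security, and the fourth is flagged because it carries no type code at all. Checking the groupType attribute directly, rather than trusting the console's display, is what makes the naming convention verifiable.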
The naming convention for Group Policy Objects is to use the six-letter department designator as a prefix for all Group Policy names, for instance "CIT staff policy" or "BSAD Kalkin lab policy". Prefixing Group Policy names with your departmental designator reduces the likelihood that similarly named Group Policy Objects will be confused with one another.
Containers will be named according to the managing department's six-letter designator.