UVM Active Directory Naming Standards

Version 0.3

Updated: 06/28/2004

1. Introduction
2. Computer Names
3. User Account Names
4. Security and Distribution Groups
5. Group Policy Objects (GPOs)
6. Container (OU) Names

1. Introduction

The creation and maintenance of Active Directory user, group, and computer accounts is a shared responsibility.  These naming standards are meant to maintain an orderly forest, to ease recognition of forest resources, and to help avoid naming collisions.

2. Computer Names

Windows 2000/XP/2003 computers have two names: a Fully Qualified Domain Name (FQDN) and a "pre-Windows 2000", or NetBIOS, name.  In most cases the host portion of the two names will be identical.  Computer names in the UVM Active Directory should be constrained to 15 characters, the maximum length of a NetBIOS name; Windows forms the NetBIOS name from the first 15 characters of a longer host name, so the two names diverge if the limit is exceeded.

Default Workstation Naming:  All workstation computers added to the domain should have their computer name set to be the same as the MAC, or Ethernet Hardware address, of the primary network interface of the system.  Use of this convention will minimize or eliminate name collisions on the network, and will aid in the physical location of computers on the network. 

Alternative 1: If a workstation will be accessed by a single user only, the workstation name may be set to the user's NetID, with or without a descriptive suffix (e.g. "mkapoodle-desktop" or "mkapoodle-mobile").

Alternative 2: All Dell systems ship with an "Asset Tag".  Use of the departmental designator (up to six characters), followed by the Dell Asset Tag, is an approved naming scheme.

The MAC address can be determined by using the "ipconfig" command line utility:

C:> ipconfig /all
Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : uvm.edu
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Physical Address. . . . . . . . . : 00-02-2D-6B-05-74
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
Primary WINS Server . . . . . . . :
Secondary WINS Server . . . . . . :
Lease Obtained. . . . . . . . . . : Wednesday, March 24, 2004 8:50:33 AM
Lease Expires . . . . . . . . . . : Wednesday, March 31, 2004 8:50:33 AM

Take the "Physical Address" line for the primary network interface from the "ipconfig /all" output and remove the hyphens to obtain the Windows computer name.

Example: 00022D6B0574

Optionally, container administrators may prepend the departmental designator (up to six characters) and a hyphen to the computer name.  Thus, the same computer from the example above in the Computing and Information Technology (CIT) department would take the name:

Example: CIT-00022D6B0574

Note that a prefix pushes the name past the 15-character limit stated above: "CIT-00022D6B0574" is 16 characters, so Windows would truncate its pre-Windows 2000 name to "CIT-00022D6B057".  With a full 12-digit MAC address only three characters remain for the prefix and hyphen; a longer prefix means the NetBIOS name will not match the FQDN host name.
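The procedure above, as an added example that is not part of the original standard: a Python script that parses "ipconfig /all" output, derives the computer name from the primary adapter's MAC address, optionally prepends a departmental designator, and checks the result against the 15-character NetBIOS limit.  The ipconfig text it parses is constructed for the example (the adapter names, the second adapter and its MAC address are made up).

```python
import re

# Constructed "ipconfig /all" excerpt for this example (not a capture from
# any real machine; the second adapter and its MAC are made up).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : uvm.edu
        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
        Physical Address. . . . . . . . . : 00-02-2D-6B-05-74
        Dhcp Enabled. . . . . . . . . . . : Yes

Ethernet adapter Wireless Network Connection:

        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG
        Physical Address. . . . . . . . . : 00-0E-35-1A-2B-3C
"""

NETBIOS_MAX = 15  # pre-Windows 2000 (NetBIOS) computer name limit

ADAPTER_RE = re.compile(r"^(?:Ethernet|PPP) adapter (?P<name>.+):$")
MAC_RE = re.compile(
    r"^Physical Address[ .]*:\s*(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})$"
)


def parse_adapters(text):
    """Map adapter name -> MAC address (as printed) from ipconfig /all output."""
    adapters = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ADAPTER_RE.match(line)
        if m:
            current = m["name"]
            continue
        m = MAC_RE.match(line)
        if m and current:
            adapters[current] = m["mac"]
    return adapters


def mac_to_name(mac, prefix=""):
    """Computer name per the standard: the 12 hex digits of the MAC with
    separators removed, upper-cased, optionally prefixed with 'DEPT-'."""
    digits = re.sub(r"[-:]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{prefix.upper()}-{digits}" if prefix else digits


def netbios_name(name):
    """Windows keeps only the first 15 characters for the NetBIOS name."""
    return name[:NETBIOS_MAX]


def check_computer_name(name):
    """Return a list of problems with a proposed computer name ([] if OK)."""
    problems = []
    if len(name) > NETBIOS_MAX:
        problems.append(
            f"{name} is {len(name)} characters; the NetBIOS name would be "
            f"truncated to {netbios_name(name)}"
        )
    # DNS host name rules: letters, digits and interior hyphens only
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?", name):
        problems.append(
            f"{name}: host names may contain only letters, digits and "
            "interior hyphens"
        )
    return problems


if __name__ == "__main__":
    adapters = parse_adapters(SAMPLE_IPCONFIG)
    mac = adapters["Local Area Connection"]  # treated as the primary interface
    for candidate in (mac_to_name(mac), mac_to_name(mac, "CIT")):
        print(candidate, check_computer_name(candidate) or "OK")
```

Running the script reports the unprefixed name as OK and flags the CIT-prefixed name as 16 characters long, with the NetBIOS name it would be truncated to.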

Server systems in the domain may take any reasonable name at the discretion of the local systems administrator, as long as the chosen name does not violate the campus DNS policy.

3. User Account Names

User account names for all University affiliates are populated via a nightly feed from the UVM LDAP Directory.  The following attributes are set during this feed.  If the value indicates that it is "User defined", that attribute may be modified from the UVM Directory pages:

Active Directory Users and Computers GUI name    LDAP attribute               Value
----------------------------------------------   --------------------------   ----------------------------------------------------
Account Name                                     cn                           <LastName>, <FirstName> <NetID>
Last name                                        sn                           <LastName>
Title                                            title                        <HR Position Title>
Description                                      description                  <Faculty|Staff|Student> (single-valued; shows primary affiliation only)
Office                                           physicalDeliveryOfficeName   <HR or Student System Office Address>
Telephone number                                 telephoneNumber              <HR or Student System Telephone Number>
Fax                                              facsimileTelephoneNumber     <User-defined fax number>
First name                                       givenName                    <FirstName>
Initials                                         initials                     <HR or Student System initials>
Display Name                                     displayName                  <LastName>, <FirstName>
Telephone number ("Other..." button)             otherTelephone               <User-defined Telephone Number>
Member Of (tab)                                  memberOf                     <HR and Student Group Object DN>
Department                                       department                   <HR Department Classification>
Company                                          company                      University of Vermont and State Agricultural College
(Same as Account Name)                           name                         <LastName>, <FirstName> <NetID>
User logon name (pre-Windows 2000)               sAMAccountName               <NetID>
User logon name                                  userPrincipalName            <NetID>@campus.ad.uvm.edu
Security Identity Mapping (Advanced view only)   altSecurityIdentities        Kerberos:<NetID>@uvm.edu

The following attributes are populated for users of Windows Services using a different nightly update process.  Container (OU) administrators may modify these attributes if necessary:

Active Directory Users and Computers GUI name      LDAP attribute   Value
------------------------------------------------   --------------   ------------------------------------------------------------------
Home folder "To:"                                  homeDirectory    <defined by OU administrator or Windows Services administrators>
Home folder "Connect:"                             homeDrive        <defined by OU administrator or Windows Services administrators>
"Managed By" tab on the selected computer object   managedBy        <defined by OU administrator or Windows Services administrators> (set on the computer object; shown on the user as the managedObjects back-link, which cannot be written directly)

Container administrators may need to create custom administrative user accounts.  These accounts should adhere to the following convention to avoid collisions with the UVM LDAP feed:

Use your department's six-letter designator followed by a hyphen (-), then the administrator's NetID, if they have one. 

Format: dddd-<NetID>

For an administrator with NetID=jmackinn in the Computing and Information Technology department:

Example: CIT-jmackinn

For compatibility with pre-Windows 2000 operating systems, keep the pre-Windows 2000 (NetBIOS) logon name, sAMAccountName, to 15 characters or fewer.  (Active Directory itself accepts a user logon name of up to 20 characters; the 15-character limit is this standard's.)
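As an added example covering both the attribute table above and the administrative-account convention (it is not code from the original standard or from UVM's feed): a Python helper that builds the user object's DN and attributes from a directory record, escapes the comma in the "LastName, FirstName NetID" cn so that the DN stays valid, and forms a dddd-<NetID> administrative account name within the 15-character limit.  The record layout, the target OU "OU=Users,DC=campus,DC=ad,DC=uvm,DC=edu" and the sample person are assumptions made for the example.

```python
# Assumptions for this example (not from the original page): the shape of the
# directory record below, the target OU, and that a person's affiliations
# arrive as a list whose first entry is the primary one.
SAMPLE_RECORD = {  # constructed record, not real directory data
    "netid": "mkapoodle",
    "first": "Mary",
    "last": "Kapoodle",
    "affiliations": ["Staff", "Student"],
    "title": "Systems Administrator",
    "department": "Computing and Information Technology",
    "office": "123 Example Hall",
    "phone": "802-555-0100",
}

USERS_OU = "OU=Users,DC=campus,DC=ad,DC=uvm,DC=edu"  # hypothetical OU
COMPANY = "University of Vermont and State Agricultural College"
LOGON_NAME_MAX = 15  # pre-Windows 2000 logon name limit used by this standard


def escape_rdn_value(value):
    """Escape an RDN value per RFC 4514.  The cn 'Last, First netid' contains
    a comma, which would otherwise be read as a DN component separator."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_entry(rec, ou_dn=USERS_OU):
    """Return (dn, attributes) for a user object following the feed table."""
    cn = f"{rec['last']}, {rec['first']} {rec['netid']}"
    attrs = {
        "cn": cn,
        "name": cn,
        "sn": rec["last"],
        "givenName": rec["first"],
        "displayName": f"{rec['last']}, {rec['first']}",
        "description": rec["affiliations"][0],  # single-valued: primary only
        "title": rec.get("title"),
        "department": rec.get("department"),
        "physicalDeliveryOfficeName": rec.get("office"),
        "telephoneNumber": rec.get("phone"),
        "company": COMPANY,
        "sAMAccountName": rec["netid"],
        "userPrincipalName": f"{rec['netid']}@campus.ad.uvm.edu",
        "altSecurityIdentities": f"Kerberos:{rec['netid']}@uvm.edu",
    }
    attrs = {k: v for k, v in attrs.items() if v}  # drop empty optional values
    return f"CN={escape_rdn_value(cn)},{ou_dn}", attrs


def admin_account_name(dept, netid):
    """Custom administrative account per the standard: DEPT-netid, kept
    within the pre-Windows 2000 logon name limit."""
    name = f"{dept.upper()}-{netid}"
    if len(name) > LOGON_NAME_MAX:
        raise ValueError(f"{name} exceeds {LOGON_NAME_MAX} characters")
    return name


def to_ldif(dn, attrs):
    """Render the entry as LDIF lines for review or an ldifde/ldapadd import."""
    lines = [f"dn: {dn}", "objectClass: user"]
    lines += [f"{k}: {v}" for k, v in attrs.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    dn, attrs = build_user_entry(SAMPLE_RECORD)
    print(to_ldif(dn, attrs))
    print(admin_account_name("CIT", "jmackinn"))
```

The escaping matters because the feed's cn deliberately contains a comma; an unescaped "CN=Kapoodle, Mary mkapoodle,OU=..." would be parsed as two RDNs.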

4. Security and Distribution Groups

A Windows 2000 Active Directory group has a type, "security" or "distribution", and a scope, "domain local", "global" or "universal", giving six combinations.  See the Microsoft paper Active Directory User, Computers and Groups for a more detailed explanation of Active Directory groups.

The UVM recommended naming standard for Active Directory security and distribution group names is:

Format: dddd-group_name-tt

  dddd        UVM department designator (up to six letters)
  group_name  descriptive name which explains the purpose of the group
  tt          type of group ( ls, gs, us, ld, gd, ud ); see Note, below

Active Directory group types are:

group types (tt)
ls domain local security
gs global security
us universal security
ld domain local distribution
gd global distribution
ud universal distribution

Example: CIT-SysAdmins-gs

Universal group membership is stored in the global catalog and replicated to every global catalog server in the forest; in a Windows 2000 forest, any change to a universal group replicates the group's entire membership list.  Use global and domain local groups where possible.  If you need a universal group, avoid populating it with individual users; instead, make other groups (typically global groups) its members, so that membership changes within those groups do not trigger global catalog replication.

Note: All group types in AD are displayed with the same group icon, which can be visually confusing.  The Active Directory Users and Computers console does show the group type field; however, testing has shown that after changes are made to an individual group, the user interface may no longer display the group type description.  This can cause confusion and lead to error, which is why the group type is part of the group naming scheme.  Using this scheme helps administrators avoid choosing the wrong group when managing groups within groups, in their own domain and across other domains.
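As an added example, not from the original standard: a Python audit that parses group names of the form dddd-group_name-tt, computes the groupType value a group with that suffix should carry, and flags two of the problems this section warns about: a name whose suffix disagrees with the object's actual groupType, and a universal group with users as direct members.  The groupType bit values (0x2 global, 0x4 domain local, 0x8 universal, 0x80000000 security-enabled) are from the Active Directory schema; the group list is constructed sample data, not real directory content.

```python
import re

# Group type suffix -> (scope, type), as listed in the table above.
GROUP_SUFFIXES = {
    "ls": ("domain local", "security"),
    "gs": ("global", "security"),
    "us": ("universal", "security"),
    "ld": ("domain local", "distribution"),
    "gd": ("global", "distribution"),
    "ud": ("universal", "distribution"),
}

# groupType attribute bits (Active Directory schema)
SCOPE_BITS = {"global": 0x2, "domain local": 0x4, "universal": 0x8}
SECURITY_ENABLED = 0x80000000

GROUP_NAME_RE = re.compile(
    r"^(?P<dept>[A-Za-z]{1,6})-(?P<name>[A-Za-z0-9_ ]+)-(?P<tt>[lgu][sd])$"
)


def parse_group_name(name):
    """Split 'dddd-group_name-tt' into its parts; raise if it does not conform."""
    m = GROUP_NAME_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} does not follow dddd-group_name-tt")
    scope, kind = GROUP_SUFFIXES[m["tt"]]
    return {"dept": m["dept"].upper(), "name": m["name"],
            "scope": scope, "type": kind}


def expected_group_type(name):
    """groupType value a group with this name should carry.  AD stores the
    attribute as a signed 32-bit integer, so security groups are negative."""
    info = parse_group_name(name)
    value = SCOPE_BITS[info["scope"]]
    if info["type"] == "security":
        value |= SECURITY_ENABLED
    return value - (1 << 32) if value >= 0x80000000 else value


def audit_groups(groups):
    """groups: list of {'name', 'groupType', 'members': [(name, objectClass)]}.
    Returns warnings for (a) names whose suffix disagrees with the real
    groupType and (b) universal groups that contain users directly."""
    warnings = []
    for g in groups:
        try:
            info = parse_group_name(g["name"])
        except ValueError as e:
            warnings.append(str(e))
            continue
        expected = expected_group_type(g["name"])
        if g["groupType"] != expected:
            warnings.append(
                f"{g['name']}: suffix says {info['scope']} {info['type']} "
                f"(groupType {expected}) but object has groupType {g['groupType']}"
            )
        if info["scope"] == "universal":
            users = [m for m, cls in g["members"] if cls == "user"]
            if users:
                warnings.append(
                    f"{g['name']}: universal group has {len(users)} direct user "
                    "member(s); nest global groups instead"
                )
    return warnings


# Constructed sample data (not from the original page or a real directory).
SAMPLE_GROUPS = [
    {"name": "CIT-SysAdmins-gs", "groupType": -2147483646,
     "members": [("jmackinn", "user")]},
    {"name": "CIT-AllStaff-us", "groupType": -2147483640,
     "members": [("mkapoodle", "user"), ("CIT-SysAdmins-gs", "group")]},
    # named as distribution (ld) but actually a domain local security group
    {"name": "BSAD-KalkinLab-ld", "groupType": -2147483644, "members": []},
]

if __name__ == "__main__":
    for w in audit_groups(SAMPLE_GROUPS):
        print(w)
```

The groupType comparison is the check to run once the console stops showing the group type: read each group's groupType attribute and member list from the directory and pass them to audit_groups, and any group whose suffix has drifted from its real type is reported by name.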

5. Group Policy Objects (GPOs)

The naming convention for Group Policy Objects is to use the six-letter department designator as a prefix for all Group Policy names, for instance "CIT staff policy" or "BSAD Kalkin lab policy".  Prefixing Group Policy names with your departmental designator reduces the likelihood that similarly named Group Policy objects will be confused with one another.

6. Container (OU) Names

Containers (OUs) will be named according to the managing department's six-letter designator.