UVM Windows Services Policies

Version 0.5

Updated: 5/17/2011

  1. Introduction
  2. Scope of Services
    1. Desktop login integration
    2. Filing services
    3. Print services
    4. Security policies
    5. Patch distribution
    6. Third-Party Software Distribution and Updates
    7. PKI/Certificate services
    8. Operating system distribution
    9. Windows SharePoint Services
  3. How to join Windows Services
  4. System requirements
  5. Storage policies and quotas
  6. Printer policy and compatibility notes
  7. Software distribution, security policy, and patch distribution policies
  8. Access to RIS Servers
  9. Obligations of Windows Services Administrators
  10. Obligations of Windows Services Participants
    1. Obligations of participating departments
    2. Obligations of designated departmental IT contact

1. Introduction

The rise of personal computer usage in the 1990's caught the University unprepared to cope with the demand for traditional "LAN" services (File storage services, network print services).  As a result, many departments deployed their own LAN server solutions.  When local systems administrators moved on to new positions, or departmental technology funds dried up, these departments found themselves reliant on rapidly aging, unreliable equipment.

To address the needs of these and other departments, ETS has provided free traditional LAN services to all UVM-affiliated faculty and staff departments since 1997.  "Windows Services" represents the third iteration of these services.  As network services have continued to grow and evolve, so have ours.  "Windows Services" is a tightly-coupled suite of services which includes traditional file and print services, but now includes integrated desktop login, Windows operating system security management, software distribution services, pre-configured operating system distribution, web-based collaboration tools, and PKI certificate services.

The Windows Services Administrators pledge to provide highly-available services with an emphasis on system integrity and security, rapid support, and clear and consistent documentation.

2. Scope of Services

2.1 Desktop Login Services

People with UVM network accounts (or UVM "NetIDs") will be able to use their NetID and password to login interactively with any computer which has been "joined" to the Active Directory.  Integrated login services are offered on all systems which meet the system requirements listed in section 4 of this document.

2.2 File storage services

Personal and shared file storage is available for all University-affiliated faculty and staff.  All files stored using this service will be backed up daily.  This service is provided free-of-charge in order to promote secure and reliable file storage practices among University affiliates.  File storage is subject to the policies described in section 5 of this document.

2.3 Print services

Network printer job routing, print spooling, and print driver distribution are provided free-of-charge to all University-affiliated faculty and staff departments.  These services are subject to the policies described in section 6 of this document.

2.4 Security Policies

A minimal set of security policies is pushed to every computer joined to the Active Directory domain.  These policies are designed to protect the domain from common attacks.  Use of any of the offered Windows Services implies consent to the application of these security policies.  There will be no "opt-out" option for security policy application.

2.5 Patch distribution

All Windows-based operating systems joined to the Active Directory domain are subjected to automated installation of operating system patches.  Automated patch distribution is necessary to ensure the integrity of computers in the domain.  Use of any of the offered Windows Services implies consent to the application of these patches.  There will be no "opt-out" option for automated patch distribution.

2.6 Third-Party Software Distribution and Updates

A variety of software installation packages are offered through the LiteTouch deployment system, the general "software" and Campus Agreement "mca" file shares, and via extensions to the automated patch distribution system.  By default, critical updates to third party software will be pushed to all workstations in the domain.  An "opt-out" option will be made available under special circumstances.

2.7 PKI/Certificate services

ETS maintains an Active Directory-integrated Certificate Server to satisfy the requirements of several Windows Services.  Certificate Servers are used to provide encryption keys for secure web services, secure LDAP connections, IPsec channels, and VPN services.  Users of Windows Services may leverage the central Certificate Servers for departmental servers and applications if desired. 

2.8  Operating system distribution

ETS maintains several Windows OS deployment systems.  ETS uses Windows "LiteTouch" for preparation of new computers purchased through the depot.  However, individuals wishing to leverage ETS's investment in deployment systems for storage of their own system images may do so.  Use of ETS's deployment servers is governed by the policies in section 8 of this document.

2.9 Windows SharePoint Services

Access to a Windows SharePoint Services (formerly "SharePoint Team Services") web-site will be granted to all Windows Services users.  Users will be able to create their own SharePoint team sites without intervention from a system administrator.  All sites will be subject to automatic expiration and removal if left unused for over one year.  Site owners will be notified via email prior to site deletion. 

Individual SharePoint sites will be restricted to a 5-Gigabyte quota.  If more storage space is required for your site, your quota may be extended at the discretion of the Windows Services Administrators.

All SharePoint databases are backed up on a nightly basis.  Backup files are retained for 2-4 months before being purged from tape.

3.  How to join Windows Services

  1. Familiarize yourself with all of the policies contained within this document.
  2. Schedule a meeting with the UVM Active Directory project team by sending email to Greg Mackinnon (jgm@uvm.edu), Phil Plourde (pjp@uvm.edu), or Geoff Duke (gcd@uvm.edu). The UVM Active Directory team will discuss your requirements with you and develop a timeline for joining your department to the directory.  You should be prepared to:

4. System requirements

Windows Services are supported on the following computer operating systems:

Access to Windows Services from most Macintosh systems may require the use of the Thursby ADMitMac, or other third-party Active Directory integration software.  Web-based access to Windows Services will work from any Macintosh OS X platform.  Reliable support for AD/Macintosh integration is an ongoing project within ETS.

Windows Services can be accessed from Linux operating systems, but owing to the changing and diverse Linux desktop offerings, ETS cannot offer official support for these configurations at this time.

See section 6 of this document for information on supported network printing equipment.

5.  Storage Policies and quotas

ETS will provide file storage services to all University-affiliated Faculty and Staff members.  File storage services are available in three formats:

ETS will provide access to files through multiple protocols.  The primary access methods will be:

All files stored via Windows Services will be backed up nightly.  Up to three months of file revisions will be available via the enterprise backup system.  Additionally, twice-daily "snapshots" will be taken on all files.  Snapshots will allow users to retrieve revised or deleted files from the storage system "volume snapshots" without requiring the intervention of a systems administrator.

Owing to the high-cost of enterprise-class storage systems (and associated backup systems), storage quotas will be placed on the total amount of storage provided to individuals and to departments.

At present, individual file storage (combined Home directory and "My Documents" directories) may not exceed ten Gigabytes (10 Gb) in size.  For users with a legitimate need for larger volumes of storage, a quota increase to twenty-five Gigabytes (25 Gb) can be requested.

Quotas on departmental shared directories will be negotiated at the time the department signs on for Windows Services.  Total quota size for departments will depend upon:

Requests for expansion of departmental quotas always will be approved provided that the following criteria have been met:

Notification of quota over-run will be provided to users prior to terminating file-write privileges. Notifications are provided via University email, and are generated hourly.

6. Printer Compatibility

ETS will integrate and support all approved print sharing devices and approved network ready printers.  Printers must have a connection to the campus network.   If one is not available currently, it may be ordered from ETS, Network Services at 656-8888.  Please consult with ETS Client Services prior to the purchase of your network printer.  Consultation is available through the contacts web page.  ETS has extensive experience with a wide range of printer models, and easily can find one which will meet the needs of your department.  If you purchase a printer that does not meet with our approval, we may not be able to support it for use on our network.

ETS will provide assistance with the networking configuration of your printer only.  Assistance will not be provided with the physical installation of printing devices.  Assistance will not be provided with the physical maintenance of printers (changing of toner, clearing of paper jams, etc.).

Because of the rapidly changing offerings of printer manufacturers, ETS cannot maintain a list of pre-approved network ready printers.  However, ETS has been working with purchasing to ensure that all network-capable printers sold through University-approved purchasing contracts will be Windows-services compatible.  Additionally, ETS expresses a strong preference for HP-brand workgroup and enterprise-class printers.  The use of smaller Home/Home Office/Small Office printer models is discouraged strongly.

7. Software distribution, security policy, and patch distribution policies

In order to maintain a more secure network environment, ETS reserves the right to distribute automatic software updates, computer security policies, and operating system patches.  Use of any of the ETS-provided Windows Services implies consent to this policy.

Security policies will be distributed using a combination of Windows Group Policy settings and login scripts.  Software package distribution may be accomplished through the use of Group Policy software distribution policies, Microsoft System Center Configuration Manager agents, and logon policies.   Patch distribution will be accomplished using Microsoft's Windows Server Update Services (WSUS) in combination with Group Policy-enforced settings on the Windows Automatic Update agent which runs on every Microsoft Windows operating system.

Blocking of these central policies by local OU administrators is not permitted without written consent of the Active Directory Enterprise Administrators.

Distribution of custom security policies is possible by registering to become a Container Administrator.

8. Operating System Deployment Technologies

ETS maintains several systems to facilitate deployment of Windows computers in the Active Directory environment.  These services are the Microsoft Deployment "LiteTouch" system, and Windows Deployment Services (or "Windows DS").  These servers also are used by consultants in ETS Client Services in the restoration of damaged operating systems to their original state.  All users of Windows Services may access these stock system images from any campus network-connected system.  Support will NOT be provided for all models of systems in use on the campus network.  Compatibility of Windows DS system images with any given computer system is NOT guaranteed.  Re-installation using central ETS servers is likely to take over one hour (with LiteTouch), or over 30 minutes (with Windows DS). 

Some departments may require specialized systems images.  These departments will be allowed to store up to two system images for every model of computer currently offered by the Microcomputer Services Depot.  Departments will be responsible for maintaining their own system images.  The Windows Services Administrators reserve the right to remove old, obsolescent, or un-patched images from the central image store; however, every effort will be made to contact a responsible party in the affected department before taking this action. 

Deployment of non-Microsoft operating systems is not supported at this time.

9.  Obligations of Windows Services Administrators

The UVM Windows Services are a loosely coupled suite of servers, application services, and consulting services.  This section outlines the distribution of responsibility for these services, and the obligations of the responsible parties.

A group within ETS Client Services serves as the Windows Services Administrators.  They install, configure, and maintain all services in the Windows Services suite, and provide integration of these services with the greater UVM Active Directory infrastructure.  There is significant overlap between the Windows Services Administrators and the Active Directory Enterprise Administrators.  Active Directory Enterprise Administrators maintain the directory which ties together all of the Windows Services.  The ETS Technical Support Group maintains the "uvm.edu" Kerberos Authentication servers (the UVM NetID authentication service), and the UVM LDAP Directory which feeds account information to the Active Directory.

All general-usage problems with Windows Services should be reported to your departmental IT contact.

If your contact is not available, or the problem is of a pressing nature, contact the ETS Helpdesk. Your problem will be routed to an on-duty Windows Services Administrator.

For general discussion, this group can be contacted via e-mail.

The responsibilities of the Windows Services Administrators are:

10. Obligations of Windows Services Participants

10.1 Obligations of participating departments

Departments making use of Windows Services will perform the following duties:

10.2  Obligations of designated departmental IT contact