Enterprise Active Directory Frequently Asked Questions (FAQs)

Overview

This article answers frequently asked questions (FAQs) about Enterprise Active Directory.

 

Detail

LDAP

1. How do I bind a LDAP application to the Pitt Domain?

A load-balanced VIP has been created so that applications only need to bind to a single interface to authenticate and query Enterprise Active Directory (AD). This IP provides load balancing and high availability in the case that any one server is unavailable.

To connect, the DNS name pittad.univ.pitt.edu should be entered in the server field. The access is based on LDAP over SSL so the port used should be 636/TCP.

Objects

1. Where are user accounts located in the Pitt Domain?

All of the user accounts are stored in a single Organizational Unit (OU) called Accounts. Pitt Information Technology does not allow departments to move objects out of this container. Nor does Pitt IT allow departments to apply policies to these objects.

To apply Group Policies to user objects, see Group Policy Loopback Processing mode.

2. How can I create additional user accounts?

There are different types of user accounts that can be created in the Pitt Domain. The first is called a Primary Account and represents a person that is affiliated with the University. Primary accounts are automatically created after a person is enrolled in the University or hired as a staff or faculty member.

If an account is needed for a person who is not affiliated with the University, there are two types of accounts that can be created. If the user only needs access to the wireless network, they can be given a PittNet Guest Wi-Fi account. Refer to our PittNet Guest Wi-Fi page for additional details.

If an account is needed for a person so that they can access other types of resources, a sponsored account may be necessary. Sponsored accounts can be created by Responsibility Center Administrators. Find your RC Administrator.

The final type of account is a resource account. Resource accounts are used to represent something other than a person, such as a mailbox to represent a conference room or a service account for an application. Responsibility Center Account Administrators can create resource accounts. More detailed instructions are available on the RC Administrators SharePoint site.

3. What is a service account and how do I create one?

Resource accounts are used to represent something other than a person. Examples of a resource account are a mailbox to represent a conference room or a service account for an application. These types of accounts can be created by submitting a request to the Technology Help Desk.

4. Where are groups located in the Pitt Domain?

Groups that are created via my.pitt.edu will be automatically placed in the Groups OU. This path can be accessed via LDAP using ou=groups,dc=univ,dc=pitt,dc=edu.

5. How can I create additional groups?

There are two ways to create additional groups.

The first is by using the accounts.pitt.edu interface. Log into Accounts Administration via My Pitt (my.pitt.edu), then click Manage Groups. RC Administrators also maintain groups and group membership within CDS. These groups can be used for Enterprise Exchange distribution lists or to assign access rights to various resources within the University computing environment.

RC Administrators can request that additional individuals be granted access to manage groups within their responsibility center. The individual must be in the same responsibility center as the RC administrator and will have access to manage all groups within that responsibility center.

The other type of group is one that a departmental administrator can create within their own OU. These groups can be used to secure local departmental resources. Departments have more flexibility in how they are created and managed, but their scope is limited. These groups cannot be used as email distribution lists or to maintain access control on enterprise resources such as Enterprise Web Infrastructure (EWI).

6. What is the difference between groups created via my.pitt.edu and directly in a departmental OU?

 

7. Why am I able to query Enterprise Active Directory, but I cannot see another user's group membership?

In order to query this type of information, a user needs to be given additional privileges. Contact the Technology Help Desk to obtain this access.

8. Where are my departmental objects stored within the Pitt domain?

These objects are stored within the Departments top level OU. Each department is given an OU under this level that they may control.

9. What types of objects can I create within my departmental OU?

Departmental administrators can create OUs, Groups, Computer Objects, Shared Folders, and Printers. Users are not permitted and must be created using the my.pitt.edu interface.

10. How can I manage my objects within Enterprise Active Directory?

Objects within the Enterprise Active Directory can be managed using the Microsoft Remote Server Administrative Tools. These tools need to be installed first and then activated as a feature. To download the tools, click here>

Once the tools are installed, they need to be enabled. In order to enable the tools, open Control Panel > Programs and Features > Turn Windows features on or off. From the interface, select Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools.

Once the tools are installed and the features are enabled, they can be launched from the start menu. Go to Start > Administrative Tools > Active Directory Users and Computers.

Group Policy

1. How are Group Policies created in the Pitt Domain?

Pitt IT requires that new Group Policy objects be created by Pitt IT administrators. Departments may request as many group policy objects as they need. Pitt IT will create the policies using a naming convention similar to groups (dept - group policy description). Departments will then be given full control of the policy, including the ability to link the policy to any of their organizational units.

2. How do I apply Group Policies to a user account?

Because group policies cannot be linked to the Accounts OU, applying policies to user objects is handled differently within the Enterprise Active Directory. In order to apply settings from the user portion of the policies, Loopback Group Policy processing mode is used. This special mode applies the user portion of the group policy to any user that accesses the workstation that the policy applies to.

In order to set up Group Policy loopback processing mode, navigate to the following: Computer Configuration > Policies > Administrative Templates > System > Group Policy.

Open the setting called User Group Policy loopback processing mode. Check the box that says Enabled and set the mode to Merge. This will cause the machine to apply policy settings from the User portion of the policy to any user that logs onto the machine and will merge these settings with any other user group policy.

3. How do I create log-on scripts in the Pitt Domain?

Group Policy Loopback Processing Mode is required for this. Make sure this is set up before proceeding.

Log-on scripts are created and managed with a group policy. Open the group policy object that you plan to use for the log-on script. Expand > User Configuration > Policies > Windows Settings > Scripts > Logon.

Click on Show Files... and Windows Explorer will open a view of the directory you can use to store your log-on script.

Add your script to this directory, then click Add... This file will then be run each time a user logs onto the workstation that this policy applies to.

4. How do I prevent other University users from being able to log on to servers/workstation that we own?

By default any authenticated user will have the ability to log on to a Windows workstation that is added to the domain. This user will not be given administrative privileges, but will still have access to log on. If this is not desired, the following steps can be followed to restrict access.

1. Create a group that contains only the users that should be given access to the desired workstations or servers.
2. Open a Group Policy object that will be used to control access.
3. Navigate to the following policy Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally.
4. When the Allow log on locally properties dialogue opens, check Define these policy settings: and click Add User or Group... Add administrators and the name of the group that was defined in step 1. This will allow the local administrator account and anyone in the group from step 1 the ability to log on. Everyone else will be denied.

5. What policies does the University push down to our servers/workstations?

In general, Pitt IT will not push any policies down to a machine that is joined to the domain. There is only a single exception to this rule. To avoid confusion for password changes, Pitt IT disables Change Password when a user hits Ctrl+Alt+Delete. Since this button would not allow a user to reset a University password, it has been removed.

General

1. How do I add a workstation to the Pitt Domain?

Pitt IT does not allow departments to directly add a machine to the domain. The reason is that by default all workstations are added to a default container. To enforce ownership, workstation additions are required to happen within a departmental organization until. There are two ways to add a machine to the domain.

Step 1. Open AD Users and Computers and pre-stage the computer object. To do this, right click on the OU and choose New > Computer.

The object that you pre-stage has to have the same name as the NetBIOS name of the computer. Add that name to the Computer name: field. Make sure to change the user or group that can add the machine. Change this to the user who will be adding the machine.

After the machine has been staged, it can be added normally to the domain using the system control panel applet.

Step 2: Use Netdom to add it using the following syntax:

netdom.exe JOIN %computername% /Domain:univ.pitt.edu /OU:OU=dept,OU=Departments,DC=univ,DC=pitt,DC=edu /UserD:pitt\user /PasswordD:YourPassword

2. I would like to host my department's servers and workstations in the Pitt domain, how do I get started?

Contact the Technology Help Desk and someone will contact you with the initial set up procedure.

3. Can I store BitLocker recovery keys in Enterprise Active Directory?

Yes! BitLocker encryption technology is built into newer desktop operating systems and can be installed on server operating systems 2008 or newer. BitLocker is used to encrypt a hard drive or removable USB. In the event of corruption or lost key, the recovery key may be stored in Enterprise Active Directory. The Enterprise Active Directory is already prepped to do this. All that is required is to set up a Group Policy to tell the machines to back it up to the directory.

There are two policy settings that are required.

Computer Configuration > Policies > Administrative Templates > System > Trusted Platform Module Services > Turn on TPM Backup to Active Directory Services.

Change the setting to Enabled.

Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista).

Change the setting to Enabled.

These steps are required to be in place before the drive is encrypted. If the drive is already encrypted, the recovery steps can still be stored in Enterprise Active Directory using the following procedures>

4. Can I add my Apple workstation to the Pitt Domain?

The University has licensed software from Centrify that makes it easy to add non-Windows machines to the University's Enterprise Active Directory (AD). While macOS ships with a Directory Services plug-in that can be used to join a machine to AD, there are limitations as to how many AD services can be used. In addition to the Join function, the tool also provides the capability of managing profiles, permissions, and settings–all through Group Policy.

To get started with Centrify, visit the Software Download Service via My Pitt (my.pitt.edu) to download the Centrify client and associated documentation.

5. Can I add my Linux or other Unix machines to the Pitt Domain?

The University has licensed software from Centrify that makes it easy to add non-Windows machines to University's Enterprise Active Directory (AD). Centrify supports over 400 operating systems, and can easily join any of those to Pitt's AD environment. In addition to the Join function, the tool also provides the capability of managing profiles, permissions, and settings - all through Group Policy.

To get started with Centrify, visit the Software Download Service via My Pitt (my.pitt.edu) to download the Centrify client and associated documentation.

6. How do I apply Group Policies to non-Windows machines?

Through the use of the Centrify tool, non-Windows machines may also leverage Group Policies. These policies can be used to standardize configuration, run log-on scripts, and apply security controls. If you are currently an Enterprise Active Directory OU administrator, then the tools are already available to you.

To learn more about how to use these settings, visit the Software Download Service via My Pitt (my.pitt.edu) to download the Centrify client and associated documentation.

 

Alumni Accounts: Granting or Restricting Access to Departmental Services

Beginning in spring 2015, graduating students will be granted Alumni Accounts that provide access to certain enterprise services such as Pitt Email (Outlook). Some University departments provide additional technology services, and they may want to allow alumni access to these services or restrict these services (for example, because of licensing requirements). The technical information provided in this section is intended to help departmental IT staff modify access to their services as needed.

Some changes happen automatically when an account transitions to an Alumni account. Service owners should review the list below to determine if these changes are sufficient to remove access for individuals with Alumni accounts, or if additional steps are necessary. Please keep in mind that Alumni accounts will remain active in Enterprise Active Directory and the Central Directory Service (CDS).

Automated changes when an account transitions to Alumni

• Account is moved from the Accounts OU in Active Directory to the Alumni OU 
  • Accounts OU: ou=account,dc=univ,dc=pitt,dc=edu
  • Alumni OU: ou=alumni,dc=univ,dc=pitt,dc=edu
• Account is added to an Alumni group
  • Alumni Group: Pitt-ActiveAlumniAccount or cn=Pitt-ActiveAlumniAccount,ou=groups,dc=univ,dc=pitt,dc=edu
• Account has an attribute added to it that defines it as an Alumni account
  • Alumni Attribute: pittCategory = Alumni
• All group memberships are removed
  • CDS-managed groups
  • Active Directory groups
  • Office 365 groups
• Shibboleth modifications are made
  • eduPersonAffiliation = affiliate and alum
  • eduPersonScopedAffiliation = affiliate@pitt.edu and alum@pitt.edu
• Global Address List (GAL) changes are made
  • Students, faculty, and staff will not be able to see Alumni in the GAL
  • Alumni will not be able to see students, faculty, and staff in the GAL
  • Alumni will not be able to see other Alumni in the GAL
• All Alumni email mailboxes will exist in Exchange Online, so if an individual's mailbox is on premise, we will move the mailbox to Exchange Online when the account transitions to Alumni

 

Related Information

Additional changes departments may want to make

• If your departmental service uses LDAP for authentication and you want to allow Alumni accounts access to that service, then you will need to modify the search base to point to dc=univ,dc=pitt,dc=edu with a subtree search.
• If you are using a service in InCommon with our Shibboleth authentication, you may want to inform the cloud service provider so that they can filter out Alumni accounts if the contract does not cover Alumni. See the Shibboleth modifications above for details.