Active Directory Standards
The following standards and responsibilities are for managing user accounts in the University of Minnesota Active Directory (AD) that are in support of University Information Security Policy.
IAM Managed Accounts
Identity and Access Management (IAM) provides a centralized account creation service. Prior to creating an Active Directory user object, you must review whether the service already provides an account that meets your needs.
Functional Accounts
Functional accounts are for non-human purposes like automation, a kiosk account, or to run a particular service on a server.
Sponsored Accounts
Sponsored accounts may be created for collaborators not formally affiliated with the University so that they may gain access to University resources to provide support for instruction, research, or administrative services.
- Create a Sponsored Account
- How-to: Create a University Sponsored Account
- How-To: Manage a University Sponsored Account
Person of Interest (POI) Account
There are certain situations where people have an association outside of a defined appointment within the University of Minnesota, and they need access to University-wide resources. Some examples of when to request this type of account are for External Service Providers, Affiliates, or Office of the Vice President of Research appointees.
- Contact your department's or unit's Human Resources team.
OUAdmin Accounts
OUAdmins are a specific privileged role of administering an Organizational Unit (OU) within Active Directory. IAM is responsible for the delegation of these rights. These rights cannot be delegated to any user account or group without the approval of IAM.
Upon request and with proper approval, IAM will create an OUAdmin account and delegate rights for a unit after the completion of an access request form:
Users granted OUAdmin rights are responsible to comply with University Information Security Policy for their unit. IAM reserves the right to remove rights when warranted.
OUAdmin Group Attestation
IAM will send reports biannually to OUAdmins to attest to OUAdmin group membership. Any changes required can use the Microsoft Active Directory OU Admin Access Request Form (ARF).
Units are responsible to attest to the membership of their OUAdmin groups. Furthermore, units must notify IAM promptly when a change in membership is necessary at [email protected].
User Objects
Naming Standard
Units using AD have had prefix(es) assigned to distinguish them from other units. OU Admin accounts will use unit prefixes prepended to the user’s Internet ID.
- Example:<Prefix><InternetID>
- Example: oitxxxx0000
User accounts, like other unit created AD objects, must prepend the name of the object with their prefix. Since IAM uses the standard <Prefix><InternetID> for OU Admin accounts, units must include a hyphen to differentiate them from IAM-managed accounts.
- Example: <Prefix>-<InternetID>
- oit-xxxx0000
- Example: <Prefix>-<Purpose>
- oit-computerbind01
Password Policy
All passwords set must meet University Policy standards.
Passwords must meet complexity standards using uppercase and lowercase alphabetic characters, numbers, and special characters at least 16 characters long.
- Password can contain the following character(s): abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ~`!@#$%^&*()-_+={[}]\|;:'",./?. Spaces are allowed.
- Passwords must not match or contain first or last name, or Internet ID.
- Previous passwords must not be reused.
- Do not use the same password for multiple accounts.
- Do not use easily guessable or common passwords.
When setting a password for another user, set a one-time use password that prompts to change after initial logon.
Do not share AD passwords over email or any other public means such as a help desk ticket or a messaging system. Best practice is to use a secure method to share passwords like a password manager.
AD is single factor authentication, so passwords must expire at least annually to comply with University Policy. IAM is not responsible for the compliance of unit-managed user accounts nor handling any exceptions to policy.
Account Management
Each unit is responsible to comply with University Policy for account management. While IAM may provide some reporting for inactive users or never expiring passwords, IAM is not responsible for auditing or reviewing access for unit user accounts.
Expiring Passwords
AD users authenticate via a single factor so to comply with University Policy, passwords should not be set to never expire. IAM will provide biannual reports to OU Admins of accounts under their management that are set to never expire.
Inactive User Accounts
IAM will send reports biannually to OU Admins for user accounts that have not logged in for a year or more or that have never logged in. IAM will not take any action on these accounts unless warranted; units are responsible to disable or delete accounts that are no longer needed to help secure Active Directory.