It is recommended that all campus Windows computers be connected to Active Directory
to receive the widest range of services and functionality. The purpose of these standards
is to keep Active Directory as current and healthy as possible.
It is recommended that all UVU computers be connected to the campus network and powered
up at least quarterly.
Machines not physically on campus should either be brought to campus and connected
to the wired network, or connected to the campus network via VPN quarterly. Doing
so will allow machines to receive operating system and application updates, and will
prevent many of the problems associated with computers being removed from the network
for a long period of time, including problems with:
Computer authentication to the domain (will prevent the object from becoming "stale")
Microsoft updates
Microsoft licensing (KMS)
Password updates for those that have changed their UVID password.
Group policies.
Bradford agent registration & updates
AD Computer Object Naming Conventions:
It is the Area Tech's prerogative to use any of three standard names:
room number-Inventory number
room number-machine number
Inventory number
The Description field should be filled in with the name and room number of the person
who will be using the computer.
Computer objects for surplus or replaced computers should be deleted.
Group Policy Objects (GPO) Standards
Campus-wide (OU=DEPT or OU=USERS) GPO's are named beginning with "Default" and contain
general settings needed in all areas, such as DNS settings, firewall settings, and
management settings. Current approved and functioning Default GPO's are:
"Default Domain Policy"
"Default Set DNS Suffix"
"Default add Mailmarshal to Local Intranet"
"Default add UVShare to Local Intranet"
"Default rename local Administrator password"
"Default Windows Firewall settings"
"Default deploy SCCM 2012 client"
"Default IDM S: Drive CIFS"
"Default IDM USERS S: Drive"
"Default PST Settings"
"Default" GPO's will only go live after approval by TSC & IPC.
Area specific GPO's have settings that are specific to a particular area, such as
printers, and should be named to identify the area that owns the GPO.
Should be named "DEPT. CODE" "short Description"
All GPO's will be documented in the notes field of the object,
including: Owner, Purpose, Used By, and Department.
OUs (Organizational Units) Standards
"COMPUTERS" OU
The "COMPUTERS" OU in AD is a staging area only; computers should not stay in this
OU after they are loaded and delivered.
Computers will be moved from this container on the first working Monday of each month
before 8:00 am.
"LABS" OU
Computers in Labs should be in this OU.
Microsoft updates are not automatically applied to computers in this container.
"SERVERS" OU
Contains Central IT Servers
Microsoft updates are not automatically applied to computers in this container.
"DEPT" OU
Contains all objects for desktop computers.
Microsoft updates are automatically applied to computers in this container.
"TO BE DELETED" OU
This container is a holding place for those computer objects within the "Stale Computer
Object" removal process described below.
A special GPO is applied to this container which places a startup message on Windows
computers that warns the user of pending action and recommends they contact their
area technician. There are no other GPO's acting on this container.
Microsoft updates are not automatically applied to computers in this container.
"DEPT_Servers" OU
This container is a place where departments can put server machines within departmental
OU's to separate them from desktop machines so that they may be easily managed differently
than desktop systems.
Area technicians are assigned rights to manage objects within departmental OU's.
Microsoft updates are not automatically applied to computers in this container.
Stale Computer Object Removal Process
Computer objects should be removed from the AD OU they are in when the machines are
sent to surplus; the scripts in this process are a backup for that process.
Report/Script to be run monthly (first working Monday each month) on "AD.UVU.EDU"
to identify and move objects which have not authenticated to the domain for 17 weeks
into TO BE DELETED OU.
A spreadsheet of object names and locations will be created containing objects affected
by this process. (Date (mmddyy) 17 week.xlsx)
Report/Script to be run monthly on TO BE DELETED to identify and disable objects which
have not authenticated to the domain for 23 weeks.
A spreadsheet of object names will be created containing objects affected by this
process (Date (mmddyy) 23 week.xlsx)
Report/Script to be run monthly on TO BE DELETED to identify and delete objects which
have not authenticated to the domain for 26 weeks.
A spreadsheet of object names will be created containing objects affected by this
process (Date (mmddyy) 26 week.xlsx)
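The three monthly stages above can be sketched with the ActiveDirectory PowerShell module as follows; this is an added example, not the script UVU runs. The distinguished names are assumptions built from the domain and OU names on this page, reports are written as CSV rather than .xlsx, and the $DryRun switch is a name introduced here.

```powershell
# Added example, not UVU's script. DNs are assumptions built from the domain
# and OU names on this page; reports are CSV here rather than .xlsx.
Import-Module ActiveDirectory

$DomainDN  = 'DC=ad,DC=uvu,DC=edu'          # assumed from "AD.UVU.EDU"
$HoldingOU = "OU=TO BE DELETED,$DomainDN"   # assumed location of the OU
$Stamp     = Get-Date -Format 'MMddyy'
$DryRun    = $true                          # set to $false to apply changes

function Get-StaleComputer {
    param([string]$SearchBase, [int]$Weeks)
    $cutoff = (Get-Date).AddDays(-7 * $Weeks)
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties lastLogonTimestamp, whenCreated |
        Where-Object {
            # lastLogonTimestamp is replicated but can lag real logons by up to
            # about 14 days. Objects that never authenticated fall back to whenCreated.
            $last = if ($_.lastLogonTimestamp) {
                [datetime]::FromFileTime($_.lastLogonTimestamp)
            } else { $_.whenCreated }
            $last -lt $cutoff
        }
}

function Export-StageReport {
    param($Objects, [int]$Weeks)
    $Objects | Select-Object Name, DistinguishedName, Enabled |
        Export-Csv -Path "$Stamp $Weeks week.csv" -NoTypeInformation
}

# Stages run oldest-first so an object moved today is not also disabled or
# deleted in the same run, before its user has seen the startup warning.
$delete = @(Get-StaleComputer -SearchBase $HoldingOU -Weeks 26)
Export-StageReport $delete 26
$delete | Remove-ADObject -Recursive -Confirm:$false -WhatIf:$DryRun

$disable = @(Get-StaleComputer -SearchBase $HoldingOU -Weeks 23 | Where-Object Enabled)
Export-StageReport $disable 23
$disable | Disable-ADAccount -WhatIf:$DryRun

$move = @(Get-StaleComputer -SearchBase $DomainDN -Weeks 17 |
    Where-Object { $_.DistinguishedName -notlike "*,$HoldingOU" })
Export-StageReport $move 17
$move | Move-ADObject -TargetPath $HoldingOU -WhatIf:$DryRun
```

With $DryRun left at $true, each stage only reports what it would change, so the CSV files can be reviewed before anything is moved, disabled or deleted.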
The spreadsheets for this process can also be found at: