Windows Services Index | Overview | Getting Started | How To | Forest Design | Resources | Troubleshooting | Policies | Contact Info

Administrator Policies

General Administration Policy

It is the intention of the WIN-AD Team to not force group policies down to an OU or Child Domain; however, the WIN-AD Team reserves the right to do so as necessary. Any group policies applied to the Domain user's OU containing all skeleton accounts may be overridden in an organization.

Enterprise Administrators

Currently, there are two Enterprise Administrators. These administrators are responsible for the underlying Forest infrastructure. This level of authority mandates a high level of responsibility, including being subject to an audit. Actions of the Enterprise Administrators are audited and available for review by Penn State Security Operations and Services. Members of this group are restricted to select WIN-AD Team members only.

Domain Administrators

In the ACCESS.PSU.EDU domain, there are no members of the Domain Administrators. The Enterprise Administrators are tasked with all duties related to domain administration. Within a Child Domain, there will be members of this group. These members carry a high responsibility and must be audited. Membership must be carefully considered.

Child Domain Administrators

The WIN-AD Team has created a group called Child Domain Administrators. This group is responsible for installing a Child Domain as well as setting Exchange® mailboxes. The members of this group are limited to the two points of contact for each Child Domain.

OU Administrators

OU Administrators are limited to only objects under their respective OU. These include user object, computer object, and OU containers. They have the ability to link GPOs to containers, as well as set permissions on any object under their OU. An OU administrator will not have administrative rights above their respective OU, with the exception of the "PSUComputers" container. This is the container where computer accounts may be added and then moved at another time by the creator of the account. OU Administrators have the right to create computer accounts in this container, but only the creator has the ability to move the account.