Enterprise Administrators

Security Agreement

Introduction

Microsoft’s Active Directory (AD) infrastructure requires the use of a high-level administrative group called Enterprise Administrators, or EAs, which resides in the top or root level of the AD tree. Due to the special privileges granted to members of this group, considerable restrictions must be placed on these sign-ons to establish clear administrative boundaries throughout the Active Directory tree and to fully comply with the Michigan State University Acceptable Use of Computing Systems, Software and the University Digital Network administrative ruling.

Implications

The Enterprise Administrators group has complete administrative rights over the enterprise.  This group has the highest level of permissions of all groups in Active Directory and can perform actions within the entire domain forest.

Terms of Use

All Enterprise Administrators will sign this security agreement and agree to comply with its terms of use.  Child domain system owners who chose to participate in the ad.msu.edu Active Directory tree will receive a copy of the signed agreement for their records. 

The EA sign-on will be limited to two persons within Administrative Information Services and two within the Computer Lab.

EA sign-ons are intended to be limited in use to those tasks that require those specific privileges.  Use of the sign-on shall be subject to a high level of system-level auditing.  EA passwords must adhere to predetermined password length and complexity rules. 

EA sign-ons and passwords are issued to individuals for their use only. No one with EA authority should give his/her sign-on or password to others or ask co-workers to give him/her their sign-ons or passwords.

Enterprise Administrators have elevated privileges and potential access to personal data:  they must not intentionally seek information on individual users or child domains except with the expressed consent of the individual or child domain system owners.  Each EA is responsible for actions traceable to his or her sign-on and has the legal and ethical obligation to protect the privacy of all parties involved.

Enterprise Administrators must not grant themselves administrative rights to any child domain without the expressed consent of the child domain system owner.

No EA shall make changes to the Active Directory schema without the unanimous consent of all Enterprise Administrators and where the change will benefit the Active Directory forest as a whole.  Proposed changes to the Active Directory schema will be reviewed on a case-by-case basis.

Michigan State University computing systems and related equipment are an institutional resource.  Enterprise Administrators may not use such equipment for personal gain, nor maliciously misuse such equipment and associated software to the University’s detriment.

Typical Enterprise Administrator tasks include, but are not limited to, the following:

Managing domain trusts, adding new domains to the AD tree, applying operating system service packs and hot fixes, installing/upgrading software in the root domain, monitoring security/performance counters, configuring email connectors, upgrading system BIOS and firmware, managing Active Directory-integrated DNS and other network services, and other tasks related to the administration, maintenance and optimization of the Active Directory root.

All Enterprise Administrators are expected to fully comply with the terms of use in this agreement and should realize that violation of the above conditions may be grounds for disciplinary action commensurate with the violation’s severity, not excluding immediate dismissal.

Copyright © 2003 Administrative Information Services
Last modified: September 22, 2003