Policies

Applicable MSU Policy

Microsoft Windows 2000 Active Directory (AD) (AD.MSU.EDU), as administered jointly by Administrative Information Services and the Computer Lab, will adhere to all provisions of the Michigan State University Acceptable Use Policy (AUP) put forth by the Vice Provost for Libraries, Computing and Technology. Review the AUP at http://www.msu.edu/dig/aup/msuaup.html.

AIS Policy Statement

Active Directory Root Domain

System Administrators having “root” access will follow the MSU AUP and sign and follow the AD non-disclosure agreement regarding computer administration.  Only Enterprise Administrators (EAs) will have access to the AD root and shall be limited in number:  two AIS staff members and two Computer Lab staff members.  All system changes undertaken by EAs will have prior acceptance by all other EAs.  EA login and system changes will be audited and alerts will be sent to all EA Administrators.  Administrators of all child Domains will be advised prior to any AD schema changes. EA IDs will not be utilized for child Domain administration.

Universal groups shall be used sparingly.  Most privileges will be assigned to Local or Domain Local groups. Local or Domain Local groups that require resource access in another Domain shall be explicitly added by the resource Domain's Administrator.

Operating system and application patches and updates will be applied in a timely manner.  Enterprise Administrators shall be responsible for coordinating patch installation with Domain Administrators.

AIS Domain

The AIS Domain will follow the Child Domain Suggested Practices Document regarding account, resource and Domain management.

Account Policies
- 42 day expiration period.*
- 8 character minimum password.*
- Remember the last 10 passwords.*
- 'Account expiration' will not be used for staff user accounts.
- 'Password never expires' will not be used for user accounts.
- Service accounts will not be able to change their own password, and their passwords must be >8 characters in length.
- All accounts are urged to maintain 'strong' passwords. Privileged accounts are strongly urged to use 'strong' passwords. Further information regarding 'strong' passwords can be found at: http://www.microsoft.com/…password_tips.htm

* suggested minimum.

Rights and Resource Assignments

User accounts will be assigned to Local or Domain Local groups. Rights to resources will then be assigned to these groups. Groups (and user accounts) will be given access according to the principle of least privilege: access will be granted according to the minimum rights that the group requires. Domain user and group accounts will be given a maximum privilege of "change" access to any resource. "Full" access will only be given to Domain administrator accounts and "system" accounts.

Unauthorized attempts to access, corrupt, damage, or otherwise alter the Active Directory Structure or its contents shall be investigated as allowed under the Enforcement Section (V) of the MSU AUP.

Copyright © 2003 Administrative Information Services
Last modified: September 22, 2003