Guidelines for the Use of Active Directory and 389 Accounts

Types of Accounts and their Uses

All user accounts in Active Directory and 389 can only be created by ITS automatic provisioning infrastructure or by the Identity and Access Management Group.

Person Accounts

NetID Account

Personal NetID accounts (accounts assigned to individuals who qualify for one of the roles defined by the University) are systematically created by ITS and stored in the Organizational Unit (OU) called People in both Active Directory and 389.  These accounts are not allowed to be moved out of their assigned OU by any person or service other than ITS' Identity and Access Management System.  Nor does ITS allow departments to apply policies to these objects.

The use of NetID accounts is limited to non-privileged user activities such as accessing email, file shares, web browsers, workstations, and non-privileged application access.  These accounts will not be granted administrative privileges on hosts or used to authenticate services or applications to Active Directory or LDAP 389. 



Administrative Account

All users who have elevated access to a system or service will have one secondary account used solely for tasks that require greater administrative access.  These accounts will be created and maintained in the OU Admin in Active Directory and can only be acted on by Domain Admins. In 389 these accounts are stored in the OU People and access is restricted to System Admins. 

This account will be tied to an individual user and that user will be responsible for keeping the account secure. For more details on privileged accounts and their use please refer to the Privileged Access Standard.  

The password for this account must follow the Network Password Requirements and cannot be the same as the password of your personal account.  If available, the account and password should be stored in the University Controlled Password Manager.



Vendor Account

A vendor account can be requested for a vendor only after a contract is in place.  The account will follow the naming convention as established in the Privileged Access Standard and is limited to non-privileged user activities such as using the University VPN. These accounts will be created and maintained in the OU Generic in Active Directory, and in People for 389.



Vendor Privileged Account

If the vendor will be doing work that requires privileged access, they will be required to use a vendor administrative account that follows the established Privileged Access Standard.  The account should only be used for the purpose it was created for, will be stored in the OU Admin, and can only be acted on by Domain Admins.



Non-personal Accounts

A non-personal account is created for a service, application or a group to gain access to a resource. The manager and/or owner of the account is responsible for the use of the account and for administrative responsibilities such as responding to renewals when necessary.

Service Account

Service accounts are accounts that are designated for use by a particular service or application.  A service account will be created for each function of a particular service or application, and must only be used for that purpose. The account must abide by the rules of least privilege as described by NIST.  These accounts will be created and maintained in the Generic OU in Active Directory and can only be acted on by Identity and Access Management. In 389 these accounts are to be stored in the OU People and can only be acted on by ITS personnel.

Service accounts will be created and follow the naming conventions as established in the Privileged Access Standard.  

When possible, the password must be unique and have a minimum length of 20 characters.

If available, the account and password must be stored in the approved University Controlled Password Manager.  

Privileged Service Account

Privileged service accounts are service accounts that are designated for use by a particular service or application and have elevated privileges.  A service account will be created for each function of a particular service or application, and must only be used for that purpose. The account must abide by the rules of least privilege as described by NIST.  These accounts will be created and maintained in the OU Admin in Active Directory and can only be acted on by Domain Admins. In 389 these accounts are to be stored in the OU Special and can only be acted on by System Administrators.

Service accounts will be created and follow the naming conventions as established in the Privileged Access Standard.  

The password must be unique and have a minimum length of 20 characters.

If available, the account and password must be stored in the approved University Controlled Password Manager. 

Departmental Account

A departmental account is an account sponsored by an active University faculty or staff member and provides a group of individuals access to a single resource.    

This account is shared by the group to access department resources, such as email and file shares.

Departmental accounts will not be granted administrative privileges on any system and must not be used to authenticate services or applications to Active Directory or LDAP 389. 



Guest Access Account

A generic account is an account sponsored by an active University faculty or staff member and used to grant individual access.  Although these accounts may be used by an individual, they do not guarantee that any single person is using the account.

These accounts are intended for use to access such things as file shares and research computing.  They are created and maintained in the OU Generic in Active Directory and in the People OU for 389. 

Generic accounts will not be granted administrative privileges to any system and must not be used to authenticate services or applications to Active Directory or LDAP 389. 



Event Access Account

An event access account is an account that is shared by a group to access resources, such as file shares, web browsers and workstations, for a short predefined period of time.

Event access accounts will not be granted administrative privileges to any system and must not be used to authenticate services or applications to Active Directory or LDAP 389. 
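The sections above place all privileged accounts in OU=Admin and state that NetID, departmental, generic and event accounts are never granted administrative privileges. The following audit script is an added example, not part of this standard or of ITS tooling; it checks the Active Directory side of that rule. It assumes the RSAT ActiveDirectory module, a placeholder domain DN of DC=example,DC=edu, and a list of built-in privileged groups that you would extend with your own administrative groups.

```powershell
# Added audit example (hypothetical, not ITS tooling). Reports accounts whose
# OU placement contradicts the privilege they actually hold.
Import-Module ActiveDirectory

$domainDN  = 'DC=example,DC=edu'          # placeholder: replace with your domain DN
$peopleOU  = "OU=People,$domainDN"        # NetID accounts
$genericOU = "OU=Generic,$domainDN"       # vendor, service, generic accounts
$adminOU   = "OU=Admin,$domainDN"         # all privileged accounts

# Built-in groups that confer administrative privilege; extend with local admin groups.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')

# Resolve membership recursively so nested group membership is not missed.
$privilegedDNs = @(foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty DistinguishedName
}) | Sort-Object -Unique

# Check 1: non-privileged OUs (People, Generic) must hold no privileged group member.
$findings = @(foreach ($ou in @($peopleOU, $genericOU)) {
    Get-ADUser -SearchBase $ou -Filter * |
        Where-Object { $privilegedDNs -contains $_.DistinguishedName } |
        ForEach-Object {
            [pscustomobject]@{ Account = $_.SamAccountName; OU = $ou
                               Issue = 'Privileged group member outside OU=Admin' }
        }
})

# Check 2: accounts in OU=Admin should hold privilege; otherwise they are stray
# accounts that belong in People or Generic and are being managed by Domain Admins.
$findings += @(Get-ADUser -SearchBase $adminOU -Filter * |
    Where-Object { $privilegedDNs -notcontains $_.DistinguishedName } |
    ForEach-Object {
        [pscustomobject]@{ Account = $_.SamAccountName; OU = $adminOU
                           Issue = 'Account in OU=Admin holds no privileged group membership' }
    })

$findings | Format-Table -AutoSize
```

Run it with an account that can read group membership across the domain; an empty table means OU placement and privilege agree for the groups listed.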



Account Type Overview

Type of Account            | Used to gain Privileged Access | Password Storage                                          | Password     | Used to authenticate a service or application for Directory Services
---------------------------|--------------------------------|-----------------------------------------------------------|--------------|----------------------------------------------------------------------
NetID Account              | No                             | User's discretion to keep the password private and secure | Personal     | No
Administrative Account     | Yes                            | Enterprise Password Management solution                   | Personal     | No
Vendor Account             | No                             | User's discretion to keep the password private and secure | Personal     | No
Privileged Vendor Account  | Yes                            | Enterprise Password Management solution                   | Personal     | No
Service Account            | Yes                            | Enterprise Password Management solution                   | non-Personal | Yes
Departmental Account       | No                             | User's discretion to keep the password private and secure | non-Personal | No
Generic Account            | No                             | User's discretion to keep the password private and secure | Personal     | No
Event Access Account       | No                             | User's discretion to keep the password private and secure | non-Personal | No