Userids in Nexus: Conventions



General Users

Typical user accounts in Nexus should be named by the user's uwuserid.  In cases where there is a long and short format (the short one being 8 characters or less), the short format will be used.  These typically take the format p2huck, jd24smith. 

Even if the user is granted administrator privileges on his own single office machine, this is the format to be used.

Nexus administrators must be careful to not 'make up' userids.  They must either find the user's correct uwuserid, or create a new uwuserid for the user (doable here with privileges), or create a temporary account named with a name that could never be generated by uwdir's short uwuserid rules, a sort of out-of-band name.

Uwuserids, in terms of Nexus, are userids of at most 8 characters in the format: initials, optional number, surname, e.g. psmith, p2smith, etc.  There are only a few rare instances where a user has no initials or no surname (but never missing both). 

Out-of-band userids can be constructed by ending with a number, or including underscores or other non-alpha, non-numeric characters.  Another method would be to use more than 8 characters.  Examples of these would be psmith2, psmith-visitor, etc.

In some cases, a second account is required.  For example, a professor may wish to keep his teaching account entirely separate from his research account.  It is entirely reasonable to perform this separation by creating a second userid.  We suggest appending a number to the end of the uwuserid.  E.g. p2smith might have a second account named p2smith2 or p2smit-research.

Elevated Privileges - BANG

Sometimes users are given 'elevated' privileges, which might be the ability to change passwords for a group of users, or the ability to administer certain machines. 

In the case of a research group, the elevated privileges might be finely tuned permissions to just perform the actions needed on particular userids and/or computers.

In the case of a departmental or faculty computing office resource person, the elevated privilege would have access to the entire portion of the active directory tree that is co-managed by that individual.

These are referred to as BANG accounts, and they take the format of an exclamation mark followed by the uwuserid, e.g. !jblow, !j2smith.

Beginning with Windows 2000, the most effective way to elevate a user's capabilities is to leverage permissions of the active directory.  We can fine tune the permissions to entirely (but not excessively) cover the actions this elevated user is expected to perform. 

The NT 4 style of elevation is to add the user to the local administrators' group, but with Active Directory it is easier to group the stations into an OU and assign the privilege at the OU level.

The user is required to use his general account for normal computing, and save his bang account for only those times he needs the special privileges.  Using the runas command, it is possible to be logged in as a general user, but execute a particular program with the elevated privileges.  This is described in the Using RunAs reference below.

Whenever possible, Nexus creates more detailed logs of activities performed by bang userids. 

System Wide Privileges - BANG BANG

The BANG BANG account (e.g. !!jblow, !!j2smith) has Nexus-wide capabilities.  The most common needs for this are to
  - set passwords of visiting students from other faculties (or other departments)
  - fix accounts of students who are transferring from (or graduating from) other faculties (or other departments)
  - fix accounts of staff and faculty who are moving from another part of the active directory to the new location
  - read GPOs created by someone else

The BANG BANG privilege should not be taken lightly; it has a great deal of power.  Only a select few of the campus administrators have this power, and they must use it wisely. 

Any operation performed on a jurisdiction other than the one you have privileges for with your single bang account must be announced either to the Nexus manager for that jurisdiction, or to the WNAG mailing list through a WNAG representative. 

Nexus attempts to take very detailed logs of the activities performed by bang bang accounts. 

To ensure that we are aware that system wide privileges are being used, system wide accounts must be of the form !!uwuserid, with the only exceptions being approved through the channels listed below. 

Some special-purpose accounts used in the AD administration of Nexus (for example, the Active Directory tape backup recovery account) are excluded from these requirements.

The basic design of the bang bang strategy is that there are
Special allowances have been made:

Any bang bang account created must have the authorization of all three of the following:
  1. the Associate Dean for Computing of the local faculty, or the Associate Provost for Computing if the computer manager is not from a faculty
  2. the Waterloo Nexus Advisory Group
  3. Engineering Computing's designated manager, as EC is the custodian of the Nexus Active Directory
If two of the three approve but one does not, the matter may be escalated to UCIST for its consideration.

The creation of a system privileged userid will be detected.  We monitor the Active Directory constantly.  If such an account is created without following the steps above, it will quickly be disabled and assumed to be a break-in.  This assumption is fair, because any legitimate account would have been cleared with all the bodies listed above.
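The naming rules above (uwuserid shape, the out-of-band constructions, the ! and !! prefixes) and the monitoring described in the preceding paragraph can be expressed as a small checker.  The following is an added example, not Nexus code or anything from the original document: it classifies a name into the tiers this document defines and then audits a handful of constructed account-creation records against an assumed list of approved bang bang accounts.  The regular expression, the 8-character limit as a hard check, the log line format and the approved list are all my assumptions; note that the document's own example jd24smith is nine characters, so the stated limit flags it.

```python
import re
from typing import Iterable

# Naming rule from the document: initials, optional number, surname, at most
# 8 characters.  The regex and the hard length check are this example's
# encoding of that rule (assumption).
UWUSERID_MAX_LEN = 8
UWUSERID_RE = re.compile(r"[a-z]*[0-9]*[a-z]+")


def is_uwuserid(name: str) -> bool:
    """True if name could be generated by the short uwuserid rules."""
    return len(name) <= UWUSERID_MAX_LEN and UWUSERID_RE.fullmatch(name) is not None


def is_out_of_band(name: str) -> bool:
    """True if name uses one of the document's out-of-band constructions:
    a trailing digit, a non-alphanumeric character, or more than 8 characters."""
    if not name:
        return False
    return name[-1].isdigit() or not name.isalnum() or len(name) > UWUSERID_MAX_LEN


def classify(account: str) -> str:
    """Return the tier implied by an account name.

    'general'     plain uwuserid, e.g. p2smith
    'bang'        !uwuserid, elevated privileges within one jurisdiction
    'bangbang'    !!uwuserid, Nexus-wide privileges
    'out-of-band' deliberately non-uwuserid name, e.g. psmith-visitor
    'invalid'     anything else, including a ! or !! prefix on a non-uwuserid
    """
    if account.startswith("!!"):
        tier, name = "bangbang", account[2:]
    elif account.startswith("!"):
        tier, name = "bang", account[1:]
    else:
        tier, name = "general", account
    if is_uwuserid(name):
        return tier
    if tier == "general" and is_out_of_band(name):
        return "out-of-band"
    return "invalid"


# Assumed record format for account-creation events (not real AD log output).
EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+) actor=(?P<actor>\S+) created=(?P<new>\S+)$")


def audit(log_lines: Iterable[str], approved_bangbang: set) -> list:
    """Scan creation records and return (account, tier, action) findings.

    Mirrors the document's policy: a !! account not on the approved list is
    disabled and treated as a break-in; bang accounts are queued for review;
    names that fit no convention are naming violations.
    """
    findings = []
    for line in log_lines:
        m = EVENT_RE.match(line)
        if not m:
            findings.append((line, "unparsed", "inspect log format"))
            continue
        new = m.group("new")
        tier = classify(new)
        if tier == "bangbang":
            action = "ok" if new in approved_bangbang else "disable; treat as break-in"
        elif tier == "bang":
            action = "review jurisdiction permissions"
        elif tier == "invalid":
            action = "naming violation; rename or disable"
        else:
            action = "ok"
        findings.append((new, tier, action))
    return findings


# Constructed sample records and an assumed approved list so the example
# runs offline; the userids are the document's own illustrative names.
SAMPLE_LOG = [
    "2004-05-21 09:12:03 actor=!!j2smith created=p2smith",
    "2004-05-21 09:15:41 actor=!!j2smith created=!j2smith",
    "2004-05-21 10:02:17 actor=!jblow created=psmith-visitor",
    "2004-05-21 11:30:55 actor=!jblow created=!!jblow",
    "2004-05-21 11:31:09 actor=!jblow created=!psmith2",
]
APPROVED_BANGBANG = {"!!j2smith"}

if __name__ == "__main__":
    for account, tier, action in audit(SAMPLE_LOG, APPROVED_BANGBANG):
        print(f"{account:16} {tier:12} {action}")
```

The fourth record, a !!jblow account created by a single-bang actor that is not on the approved list, is the case the monitoring paragraph describes: it is reported for immediate disabling rather than merely logged.  The fifth record shows why the prefix check matters: !psmith2 carries a privilege prefix on an out-of-band name, which no convention permits, so it is a naming violation even though psmith2 on its own is a legitimate out-of-band userid.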

This document was first created on May 21, 2004.  Prior to that date there may have been some confusion, and the standards may have not been entirely consistent.  Once this document is approved at WNAG, we will strive to make our current practices comply with the documented standard.


References
  1. UWdir background information
  2. Active Directory Naming Conventions, November 2000
  3. Campus Active Directory Project, Appendix A, describes our November 2000 administration vision, published April 2001
  4. Account creation notes, including bang bang terminology December 2001
  5. Best Practices, more stuff, January 2003
  6. Using RunAs, January 2003
  7. History of Bang Bang Accounts, April 2004


Updated May 21, 2004, Erick Engelke