Userids in Nexus: Conventions
General Users
Typical user accounts in Nexus should be named by the user's
uwuserid. Where both a long and a short format exist (the short one
being 8 characters or less), the short format is used; these typically
look like p2huck or jd24smith.
Even if the user is granted administrator privileges on his own single
office machine, this is still the format to be used.
Nexus administrators must not make up userids. They must either find
the user's correct uwuserid, create a new uwuserid for the user
(possible for administrators who hold the appropriate uwdir privileges),
or create a temporary account whose name could never be generated by
uwdir's short uwuserid rules, a sort of out-of-band name.
Uwuserids, as far as Nexus is concerned, are userids of at most 8
characters in the format initials, optional number, surname, e.g. psmith,
p2smith, etc. There are only a few rare instances where a user has no
initials or no surname (but never both missing).
Out-of-band userids can be constructed by ending the name with a number,
by including underscores or other non-alphanumeric characters, or by
using more than 8 characters. Examples are psmith2, psmith-visitor, etc.
In some cases a second account is required. For example, a
professor may wish to keep his teaching account entirely separate from
his research account. It is entirely reasonable to perform this
separation by creating a second userid. We suggest appending a
number to the end of the uwuserid, e.g. p2smith might have a second
account named p2smith2 or p2smit-research (either form is out-of-band,
so it can never collide with a uwdir-generated id).
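The naming rules above, as an added Python example (this is not code from the page or from Nexus itself): a classifier that tells a uwdir-style short id from an out-of-band name, checks the '!' and '!!' prefixes described later on this page, and a helper that picks a second-account name that is guaranteed out-of-band. The 8-character limit and the "initials, optional number, surname" shape are taken from the page; the punctuation accepted in out-of-band names (dot, hyphen, underscore) and the decision not to special-case the rare no-initials/no-surname ids are assumptions. Note that on this literal reading the page's own jd24smith example is 9 characters and is reported as out-of-band.

```python
import re
from typing import Iterable, Optional

# Assumed interpretation of the page's rules: a short uwuserid is 1-8 lowercase
# letters/digits shaped as initials, optional number, surname.  The rare ids
# with no initials or no surname are not given special treatment here.
MAX_UWUSERID_LEN = 8
_UWUSERID_RE = re.compile(r"^[a-z]+(?:[0-9]+[a-z]+)?$")

# Characters assumed acceptable in an out-of-band name besides letters/digits.
_OOB_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*$")


def is_uwuserid(name: str) -> bool:
    """True if NAME could have been generated by uwdir's short uwuserid rules."""
    return len(name) <= MAX_UWUSERID_LEN and bool(_UWUSERID_RE.match(name))


def is_out_of_band(name: str) -> bool:
    """True if NAME can never collide with a uwdir-generated short id: it ends
    in a digit, contains a non-alphanumeric character, or exceeds 8 characters."""
    if not _OOB_NAME_RE.match(name):
        return False
    return (name[-1].isdigit()
            or not name.isalnum()
            or len(name) > MAX_UWUSERID_LEN)


def classify(account: str) -> str:
    """Classify an account name under the Nexus conventions.

    Returns 'uwuserid', 'out-of-band', 'bang', 'bangbang', 'malformed-bang',
    'malformed-bangbang' or 'unclassified'.  Comparison is case-insensitive.
    """
    name = account.strip().lower()
    if name.startswith("!!"):            # test the longer prefix first
        return "bangbang" if is_uwuserid(name[2:]) else "malformed-bangbang"
    if name.startswith("!"):
        return "bang" if is_uwuserid(name[1:]) else "malformed-bang"
    if is_uwuserid(name):
        return "uwuserid"
    if is_out_of_band(name):
        return "out-of-band"
    return "unclassified"                # e.g. '2smith': check uwdir by hand


def second_account_name(uwuserid: str, taken: Iterable[str],
                        label: Optional[str] = None) -> str:
    """Suggest a name for a user's second account.

    Without LABEL, append the smallest unused number >= 2 (the page's
    suggestion); with LABEL, append '-label'.  Either way the result is
    out-of-band, so it can never collide with a future uwdir-generated id.
    """
    if not is_uwuserid(uwuserid):
        raise ValueError(f"{uwuserid!r} is not a uwuserid")
    existing = {t.lower() for t in taken}
    if label:
        label = label.lower()
        if not re.fullmatch(r"[a-z0-9]+", label):
            raise ValueError(f"label {label!r} must be letters/digits only")
        candidate = f"{uwuserid}-{label}"
        if candidate in existing:
            raise ValueError(f"{candidate!r} is already taken")
    else:
        n = 2
        while f"{uwuserid}{n}" in existing:
            n += 1
        candidate = f"{uwuserid}{n}"
    assert is_out_of_band(candidate)     # invariant: never a uwdir-style id
    return candidate


if __name__ == "__main__":
    for name in ["p2huck", "psmith2", "psmith-visitor",
                 "!jblow", "!!j2smith", "!!psmith2"]:
        print(f"{name:16} {classify(name)}")
    print(second_account_name("p2smith", ["p2smith", "p2smith2"]))
```

The two malformed classes are the ones an administrator should never see in the directory: a bang or bang bang prefix in front of anything other than a real uwuserid means someone made up a name.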
Elevated Privileges - BANG
Sometimes users are given 'elevated' privileges, which might be the
ability to change passwords for a group of users, or the ability to
administer certain machines.
In the case of a research group, the elevated privileges might be
finely tuned permissions to just perform the actions needed on
particular userids and/or computers.
In the case of a departmental or faculty computing office resource
person, the elevated account would have access to the entire portion
of the active directory tree that is co-managed by that individual.
These are referred to as BANG accounts, and they take the format of an
exclamation mark followed by the uwuserid, e.g. !jblow, !j2smith.
Beginning with Windows 2000, the most effective way to elevate a user's
capabilities is to leverage Active Directory permissions.
We can fine-tune the permissions to entirely (but not excessively)
cover the actions this elevated user is expected to perform.
The NT 4 style of elevation is to add the user to the local
administrators' group, but with Active Directory it is easier to group
the stations into an OU and assign the privilege at the OU level.
The user is required to use his general account for normal
computing, and save his bang account for only those times he needs the
special privileges. Using the runas command, it is possible to be
logged in as a general user but execute a particular program with the
elevated privileges. This is described in the Using RunAs document
listed in the References.
Whenever possible, Nexus creates more detailed logs of activities
performed by bang userids.
System Wide Privileges - BANG BANG
The BANG BANG account (e.g. !!jblow, !!j2smith) has Nexus-wide
capabilities. The most common needs for it are to
- set passwords of visiting students from other faculties (or
other departments)
- fix accounts of students who are transferring from (or
graduating from) other faculties (or other departments)
- fix accounts of staff and faculty who are moving from another
part of the active directory to the new location
- read GPOs created by someone else
The BANG BANG privilege should not be taken lightly; it carries a great
deal of power. Only a select few of the campus administrators
have this power, and they must use it wisely.
Any operation performed on a jurisdiction other than what you have
privileges for with your single bang account must be announced to either the
Nexus manager for that jurisdiction, or to the wnag mailing list
through a wnag representative.
Nexus attempts to take very detailed logs of the activities performed
by bang bang accounts.
To ensure that we are aware that system wide privileges are being used,
system wide accounts must be
of the form !!uwuserid, with the only exceptions being approved through
the channels listed below.
Some special purpose accounts used in the AD administration of Nexus,
such as the active directory tape backup recovery account, etc. are
excluded from these requirements.
The basic design of the bang bang strategy is that there are
- up to two bang bang accounts from each faculty
- one bang bang account per Engineering department
- two bang bang accounts in IST
- two additional bang bang accounts in Engineering Computing - for
the administration of the active directory infrastructure
Special allowances have been made:
- one additional bang bang account exists in each of two
Engineering departments: Mechanical and Civil. This was approved
through all the required management bodies (see the History of Bang
Bang Accounts reference below)
- one additional bang bang account exists in Arts. The Arts
faculty provide some teaching related computing for the entire campus
because most students take Arts electives. Having three staff
able to fix password and other AD settings for other faculties is
important. Also, a lot of people transfer to Arts either during
their undergraduate stage, or when they enter graduate studies.
Any bang bang account created must have the authorization of all three
of the following:
- the Associate Dean for Computing of the local faculty, or the
Associate Provost for Computing if the computer manager is not from a
faculty
- the Waterloo Nexus Advisory Group
- Engineering Computing's designated manager, as EC is the
custodian of the Nexus Active Directory
If two of the three approve but one does not, the matter may be
escalated to UCIST for its consideration.
The creation of a system privileged userid will be detected: we
monitor the Active Directory constantly. If such an account is
created without following the steps above, it will quickly be disabled
and treated as a break-in. This assumption is fair, because
any legitimate account would have been cleared with all the bodies
listed above.
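The monitoring described above, as an added Python example that is not part of the page: it runs over a constructed directory dump and flags bang bang accounts that are not on the approved roster or lack one of the three required sign-offs (escalation to UCIST when exactly one is missing), flags any account holding the system-wide privilege under a name not of the !! form unless it is on the exemption list, and checks each jurisdiction's count against its allotment. The privileged group name, jurisdiction labels, exempt account name, roster entries and directory records are all hypothetical; the allotments follow the page's basic design and special allowances.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Everything below is constructed for illustration; no real Nexus accounts,
# group names or roster entries appear here.

# The three bodies whose sign-off a bang bang account needs.
REQUIRED_APPROVALS: Set[str] = {"associate_dean", "wnag", "ec_manager"}

# Hypothetical name of the AD group that confers Nexus-wide privileges.
SYSTEM_WIDE_GROUP = "Nexus System Admins"

# Special-purpose accounts exempt from the !!uwuserid form (hypothetical name).
EXEMPT_ACCOUNTS: Set[str] = {"ad-tape-recovery"}

# Bang bang allotment per jurisdiction: up to two per faculty, one per
# Engineering department, two in IST, two for AD infrastructure, plus the
# approved extras for Mechanical, Civil and Arts.  Labels are hypothetical.
ALLOTMENT: Dict[str, int] = {
    "ARTS": 3, "SCIENCE": 2, "IST": 2, "EC-INFRA": 2,
    "ENG-MECH": 2, "ENG-CIVIL": 2, "ENG-ECE": 1,
}


@dataclass(frozen=True)
class RosterEntry:
    jurisdiction: str
    approvals: frozenset  # which of REQUIRED_APPROVALS have signed off


# Approved roster, keyed by lower-case account name (hypothetical entries).
ROSTER: Dict[str, RosterEntry] = {
    "!!jblow":   RosterEntry("ENG-MECH", frozenset(REQUIRED_APPROVALS)),
    "!!j2smith": RosterEntry("ARTS",     frozenset(REQUIRED_APPROVALS)),
    "!!psmith":  RosterEntry("IST",      frozenset({"associate_dean", "wnag"})),
    "!!a2lee":   RosterEntry("ENG-ECE",  frozenset(REQUIRED_APPROVALS)),
    "!!b3chan":  RosterEntry("ENG-ECE",  frozenset(REQUIRED_APPROVALS)),
}

# A constructed dump of user objects, as a monitor might pull them from AD.
SAMPLE_DIRECTORY: List[dict] = [
    {"sAMAccountName": "jblow",     "enabled": True, "memberOf": []},
    {"sAMAccountName": "!jblow",    "enabled": True, "memberOf": ["ENG-MECH Admins"]},
    {"sAMAccountName": "!!jblow",   "enabled": True, "memberOf": [SYSTEM_WIDE_GROUP]},
    {"sAMAccountName": "!!j2smith", "enabled": True, "memberOf": [SYSTEM_WIDE_GROUP]},
    {"sAMAccountName": "!!psmith",  "enabled": True, "memberOf": [SYSTEM_WIDE_GROUP]},
    {"sAMAccountName": "!!Mallory", "enabled": True, "memberOf": [SYSTEM_WIDE_GROUP]},
    {"sAMAccountName": "!!a2lee",   "enabled": True, "memberOf": [SYSTEM_WIDE_GROUP]},
    {"sAMAccountName": "!!b3chan",  "enabled": True, "memberOf": [SYSTEM_WIDE_GROUP]},
    {"sAMAccountName": "svc-backup", "enabled": True, "memberOf": [SYSTEM_WIDE_GROUP]},
    {"sAMAccountName": "ad-tape-recovery", "enabled": True, "memberOf": [SYSTEM_WIDE_GROUP]},
]


def audit_system_wide(directory: Iterable[dict], roster=ROSTER,
                      allotment=ALLOTMENT) -> List[dict]:
    """Return one finding per problem: {'account', 'reason', 'action'}."""
    findings: List[dict] = []
    per_jurisdiction: Dict[str, int] = {}
    for user in directory:
        if not user.get("enabled", False):
            continue                     # disabled objects need no action now
        name = user["sAMAccountName"].lower()
        privileged = SYSTEM_WIDE_GROUP in user.get("memberOf", [])
        if name.startswith("!!"):
            entry = roster.get(name)
            if entry is None:
                findings.append({"account": name, "action": "disable; treat as break-in",
                                 "reason": "bang bang account not on the approved roster"})
                continue
            missing = REQUIRED_APPROVALS - entry.approvals
            if missing:
                # two of three approved -> may be escalated to UCIST
                action = "disable; escalate to UCIST" if len(missing) == 1 else "disable"
                findings.append({"account": name, "action": action,
                                 "reason": f"approval missing from {sorted(missing)}"})
                continue
            per_jurisdiction[entry.jurisdiction] = per_jurisdiction.get(entry.jurisdiction, 0) + 1
        elif privileged and name not in EXEMPT_ACCOUNTS:
            findings.append({"account": name, "action": "disable; treat as break-in",
                             "reason": "system-wide privilege held by an account "
                                       "not of the form !!uwuserid"})
    for jurisdiction, count in per_jurisdiction.items():
        limit = allotment.get(jurisdiction, 0)
        if count > limit:
            findings.append({"account": jurisdiction, "action": "review with WNAG",
                             "reason": f"{count} bang bang accounts exceed allotment of {limit}"})
    return findings


if __name__ == "__main__":
    for finding in audit_system_wide(SAMPLE_DIRECTORY):
        print(f"{finding['account']:18} {finding['action']:28} {finding['reason']}")
```

The group-membership branch is what makes the name convention enforceable: an attacker who adds an ordinary account to the privileged group never chooses a !! name, so a monitor that only looks at names would miss exactly the case the page calls a break-in.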
This document was first created on May 21, 2004. Prior to that
date there may have been some confusion, and the standards may have not
been entirely consistent. Once this document is approved at WNAG,
we will strive to make our current practices comply with the documented
standard.
References
- UWdir background information
- Active Directory Naming Conventions, November 2000
- Campus Active Directory Project, Appendix A, describes our November 2000 administration vision, published April 2001
- Account creation notes, including bang bang terminology, December 2001
- Best Practices, more stuff, January 2003
- Using RunAs, January 2003
- History of Bang Bang Accounts, April 2004
Updated May 21, 2004, Erick Engelke