This is supporting documentation for an OIT service. For complete service details and order information, visit Campus Active Directory.
Departments interested in participating in the Campus Active Directory service should contact the OIT Service Desk at 801-422-4000 during normal operating hours to request an organizational unit (OU) within the enterprise domain. Department administrators must agree to all policies and procedures associated with the service before access to the departmental OU is granted. In most cases the OU administrator will be the department's lead CSR. Once the request is processed, the departmental OU is created under the O=BYU container.
See the "Campus Active Directory – Policies" document for more information. Policies and procedures may be added or modified as needed. Contact the OIT Service Desk (801-422-4000) if you have questions.
OIT monitors and maintains the enterprise elements of the domain: the technical infrastructure, the domain schema, automatically populated users and groups, administrative accounts and other elements that are enterprise in nature. OIT makes every effort to keep the domain and its infrastructure operating properly 24 hours a day, 7 days a week. OIT also maintains and administers domain elements for the products it supports, such as Desktop Technology Support and the Open Access Computer Labs.
OIT does not provide support for departmental OUs or the contents therein. Departments are responsible for configuring and maintaining their own OUs. The Campus Active Directory product is intended for users who have previous experience with Active Directory and directory management. Departments must ensure that personnel who administer their OUs have the expertise to manage the OU and the objects associated with it.
A product advisory board and a mailing list have been established for discussing topics related to Campus Active Directory. This community-based mechanism is available to help departments with their configuration and maintenance needs, but it does not guarantee a resolution for every issue. CSRs interested in joining the mailing list and/or advisory board should contact the OIT Service Desk at 801-422-4000. The community also maintains its own Active Directory wiki at https://csrwiki.lib.byu.edu/csrwiki/index.php/Active_directory.
Formal training is not available for the Campus Active Directory product at this time. Many training resources are available from third parties, including Microsoft. OIT may offer CSR-oriented Active Directory training in the future; contact OIT Training Services if you are interested.
Suggestions are welcome on the Campus Active Directory mailing list, or you may leave them with the OIT Service Desk at 801-422-4000.
The domain can be reached from any campus network location, and from off campus only over the approved campus VPN. Access from the wireless and public networks is limited until the user has authenticated.
Without the VPN the domain is not reachable from off campus: the domain controllers carry the ".local" DNS suffix, which has intentionally been attached to the domain and does not resolve outside the campus network. The purpose is to keep domain-joined machines used from an off-campus connection from spending a long time at logon waiting on domain controllers they cannot contact.
Domain objects can be administered from a workstation that is not a domain member, although with less functionality than a member workstation. To set this up, open User Accounts in the Control Panel, select your local account and choose "Manage my network passwords" (the Stored User Names and Passwords dialog).
The dialog lists the network credentials you have already stored. Click Add to open the Logon Information Properties form, which lets you add an entry.
Add one entry for each of the three domain controllers, entering each name with its .local suffix (the original page showed the names in an accompanying illustration). For the user name enter byu\ followed by your username; the password is your myBYU password.
With these stored credentials you can edit user and computer objects, but the Group Policy Management snap-in will not work from a non-member workstation. You must be on a member workstation to use the snap-in.
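The procedure above, as an added PowerShell example that is not part of the original page: it stores the same three credentials from the command line with cmdkey (the tool behind the Stored User Names and Passwords dialog) and then opens the Active Directory Users and Computers console with network-only credentials via runas. The domain controller names dc1/dc2/dc3.byu.local are placeholders, since the page's illustration of the real names is not reproduced here, and the runas step assumes the Administration Tools Pack (which provides dsa.msc) is installed on the workstation.

```powershell
# Added example (not from the page). Store credentials for the three domain
# controllers from a non-domain workstation; this is the command-line form of the
# "Manage my network passwords" dialog. DC names are placeholders (assumptions):
# use the three real names, each with the .local suffix.
$Domain = 'byu'
$User   = Read-Host 'Domain username (without the byu\ prefix)'
$DomainControllers = @('dc1.byu.local', 'dc2.byu.local', 'dc3.byu.local')   # placeholders

foreach ($dc in $DomainControllers) {
    # cmdkey writes to the same Windows credential store the dialog edits.
    # /pass with no value prompts, so the password never lands in the shell history.
    & cmdkey "/add:$dc" "/user:$Domain\$User" /pass
}

# Confirm the entries exist; cmdkey never displays the stored passwords.
& cmdkey /list | Select-String -SimpleMatch '.byu.local'

# Optional: open Active Directory Users and Computers with network-only credentials
# (assumes the Administration Tools Pack, which provides dsa.msc, is installed).
# /netonly means the credentials are used only for network access, so the console
# authenticates to the domain while the local session stays a local account.
& runas /netonly "/user:$Domain\$User" 'mmc dsa.msc'

# Clean-up when finished: remove the stored credentials.
# foreach ($dc in $DomainControllers) { & cmdkey "/delete:$dc" }
```

Run it on campus or over the VPN, since the .local names have to resolve. The stored passwords are protected by the local account's DPAPI key, so anyone who can run code as that local account can use them; delete them with the commented-out cmdkey /delete loop when you no longer need them. As the page notes, this does not make the Group Policy snap-in usable; that still requires a member workstation.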
BYU has centralized all user accounts in the "People" organizational unit. Centralization reduces the number of domains in operation and greatly expands the university's ability to provide resources to the BYU community, but it changes how group policy reaches users: user-side settings normally come from GPOs linked to the OU that holds the user object, and departments do not control the People OU.
To deliver User Configuration settings in this environment, enable Group Policy loopback processing on a GPO linked to your computer OU. With loopback, the User Configuration settings of GPOs linked to the computer's OU are applied to whoever logs on to those machines, so user objects can remain in the centralized People OU instead of being moved into the OU where the GPOs are linked.
Loopback has two modes. In "Replace" mode the user settings from the GPOs linked to the computer's OU are applied instead of the user's own, so the GPOs that would normally apply to the account in the People OU are ignored on that machine; this is the mode most departments should use. In "Merge" mode the user's own GPOs are applied first and the computer-OU GPOs are layered on top, winning any conflicts; use it only where existing local or user policies must be preserved, which few areas will need. In either mode the settings apply to every account that logs on to the machine, administrators included, unless you exclude them through security filtering.
GPOs are domain-wide objects, not OU-specific: you can link any GPO you have rights to use on your own OU, and you can grant other administrators the right to read, edit or apply your GPOs. OIT maintains a small number of GPOs at the enterprise level.
The Group Policy Management Console (GPMC) snap-in, with its Group Policy Results reporting, shows which group policies are in effect for a given machine and user. It is not included in the Windows Server 2003 Administration Tools Pack, but it can be downloaded separately from Microsoft.
You can also see which policies are in effect by logging on to the machine and running "gpresult" from the command line ("gpresult /r" on Windows Vista and later). It reports the GPOs applied to the computer and to the user, the resulting configuration settings, and the security group memberships that were used for filtering.
Policy can be refreshed on a machine at any time by running "gpupdate", which pulls the current group policies from the domain. Add the "/force" switch to reapply every setting rather than only those that changed. Some settings, such as software installation, folder redirection and logon scripts, only take effect at logon or startup; gpupdate tells you when that is the case and offers the "/logoff" and "/boot" switches to trigger them.
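Putting the loopback and verification steps above together, as an added example in PowerShell that is not code from the original page: it creates a GPO that enables loopback in Replace mode, attaches an illustrative User Configuration setting, links the GPO to a departmental computer OU, reviews who can apply it, and then checks the result on a workstation with gpupdate and gpresult. It needs the GroupPolicy module (RSAT, Windows Server 2008 R2 or later), so it runs from a current admin workstation rather than the Server 2003 tools mentioned above. The GPO name, the OU path and the NoControlPanel setting are assumptions chosen for illustration; only the O=BYU container and the byu.local domain come from the page.

```powershell
# Added example (not from the page). Requires the GroupPolicy module (RSAT).
# Assumed names: $GpoName and $TargetOU; only O=BYU and byu.local are from the page.
Import-Module GroupPolicy

$GpoName  = 'ExampleDept Lab Workstations'
$TargetOU = 'OU=Lab Workstations,OU=ExampleDept,O=BYU,DC=byu,DC=local'

# Create the GPO if it does not already exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Loopback (Replace) for departmental lab machines'
}

# Loopback is a Computer Configuration setting. The ADMX policy
# "Configure user Group Policy loopback processing mode" writes
# HKLM\SOFTWARE\Policies\Microsoft\Windows\System\UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Illustrative User Configuration setting carried by the same GPO (assumption):
# hide Control Panel for anyone who logs on to these machines.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU that holds the computer objects. The user objects stay
# in the central People OU; loopback is what makes the HKCU setting reach them.
$alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Review who can apply the GPO. Authenticated Users needs Read and Apply Group
# Policy (the default) or the user side is never evaluated for People accounts.
Get-GPPermission -Name $GpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# --- Verification: run on a member workstation in $TargetOU as the logged-on user ---

# Pull policy now; /force reapplies every setting, not only the changed ones.
# If the output says a setting needs logoff or restart, rerun with /logoff or /boot.
gpupdate /force

# Confirm the GPO shows up in the *user* scope even though the user object lives
# in People. (On Windows XP omit /r; plain "gpresult" prints the same report.)
gpresult /scope:user /r | Select-String -SimpleMatch $GpoName
```

Replace mode means the GPOs that would normally apply to the account through the People OU no longer apply on these machines, and the HKCU setting lands on every account that logs on, administrators included. If some accounts must be exempt, add a Deny "Apply Group Policy" entry for their group on the GPO's security tab in GPMC (Set-GPPermission cannot write Deny entries), and keep a Read entry for Authenticated Users so the GPO is still evaluated for everyone else.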
Usually, this indicates that there is a problem with the Windows XP template you used to build the default policy. The best way to correct this problem is to rebuild the template.
Much of Active Directory is Windows-centric, but a few elements can be used from Mac OS X. To do so, sign in to an OS X workstation or server on which Workgroup Manager is installed.
Launch Workgroup Manager. At its login screen press Command-D, or select "View Directories", to list the directories currently configured, and choose the Campus Active Directory domain (BYU or BYU.LOCAL). This connects you to the directory anonymously, with read-only access.
Once connected, click the lock icon near the top right of the Workgroup Manager window and enter your AD credentials when prompted. If authentication succeeds you can manage objects. Note that OS X clients do not process Windows Group Policy Objects; Workgroup Manager manages Mac-specific preference settings instead, so do not expect GPO settings to be honoured on OS X.
Terminal Services is enabled within Campus Active Directory. OIT encourages departments that want to offer applications through Terminal Services to use the enterprise Terminal Services Licensing server, located at variscite.byu.local.