Active Directory (AD) Account Management

Summary

The purpose of this document is to help the OIT Team understand the AD account creation, disabling, expiration and support processes and responsibilities.

Body

 

Account Management

This procedure provides guidance on how Active Directory Accounts are to be created, disabled, deleted, maintained and supported at the UHCL Office of Information Technology. This document was generated as a part of the AD Account project and will be reviewed and updated annually by PMO.

 


 

Account Creation

The table below lists, for each account type, the creation method, the creation process and the resulting output.

No. Account Type Method Creation Process Output
1 Student Account Automatic a. Source is Campus Solution
b. It is an account in PCLAB Domain, created once a student is admitted to UHCL and registered in a course.
c. Accounts are automatically renewed for the Fall and Spring semesters through re-enrollment at UHCL.
d. An email listing the student accounts created is sent to the Support Center
AD Account in PCLAB and Mailbox
2 Staff Faculty Account Automatic a. Source is HR System
b. The account is created on the official hire date after HR's approval.
c. An email listing the employee accounts created is sent to the Support Center
AD Account and Mailbox
3 Adjunct Accounts Automatic  a. Source is HR System
 b. The account is created on the official hire date after HR's approval.
 c. It has an expiry date.
 d. An email is sent to support center with list of employee accounts created
AD Account and Mailbox
4 Student Worker Accounts Automatic  a. Source is HR System
 b. The account is created on the official hire date after HR's approval.
 c. It has an expiry date.
 d. An email is sent to support center with list of employee accounts created
AD Account and Mailbox
5 POI Account Automatic a. Department creates an ePOI record for the requester, with a start and end date
b. HR approves it.
c. POI Types approved by HR are Auditors, Campus Program Workers, Consultants, Future Employees, Future Faculty Employees, Guest Speakers, Guests, Other Students – UHCL Conf Edu, Temps
d. An email is sent to support center with list of accounts created
AD Account and Mailbox
6 Exception/Emergency Account Semi-Automatic It is a temporary account with a start and end date, for requests that cannot wait for the POI process
a. Department submits Account creation Form
b. Dept Head/Director/VP approves it
c. Support Center- Level1 submits a work order
d. Support Center - Level2 creates the account using Profiles
e. Accounts should have an expiration date set for 2 days by default
AD Account and/or Mailbox based on the request
7 Events Account
(Single or Multiple)
Semi-Automatic It is a temporary account with a start and end date created for an event
a. Department submits Account creation Form
b. Dept Head/Director/VP approves it
c. Support Center- Level1 submits a work order
d. Academic Computing creates the account using Profiles
AD Account Only
8 Test Account Semi-Automatic It is a temporary account created for testing systems/ applications.
a. Department submits Account Creation Form
b. Dept Head/Director/VP approves it
c. Support Center- Level1 submits a work order
d. Sysadmins create the account. Support Center and Academic Computing can create test accounts for their own requirements
e. The account should be tied to an existing UHCL Empl ID, and the default expiration date should be 6 months
AD Account and Mailbox
9 Service Account Manual It is a non-human privileged account used to execute applications, run automated services, etc.
a. Department submits Account Creation Form
b. Dept Head/Director/VP approves it
c. ISO approves it
d. Support Center- Level1 submits a work order
e. Sysadmins create the account using AD tool
AD Account Only
10 Shared Mailbox Manual a. Department submits Account creation Form
b. Dept Head/Director/VP approves it
c. Support Center- Level1 submits a work order
d. Sysadmins create the mailbox using Profiles + Azure tool to separate the account
Mailbox Only tied to Owner's ID
11 Distribution List Manual a. Department submits Account creation Form
b. Dept Head/Director/VP approves it
c. Support Center- Level1 submits a work order
d. Sysadmins create the distribution list using AD tool
Distribution List tied to the requester
12 Oracle Accounts for students Semi-Automatic a. For classes that require students to use Oracle, a request is sent to the DBA by the instructor for the entire class prior to the beginning of each semester
b. DBA creates the account using Profiles Tool
Oracle Account
13 Unix Accounts for Students Semi-Automatic a. Source is Campus Solution
b. Scripts are run by CSE sys admin (Krishani) to create Unix accounts for all students registered for Computer Science and Software Engineering courses.
c. Students refer to the website for information on credentials - https://sceweb.sce.uhcl.edu/support/ 
Unix Accounts
14 SCE Account for Staff and Students Semi-Automatic a. Source is Campus Solution for students
b. Scripts are run by CSE SysAdmin (Krishani) to create SCE accounts for all students registered for Computer Science and Software Engineering courses every semester.
c. Students refer to the website for information on credentials - https://sceweb.sce.uhcl.edu/support/
d. For faculty and staff it is manually created based on the request
AD Account in SCE Domain

 

Account Disabling/Deletion

The table below lists, for each account type, the method and process for disabling/expiration and the method and process for permanent deletion.

No. Account Type Disabling Method Disabling/Expiration Process Permanent Deletion Method Permanent Deletion Process
1 Student Account Automatic a. Student account will expire approximately 15 months after a student stops attending UHCL for a long term (fall or spring). 
b. For an international student, the account is set to expire 30 months after the student's first non-attendance in a long term. 
Manual a. Deleted approximately 90 days after the account expires.
b. If a student returns to UHCL before the account is deleted, the account will be automatically re-activated. 
c. A change management request is raised and on approval, sysadmins delete the accounts
2 Staff Faculty Account Automatic

a. AD Account is disabled on separation, based on the date* confirmed by HR.
b. The mailbox cannot be accessed because the AD account is disabled.
c. An email is sent to CIO, 14 days prior to the disabling, with the list of accounts
d. CIO informs department heads about disabling of accounts.
e. If any of those accounts need to be enabled, Support Center Level2 will enable them based on the instruction from CIO
f. An email is sent to CIO, Support Center and HR with the list of Accounts that expired.

g. As soon as an employee’s status is expired and no “Out of Office” message has been added, a script will automatically add an “Out of Office” message so that anyone who sends an email to that person receives it.

- Not happening currently
3 Adjunct Accounts Automatic

a. AD Account is disabled on separation, based on the date* provided by HR.
b. Mailbox cannot be accessed as AD account is disabled.

c. As soon as an employee’s status is expired and no “Out of Office” message has been added, a script will automatically add an “Out of Office” message so that anyone who sends an email to that person receives it.

- Not happening currently
4 Student Worker Accounts Automatic

a. AD Account is disabled on separation, based on the date* provided by HR.
b. Mailbox is not deleted, but cannot be accessed as AD account is disabled.

c. As soon as an employee’s status is expired and no “Out of Office” message has been added, a script will automatically add an “Out of Office” message so that anyone who sends an email to that person receives it.

- Not happening currently
5 POI Accounts Automatic

a. AD Accounts are disabled on separation, based on the date* provided by HR.
b. Mailboxes are not deleted, but cannot be accessed as AD account is disabled.

c. As soon as an employee’s status is expired and no “Out of Office” message has been added, a script will automatically add an “Out of Office” message so that anyone who sends an email to that person receives it.

- Not happening currently
6 Exception/Emergency Account Automatic

a. Account gets disabled on the expiry date.

b. As soon as a UHCL account's status is expired and no “Out of Office” message has been added, a script will automatically add an “Out of Office” message so that anyone who sends an email to that person receives it.

- Not happening currently
7 Event Account
(Single or Multiple)
Automatic Account gets disabled on the expiry date Manual If the events are a one-time-only affair, then after approximately two to three months the Academic Computing team deletes them. However, if they are for repeating events (like COE’s KidsU summer camps), they simply stay expired and disabled until they’re needed again.
8 Test Account Automatic Account gets disabled on the expiry date  Manual a. If a test account is no longer required, a request should be sent to Support Center
b. Support Center Level-1 raises a work order
c. Sysadmins delete the account
9 Service Account - No Expiration Manual a. If a service account is no longer required, a request should be sent to Support Center
b. Support Center Level-1 raises a work order
c. Sysadmins delete the account
10 Shared Mailbox - No Expiration Manual a. If a mailbox is no longer required, a request should be sent to Support Center
b. Support Center Level-1  raises a work order
c. Sysadmins delete the mailbox
11 Distribution List - No Expiration Manual a. If a distribution list is no longer required, a request should be sent to Support Center
b. Support Center Level-1 raises a work order
c. Sysadmins delete the list
12 Oracle Accounts for Students - No Disabling
When a domain account is disabled, the Oracle account cannot be used.
Manual Old student accounts are purged when the database is upgraded
 
13 Unix Accounts for Students Automatic An account that is not activated within 30 days of creation is automatically inactivated Semi-Automatic A script is run to delete accounts at the end of each semester. The home directory is retained for 5 years
14 SCE Account for Students - No Disabling Semi-Automatic A script is run to delete accounts at the end of each semester. 
*If a 499 code record exists for an individual, that account is disabled based on the expiry date HR gave on that record, not the regular end date.

 

Account Reconciliation

The table below lists the reconciliation method and process for each account type.

No. Account Type Method Reconciliation Process
1 Student Account Automatic a. ADRecon is a reconciliation program between Active Directory, Profiles and Phone_feed (in Profiles, but fed from the UHCL Phone System)
b. The program runs for students every Thursday.
c. An email is sent to the Support Center listing all the accounts that ran successfully and reporting errors, if any
d. Support Center - Level1 submits a work order for the errors received.
e. Appdev resolves the issue and coordinates with sysadmins if required  
2 Staff Faculty Account Automatic a. ADRecon is a reconciliation program between Active Directory, Profiles and Phone_feed (in Profiles, but fed from the UHCL Phone System)
b. The program runs for employees daily.
c. An email is sent to the Support Center listing all the accounts that ran successfully and reporting errors, if any
d. Support Center - Level1 submits a work order for the errors received.
e. Appdev resolves the issue and coordinates with sysadmins if required
3 Adjunct Accounts Automatic a. ADRecon is a reconciliation program between Active Directory, Profiles and Phone_feed (in Profiles, but fed from the UHCL Phone System)
b. The program runs for employees daily.
c. An email is sent to the Support Center listing all the accounts that ran successfully and reporting errors, if any
d. Support Center - Level1 submits a work order for the errors received.
e. Appdev resolves the issue and coordinates with sysadmins if required
4 Student Worker Accounts Automatic a. ADRecon is a reconciliation program between Active Directory, Profiles and Phone_feed (in Profiles, but fed from the UHCL Phone System)
b. The program runs for employees daily.
c. An email is sent to the Support Center listing all the accounts that ran successfully and reporting errors, if any
d. Support Center - Level1 submits a work order for the errors received.
e. Appdev resolves the issue and coordinates with sysadmins if required
5 POI Accounts - No reconciliation
6 Exception/Emergency Account - No reconciliation
7 Events Account
(Single or Multiple)
- No reconciliation
8 Test Account - No reconciliation
9 Service Account - No reconciliation
10 Shared Mailbox - No reconciliation
11 Distribution List - No reconciliation
12 Oracle Accounts for Students - No reconciliation
13 Unix Accounts Semi-Automatic A script is run to gather data and a comparison is done by the CSE Team (Krishani and TAs) every semester
14 SCE Accounts Semi-Automatic A script is run to gather data and a comparison is done by the CSE Team (Krishani and TAs) every semester

 

Account Support

The table below lists the support tiers for each account type.

No Account Type  Tier1  Tier2 Tier3
1 Student Account Support Center - Level1 Appdev/SysAdmin
2 Staff Faculty Account Support Center - Level1 Appdev/SysAdmin
3 Adjunct Accounts Support Center - Level1 Appdev/SysAdmin
4 Student Worker Accounts Support Center - Level1 Appdev/SysAdmin
5 POI Account Support Center - Level1 Appdev/SysAdmin
6 Exception/Emergency Account Support Center - Level1 Support Center - Level2 Appdev/SysAdmin
7 Events Account
(Single or Multiple)
Support Center - Level1 Academic Computing Appdev
8 Test Account Support Center - Level1 SysAdmin Appdev
9 Service Account Support Center - Level1 SysAdmin
10 Shared Mailbox Support Center - Level1 SysAdmin
11 Distribution List Support Center - Level1 SysAdmin
12 Oracle Accounts for students Support Center - Level1 DBA
13 Unix Accounts for Students CSE Team
14 SCE Account for Staff and Students CSE Team

 

Profiles Tool Information

The table below lists the owner, users and support team for the Profiles tool.

PROFILES TOOL
Profiles Tool: An in-house application that supports user account management
Application Owner: Dr. Gaskins
Tool Development & Maintenance: Appdev Team (Sai's Team - Margaret & Bindu)
Tool Administrator: SysAdmins - Mike's Team
End Users: Support Center - Level1 & Level2, Academic Computing, Sysadmins, Appdev, DBA and ISO
Training & Documentation: Appdev Team (Sai's Team - Margaret & Bindu)

 

 

Revision Log

Revision No. | Approved Date | Approved By
1 | 6/30/2022 | Dr. Gaskins

 

Details


Article ID: 6989
Created: Tue 6/28/22 4:56 PM
Modified: Mon 12/19/22 4:57 PM