IT Policies - MRI Windows Domain
UNDER CONSTRUCTION
Purpose
Scope
Rationale
Policy
Definitions
Introduction
MRI administers a Microsoft Windows domain (mri.psu.edu) that includes Active Directory (AD), Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), Microsoft Exchange Server, Microsoft SQL Server, Microsoft Internet Information Services (IIS), and Microsoft SharePoint Services.
Accounts
An account (hereafter referred to as a domain account) is required to access MRI Windows Domain resources. Domain accounts are available to any MRI community member who holds a Penn State Access Account. A domain account consists of a username (used interchangeably with userid) and a password.
Usernames
A user's username for a domain account will be the user's Penn State Access Account username (e.g., xyz123). By using the Penn State format as a standard, MRI is better able to audit accounts and tell when a user is no longer associated with the University. As such, a domain account will only be created after the Penn State Access Account has been created.
Passwords
Prior to July 1, 2007, passwords for domain accounts had the following characteristics:
- Maximum password age = 180 days
- Minimum password age = 14 days
- Minimum password length = 6 characters
- Enforce password history = 4 passwords remembered
- Password must meet complexity requirements = Disabled
- Account lockout policy:
  - Account lockout duration = 10 minutes
  - Account lockout threshold = 5 invalid logon attempts
  - Reset account lockout counter after = 10 minutes
After July 1, 2007, passwords for domain accounts have the following characteristics:
- Maximum password age = 90 days
- Minimum password age = 14 days
- Minimum password length = 8 characters
- Enforce password history = 4 passwords remembered
- Password must meet complexity requirements = Enabled. A password must:
  - Not contain significant portions of the user's account name or full name
  - Be at least six characters in length
  - Contain characters from three of the following four categories:
    - English uppercase characters (A through Z)
    - English lowercase characters (a through z)
    - Base 10 digits (0 through 9)
    - Non-alphabetic characters (for example, !, $, #, %)
- Account lockout policy:
  - Account lockout duration = 30 minutes
  - Account lockout threshold = 3 invalid logon attempts
  - Reset account lockout counter after = 30 minutes
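The post-July-2007 complexity rules, implemented as a standalone check so that a candidate password can be tested before it reaches the domain. This is an added example, not MRI's own script or Windows code; it follows the documented Windows reading of the name rule (account name checked whole, full name split on commas, periods, hyphens, underscores, spaces, pound signs and tabs, fragments shorter than three characters ignored), and the demo account and passwords are constructed.

```python
import re
from dataclasses import dataclass, field

# Settings taken from the post-July-2007 policy above.
MIN_LENGTH = 8            # Minimum password length
REQUIRED_CATEGORIES = 3   # Character categories required (of 4)
# Delimiters on which Windows splits the full name before checking fragments.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def name_tokens(account_name: str, full_name: str) -> list:
    """Name fragments that must not appear in the password.

    The account name is checked whole (skipped if shorter than three
    characters); the full name is split on NAME_DELIMITERS and every
    fragment of three or more characters is checked.
    """
    tokens = [account_name] if len(account_name) >= 3 else []
    tokens.extend(t for t in NAME_DELIMITERS.split(full_name) if len(t) >= 3)
    return tokens


def check_password(password: str, account_name: str, full_name: str) -> Verdict:
    """Apply the length, name and three-of-four category rules; collect every failure."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()          # the name rule is case-insensitive
    for token in name_tokens(account_name, full_name):
        if token.lower() in lowered:
            reasons.append(f"contains name fragment '{token}'")
    categories = [
        any("A" <= c <= "Z" for c in password),   # English uppercase
        any("a" <= c <= "z" for c in password),   # English lowercase
        any("0" <= c <= "9" for c in password),   # base-10 digits
        any(not c.isalnum() for c in password),   # non-alphanumeric (!, $, #, %)
    ]
    if sum(categories) < REQUIRED_CATEGORIES:
        reasons.append(f"only {sum(categories)} of 4 character categories")
    return Verdict(ok=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed demo account; xyz123 is the page's example username format.
    for candidate in ("Tr0ub4dor!", "password", "Xyz123!A", "Public#2007"):
        print(candidate, check_password(candidate, "xyz123", "Jane Q. Public"))
```

Note that the page's minimum length setting (8) is stricter than the six characters named inside the complexity rule, so the effective minimum is 8.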
Users are reminded at logon of an upcoming required password change during the 14 days before the password expires. In addition, a custom script scans domain accounts every morning and sends an e-mail reminder to those users whose passwords will expire within 14 days.
Account Closing/Auditing
Users are required to inform MRI IT Staff when leaving MRI or Penn State. MRI IT Staff will work with the user to agree upon a date on which the user's domain account is disabled and deleted from the domain.
On a monthly basis, MRI IT Staff will audit the user accounts within the domain, disabling and deleting those accounts that no longer have a matching record in the Penn State LDAP directory.
Non-Penn State Owned Computers
Only Penn State owned computers are eligible to be joined to the MRI Windows Domain. Therefore, no non-Penn State owned computer, whether personally owned by a person holding a Penn State Access Account or owned by someone without a Penn State Access Account, will be allowed to join the MRI Windows Domain. MRI reserves the right to request proof of ownership if ownership is in doubt.
Software
Under development.
File servers
Anyone with a domain account may request and obtain file server space on the MRI file servers. Storage space granted to users will be used for official Penn State purposes only. Multimedia files not directly related to Penn State education, research or service are not to be stored on the file servers. Certain MRI IT Staff reserve the right to scan file servers periodically for such files and will notify users of files found as well as a deadline for resolution.
While certain MRI IT Staff have full access to the file servers in order to properly administer the servers, these staff members are obligated to comply with University policies related to privacy and therefore will not unnecessarily access files stored on the servers.
Microsoft Exchange
MRI administers a Microsoft Exchange server for e-mail, calendar, tasks and other organizational needs. Access to the MRI Exchange server will be granted to any faculty or staff members with a domain account.
Accessing the Exchange server will be permitted only via a web browser (web mail) and MAPI or compatible protocols. POP3 and IMAP access to the Exchange service is not permitted; the main Penn State e-mail servers serve this need.
One advantage of using the MRI Exchange server is the ability of a user to grant access to other users. Examples include a faculty member granting full mailbox access to a staff assistant, or a user sharing a calendar with all Exchange users. Under no circumstance will an MRI IT Staff member grant access to a user's resources without that user's permission.
RPC over HTTP
Outlook Web Access
Backup/Disaster
Objective
The backup system employed by MRI is designed to restore data in case of a total system failure or to restore a user's files that have been deleted or corrupted. Magnetic tapes used in the backup system are stored off-site in a fire safe at the house of one of the MRI IT Staff members in case of a catastrophic event. Future plans include sending these tapes to an off-site storage facility that is out of the reach of region-level disasters.
Scope
All servers within the MRI IT infrastructure are covered by the backup system. Individual computers are not covered.
Backup Procedure
When a scheduled backup runs, all backup content is written first to the local backup-to-disk server. Upon completion of the backup-to-disk job, an auxiliary job copies the backup data to magnetic tape, and those tapes are eventually moved to the off-site location. Where the local backup-to-disk server is co-located with the magnetic tape library, an additional copy of the backup data is sent to a backup-to-disk server in another building.