Skip Ribbon Commands
Skip to main content
Sign In
Last modified at 5/14/2015 12:30 PM by Kevin Burney Windows System Admin

1. Introduction
2. Computer Names
3. User Account Names
4. Security and Distribution Groups
5. Group Policy Objects (GPOs)
6. CalNetAD Organization Prefixes

  1. Introduction

    We anticipate that many departments and units, large and small, on the Berkeley Campus will elect to join the CalNetAD forest. Most of the administrative responsibilities in the forest will be delegated to system administrators in these departments and units who will be creating Active Directory resources, with their associated names. These naming standards are meant to maintain an orderly forest, to ease recoginition of forest resources, and to help avoid naming collisions.

  2. Computer Names

    Windows computers have two names; a Fully Qualified Domain Name (FQDN) name, and a "pre-Windows 2000",  NetBIOS name.  In most cases, the host portion of two names will be identical and will be based upon the campus DNS name assigned to the campus IP address used by a machine. 

    However, naming collisions can occur when computer names are moved into the CalNetAD.

    Example 1: Computer with hostname ad-host1, DNS name ad-host1.ist.berkeley.edu, located in the EEI OU in Active Directory

    COMPUTER NAME: ad-host1 
    DNS NAME: ad-host1.ist.berkeley.edu
    DN: cn=ad-host1,ou=EEI,dc=campus,dc=berkeley,dc=edu

    Example 2: Computer with hostname ad-host1, DNS name ad-host1.coe.berkeley.edu, located in the COEDEAN OU in Active Directory

    COMPUTER NAME: ad-host1
    DNS NAME: ad-host1.coe.berkeley.edu
    DN: cn=ad-host1,ou=COEDEAN,dc=campus,dc=berkeley,dc=edu

    The "pre-Windows 2000", or NetBIOS, computer name is really the "account" name for the computer, and must be unique within the Windows 2000 domain in which it resides. In the two examples above, the account name 'ad-host1' is already taken by the machine in the EEI OU in Example 1. Thus, the machine in the COEDEAN OU in the second example will need to request a DNS name change to another, unique name.

     

    For compatibility with "pre-Windows 2000" operating systems, the length of the "pre-Windows 2000", or NetBIOS, computer name is limited to 15 characters. 

  3.  User Account Names

    As is the case with computers, a Windows user object has two names; a user "distinguished name", and an "account name".  The account name must be unique within the CalNetAD domain, while the user distinguished name, which serves as the Relative Distinguished Name (RDN) of the user in the Active Directory, must be unique within the Active Directory container in which it resides.

    For users with a CalNetID, the user's Windows account name should be identical to the user's CalNetID.

    For users who do not possess a CalNetID, the Windows user account name must be prefixed by pvt or svc followed by the OU Prefix and the user id, for example  pvt-joe or svc-joe.  Since pvt or svc are not allowed in CalNetID's, these non-uniqname Windows user names will not conflict with uniqname-based accounts that may be created in the future.

    Example: mycalnetid (uniqname-based CalNetAD user account name)
    Example: pvt-localname (non-uniqname CalNetAD user account name)
    Example: svc-localname (non-uniqname CalNetAD user account name)

    For users with a CalNetID, the CalNetID is used for both the user "distinguished name" and the "account name".   By using the uniqname as a distinguished name, we avoid name collisions within the CalNetAD forest that would otherwise result if full user names were used. For compatibility with "pre-Windows 2000" operating systems, the length of the "pre-Windows 2000", or NetBIOS, the account name is limited to 15 characters.

  4.  Security and Distribution Groups

    A Windows Active Directory group may be one of six types.  Two broad categories, "security" and "distribution", define the general type of the group.  Each of these two types is further defined as either "domain local", "global" or "universal".  See the Microsoft Technet Article on  Active Directory Groups for a more detailed explanation of Active Directory groups.

    The CalNetAD recommended naming standard for Active Directory security and distribution group names is:

    dddd-group_name-tt

     

    dddd

    CalNetAD OU name

     

    tt

    type of group ( ls, gs, us, ld, gd, ud )  See Note, below

     

    group_name

    descriptive name which explains the purpose of the group

     

     

    Active Directory group types are:
     

    group types (tt)

    ls

    domain local security

    gs

    global security

    us

    universal security

    ld

    domain local distribution

    gd

    global distribution

    ud

    universal distribution

    Example: EEI-OU_ Admins-gs

    Because Active Directory groups are replicated across the network, they must be populated in ways that minimize network replication.  Try to use global and domain local groups where possible.  If you have a need to create a universal group, do not populate the universal group with individual users.  Instead, use the names of other groups to build the universal group membership.

    Note: All group types in AD are displayed with the same group icon, which can be visually confusing.  The Active Directory Users and Computers console does shows the group type field, however testing has shown that after making changes to an individual group, the user interface no longer displays the group type field description.  This can cause confusion and lead to error, which is why we include the group type as part of the group naming scheme. Using this scheme will help prevent Administrators from choosing the wrong group when they are managing groups within groups, in their own domain and across other domains.

  5.  Group Policy Objects (GPOs)

    The naming convention for Group Policy Objects is to use a CalNetAD OU Name as a prefix for all Group Policy names.  For instance, "EEI staff policy", or "HAAS lab 300 policy".  Using Group Policy names prefixed with your CalNetAD OU Name will reduce the likelihood that similarly named Group Policy objects will be confused with one-another. 

  6. CalNetAD OU Names

    A list of the CalNetAD OU names and prefixes is available here requires CalNet authentication.