ACTIVE DIRECTORY MANAGEMENT HANDBOOK
ACTIVE DIRECTORY MANAGEMENT
(CT:ADM-4; 11-13-2024)
(Office of Origin: DT/E-CISO/PLT)
5 FAH-12 H-111 Summary
(CT:ADM-4; 11-13-2024)
This handbook provides guidelines for management of the on-premises Microsoft Active Directory (AD) forests associated with OpenNet, ClassNet, and the Demilitarized Zone (DMZ) enclave domestically and abroad. This handbook:
(1) Ensures uniformity of AD information across the enterprise;
(2) Assists information system security officers (ISSOs) and system administrators in identifying and removing inactive shared mailboxes, and inactive or terminated user and service accounts in a timely manner;
(3) Aids in tracking annual Cybersecurity Awareness training compliance;
(4) Allows for accurate iPost risk scoring of AD accounts and risk components;
(5) Ensures AD accounts are maintained to Department policies and guidelines; and
(6) Improves accuracy of Microsoft (MS) Outlook Global Address List (GAL) field searches.
5 FAH-12 H-112 SCOPE
(CT:ADM-4; 11-13-2024)
a. This handbook contains AD-specific guidelines for general maintenance, including the creation and removal of AD accounts. For specific guidelines on their management, refer to the Systems Administration Guide from the Directory Service Management division of the Office of Identity Services (DT/ES/IS/DSM).
b. Guidance contained in this handbook is relevant to configuration and maintenance of AD on Department networks, including but not limited to:
(1) Division of AD by site (Organizational Unit (OU) or managed units);
(2) Primary user accounts;
(3) Secondary user accounts;
(4) Privileged (administrator and ISSO) accounts;
(5) Shared (group) mailbox accounts; and
(6) Service accounts.
5 FAH-12 H-113 MANAGED UNIT (MU)
(CT:ADM-4; 11-13-2024)
This section provides guidance for system administrators and ISSOs on organizing the AD objects they are responsible for per the Systems Administration Guide (Identity, Access, & Email).
5 FAH-12 H-113.1 Active Directory Design
(CT:ADM-4; 11-13-2024)
The Department's AD design was implemented to accommodate business and administration requirements domestically and abroad. See the Systems Administration Guide (Identity, Access, & Email) for details.
5 FAH-12 H-113.2 Account Transfers
(CT:ADM-4; 11-13-2024)
As accounts are transferred between assignments, including Foreign Service transfers between overseas posts or to a domestic assignment, the employee and the losing post have responsibility to prepare the account for transfer. See the Systems Administration Guide (Identity, Access, & Email) for further guidance.
5 FAH-12 H-113.3 Active Directory Naming Standards
(CT:ADM-4; 11-13-2024)
a. The Department's AD structure depends on unique object names. Naming standards allow objects within the AD structure to be easily identified, easily cataloged, and to follow a logical order. This makes it possible for the myriad enterprise systems and applications that reference the directory, whether locally or through modern cloud instances of the same information, to identify objects consistently throughout the enterprise.
b. See the Systems Administration Guide (Identity, Access, & Email) for further guidance on the following naming standards within the AD structure including, but not limited to:
(1) DNS naming convention;
(2) Site names;
(3) Server names;
(4) Workstation names;
(5) Printer names;
(6) User names;
(7) Group names;
(8) Distribution group names;
(9) Security group names;
(10) Public folder names; and
(11) Group policy object names.
5 FAH-12 H-113.4 Computer Accounts
(CT:ADM-4; 11-13-2024)
a. All computers that are added to AD are represented by their individual computer objects.
b. All computer accounts must be configured according to the Systems Administration Guide (Identity, Access, & Email) maintained by DT.
5 FAH-12 H-113.5 Global Address List (GAL) Standardization
(CT:ADM-4; 11-13-2024)
This section refers to the standards for Active Directory (AD) user account objects that are managed by each post and site. Following these standards:
(1) Ensures uniformity of AD user account information across the enterprise;
(2) Allows for accurate scoring with regard to AD user and computer account risk components;
(3) Helps ISSOs better track and identify users within their purview that have taken the annually required Cybersecurity Awareness Training and those that have not;
(4) Makes searches on fields through directories like Microsoft Outlook's GAL relevant when searching for employees and offices by job title, location, and in some cases, function; and
(5) Allows certain AD-centric applications to maintain data integrity. See the Systems Administration Guide (Identity, Access, & Email) for further standards and guidance.
5 FAH-12 H-114 USER ACCOUNT CREATION AND MAINTENANCE
(CT:ADM-4; 11-13-2024)
This section provides guidance for system administrators, managers, and ISSOs on the creation and maintenance of AD accounts.
5 FAH-12 H-114.1 Primary User Accounts
(CT:ADM-4; 11-13-2024)
a. All primary user accounts must be configured according to the Systems Administration Guide (Identity, Access, & Email).
b. Passwords must follow complexity rules specified in 12 FAH-10 H-130.
c. Configure all accounts to require smart card authentication for interactive logon, unless there is an approved exception. The password for these accounts must be centrally managed and kept compliant by DT as outlined in the Systems Administration Guide (Identity, Access, & Email).
5 FAH-12 H-114.2 Secondary Unprivileged User Accounts
(CT:ADM-4; 11-13-2024)
a. All secondary user accounts must be configured according to the Systems Administration Guide (Identity, Access, & Email) maintained by DT.
b. Configure all accounts to require smart card authentication for interactive logon. The password for these accounts must be centrally managed and kept compliant by DT as outlined in the Systems Administration Guide (Identity, Access, & Email).
5 FAH-12 H-114.3 Shared Mailbox Accounts
(CT:ADM-4; 11-13-2024)
a. All shared mailbox accounts must be configured according to the Systems Administration Guide (Identity, Access, & Email).
b. The manager field of all shared mailbox accounts must be set to the primary user account of the person responsible for its management.
c. Configure the mailbox account to be disabled to prevent interactive logon.
d. To prevent accidental interactive logon to the account, configure the mailbox account to require smart card for interactive logon, but do not configure a smart card for the account.
5 FAH-12 H-114.4 Service Accounts
(CT:ADM-4; 11-13-2024)
a. All service accounts must be configured according to Systems Administration Guide (Identity, Access, & Email).
b. All service accounts must be created as managed service accounts or group managed service accounts, unless the application or service for which the account is being configured does not support this account type.
c. Non-managed service accounts must have their passwords changed at least every 60 days and follow password complexity rules specified in 12 FAH-10 H-130.
5 FAH-12 H-114.5 Secondary Privileged Accounts (Admin and ISSO Accounts)
(CT:ADM-4; 11-13-2024)
a. All privileged accounts must be configured according to the Systems Administration Guide (Identity, Access, & Email).
b. All privileged accounts must be configured in AD to require smart card for interactive logon. Password-based authentication is not permitted.
c. The manager field of all privileged user accounts must be set to the primary user account of the person owning the account.
d. Privileged accounts may not be mail-enabled unless required for a time-delimited, specific administrative function.
e. Privileged accounts may not be used to conduct activities that can be accomplished with an unprivileged account, e.g., email, accessing the internet.
5 FAH-12 H-114.6 Enterprise Accounts
(CT:ADM-4; 11-13-2024)
All enterprise accounts must be configured according to the Systems Administration Guide (Identity, Access, & Email) maintained by DT.
5 FAH-12 H-115 ACCOUNT DISABLING AND DELETION
(CT:ADM-4; 11-13-2024)
This section provides guidance for system administrators on the disabling and deletion of user accounts.
5 FAH-12 H-115.1 Manual Disabling and Deletion
(CT:ADM-4; 11-13-2024)
a. System owners must ensure that accounts of all terminated and transferred users are immediately disabled when notified by the user’s supervisor or proper authority such as HR.
b. When notified by the user’s supervisor or proper authority such as HR that an employee has separated, been terminated, or is otherwise no longer authorized system access, system owners must ensure that the employee’s user account is immediately disabled and deleted within 30 days.
c. If a user will be unable to log in for a period of time exceeding 60 days due to a legitimate, approved absence, the ISSO or system administrator may make a request by record email to askISSO@state.gov to retain the inactive account. (NOTE: No exceptions for accounts with inactivity exceeding 365 days will be granted.) The requestor email must include the following:
(1) The user’s account ID;
(2) The date of last logon;
(3) The reason for absence (do not include privacy/PII information); and
(4) The anticipated date of return:
(i) If approved, Office of Information System Security Officer Oversight (DT/CO/ISSO) instructs the requester to configure the account as follows:
(a) Reset the password;
(b) Disable the user account;
(c) Enable “Smart Card is required for interactive logon”;
(d) Change the description field to “User | Hold Approval until M/DD/YYYY”; and
(e) Place the user in a hold status as defined in the Systems Administration Guide (Identity, Access, & Email); and
(ii) Alternatively, the following steps may be taken:
(a) Archive the user’s email and data files and delete the account;
(b) Upon return to duty, recreate the user account and restore the email and data files. The normal account creation process applies; and
(c) If an AD user account is inactive over 90 days and no guidance is received from the account holder, the account must be deleted.
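The hold configuration in paragraph c(i) above, written as an added PowerShell example (ActiveDirectory module); it is not part of this handbook or of any DT tooling. Steps (a) through (d) map directly to the cmdlets shown; the handbook defers the mechanism for step (e) to the Systems Administration Guide, so the move to a hold OU, the `$HoldOU` parameter, and the function name are assumptions.

```powershell
# Added example (not part of 5 FAH-12): place a user account in hold status
# per 5 FAH-12 H-115.1 c(i), after DT/CO/ISSO has approved the request.
# Assumption: "hold status" is represented here by moving the object to an OU.
#Requires -Modules ActiveDirectory

function Set-AdAccountHold {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [datetime] $ReturnDate,
        [string] $HoldOU   # hypothetical, e.g. 'OU=Hold,OU=Users,DC=example,DC=gov'
    )
    $user = Get-ADUser -Identity $SamAccountName

    # (a) Reset the password to a random value that nobody retains. The account
    #     becomes smart-card-only below, so the value itself is never needed.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
    }

    # (b) Disable the account, (c) require smart card for interactive logon, and
    # (d) set the description in the mandated "User | Hold Approval until M/DD/YYYY" form.
    $desc = 'User | Hold Approval until {0}' -f $ReturnDate.ToString('M/dd/yyyy')
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Disable, require smart card, set hold description')) {
        Set-ADUser -Identity $user -Enabled $false -SmartcardLogonRequired $true -Description $desc
    }

    # (e) Place the user in hold status. The handbook leaves the mechanism to the
    #     Systems Administration Guide; moving to a hold OU is an assumption here.
    if ($HoldOU -and $PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $HoldOU")) {
        Move-ADObject -Identity $user -TargetPath $HoldOU
    }
}

# Dry run first; drop -WhatIf to apply the change.
# Set-AdAccountHold -SamAccountName 'jdoe' -ReturnDate '2025-03-15' -WhatIf
```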
5 FAH-12 H-115.2 Automated Disabling and Deletion
(CT:ADM-4; 11-13-2024)
a. DT/CO/ISSO must routinely identify misconfigured and inactive accounts per the Stale Account Remediation Process within Active Directory.
b. DT/CO/ISSO must periodically notify post and site ISSOs of which accounts are stale, inactive, or do not conform to configuration standards outlined in the Systems Administration Guide (Identity, Access, & Email).
c. Three weeks from notification to ISSOs, any un-remediated accounts not logged into in over 60 days must be disabled, and un-remediated accounts not logged into in over 90 days must be deleted by DT in coordination with DT/CO/ISSO.
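An added PowerShell example (ActiveDirectory module), not part of this handbook or of the Stale Account Remediation Process, that reports accounts against the H-115.2 thresholds (over 60 days inactive: disable; over 90 days: delete) and flags enabled accounts that do not require smart card logon. It reports only; the disable and delete actions remain with DT and DT/CO/ISSO. The `$SearchBase` value and the exclusion of SYSTEM and approved-hold accounts by description prefix are assumptions.

```powershell
# Added example (not part of 5 FAH-12): classify accounts per 5 FAH-12 H-115.2
# and flag the most common misconfiguration (no smart card requirement).
#Requires -Modules ActiveDirectory

function Get-StaleAccountReport {
    param(
        [string]   $SearchBase,            # assumed: a post or site OU to scope the report
        [datetime] $AsOf = (Get-Date),
        # Enterprise accounts (SYSTEM, see H-117.2) and approved holds are out of scope.
        [string[]] $ExcludeDescriptionPrefix = @('SYSTEM', 'User | Hold Approval until')
    )
    $props  = 'LastLogonDate', 'WhenCreated', 'SmartcardLogonRequired', 'Description', 'Enabled'
    $params = @{ Filter = '*'; Properties = $props }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($u in (Get-ADUser @params)) {
        if ($ExcludeDescriptionPrefix | Where-Object { $u.Description -like ($_ + '*') }) { continue }

        # LastLogonDate comes from lastLogonTimestamp, which replicates with up to
        # a 14-day lag, so it can understate recent activity by that much.
        # Accounts that never logged on have no value; fall back to creation time.
        $last = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.WhenCreated }
        $days = [int]($AsOf - $last).TotalDays

        $action = if ($days -gt 90)                      { 'Delete (DT with DT/CO/ISSO)' }
                  elseif ($days -gt 60 -and $u.Enabled)  { 'Disable' }
                  elseif ($days -gt 60)                  { 'Already disabled; delete at >90 days' }
                  else                                   { 'None' }

        $misconfig = @()
        if ($u.Enabled -and -not $u.SmartcardLogonRequired) { $misconfig += 'SmartcardLogonRequired=false' }

        if ($action -ne 'None' -or $misconfig.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                LastLogonDate  = $u.LastLogonDate
                DaysInactive   = $days
                Action         = $action
                Misconfigured  = ($misconfig -join '; ')
            }
        }
    }
}

# Get-StaleAccountReport -SearchBase 'OU=Users,DC=example,DC=gov' |
#     Sort-Object DaysInactive -Descending | Format-Table -AutoSize
```

The 60- and 90-day figures are the handbook's own thresholds; the report is intended as the input to the ISSO notification step in paragraph b, not as a substitute for it.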
5 FAH-12 H-116 AUDITING OR LOGGING
(CT:ADM-4; 11-13-2024)
DT/CO/ISSO must maintain all records of accounts that are disabled and deleted via the automated disabling and deletion process.
5 FAH-12 H-117 References
(CT:ADM-4; 11-13-2024)
5 FAH-12 H-117.1 Acronyms
(CT:ADM-4; 11-13-2024)
AD – Active Directory
DCIO – Deputy Chief Information Officer
DMZ – Demilitarized Zone
DT – Bureau of Diplomatic Technology
ISSO – Information Systems Security Officer
MS – Microsoft
OU – Organizational Unit
5 FAH-12 H-117.2 Definitions
(CT:ADM-4; 11-13-2024)
Administrative accounts: See secondary privileged account.
Elevated privileges: Escalated privileges that typically grant access to perform administrative functions.
Enterprise accounts: Special system user accounts managed by enterprise administrators or specific, authorized domain administrators. These accounts are identified by the use of SYSTEM in the beginning of the Description field. See the Systems Administration Guide (Identity, Access, & Email) for specific account examples.
Inactive account: An account that has not been logged into within 60 days.
Misconfigured account: An account which does not conform to the configuration guidelines set forth in the Systems Administration Guide (Identity, Access, & Email).
Primary user account: The primary Active Directory (AD) account that an individual utilizes to login to a network. This account, commonly referred to as an end-user account, is utilized by one individual and is used to perform tasks such as: logging on to the network, receiving/sending email, and accessing network file shares/resources. Primary user accounts must not have elevated privileges. There must be only one primary account per user. See the Systems Administration Guide (Identity, Access, & Email).
Shared mailboxes: A shared mailbox is a mailbox that multiple users access to read and send email messages from a generic email address. Shared mailboxes can also be used to provide a common calendar, allowing multiple users to schedule and view vacation time or work shifts.
Secondary privileged user account (admin and ISSO): An account utilized by an individual to perform specialized tasks that require elevated privileges. These accounts are also referred to as Administrator accounts. Administrator accounts are made to be members of domain-specific security groups, thus giving them access to files, folders, and systems that normal end-users do not have access to.
Secondary unprivileged user account: An unprivileged user account used in certain cases when a second user account is required in addition to a primary user account, e.g., a TDY account.
Service accounts: A special user account, often with elevated privileges, that an application or service uses to interact with the operating system. Services use the service accounts to log on and make changes to the operating system or the configuration. Through permissions, you can control the actions that the service can perform.
Stale account: An account which has not been logged into within 60 days. Also called an inactive account.
5 FAH-12 H-117.3 Authorities
(CT:ADM-4; 11-13-2024)
Authorities for this handbook are:
(1) Executive Order 13526 as amended — Classified National Security Information;
(2) Information Technology Management Reform Act of 1996 (Clinger-Cohen Act);
(3) Federal Information Security Modernization Act of 2014, Public Law 113-283;
(4) OMB Circular A-130, Management of Federal Information Resources (1996);
(5) OMB Memorandum M-00-13, Privacy Policies and Data Collection on Federal Websites, June 22, 2000;
(6) OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, January 26, 2022;
(7) Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors; and
(8) National Institute of Standards and Technology Special Publication 800-53, rev. 5, “Security and Privacy Controls for Federal Information Systems and Organizations,” December 10, 2020.
5 FAH-12 H-117.6 Related FAM/FAHs
(CT:ADM-4; 11-13-2024)
12 FAH-10 H-130 – IDENTIFICATION AND AUTHENTICATION
5 FAH-12 H-118 Through 119 UNASSIGNED