User accounts fall into one of seven categories:
- Kiosk Account:
These accounts generally have simple passwords, have the password for the account posted on the computer, or are set to login automatically. These accounts may be shared, are not covered by our passphrase policy, do not have access to any department resources (shares, calendars, etc…).
- Limited Access, Shared Account.
These accounts are unlike kiosk accounts in that they may have access to departmental shared and/or access to exchange calendars. The accounts may be shared, but ONLY to ‘need-to-use’ persons and may only be given access to resources required by their job function. These accounts are special because they fall under our passphrase policy, but are required to change their passphrase whenever a worker leaves.
- Limited Access, Single User.
This account is one which would typically be granted to a student worker, or certain staff members. These accounts are used for a specific purpose such as access to the internet, or another system which requires its own password. These accounts cannot be shared, are not covered by our passphrase policy, cannot be allowed access to departmental shares or data and are not allocated a home directory.
- Staff Access, Single User.
These are the most common accounts. The accounts may have access to: departmental shares, a user home directory, a user mailbox, and/or other resources. These accounts may not be shared and must adhere to our passphrase policy.
- Delegate Access, Single User.
These accounts are granted special access to certain staff members to perform limited administrative functions in their respective areas. This is not typically an IT person. Generally this type of account allows the user to unlock other user accounts and may be granted privilege to define access to departmental shares. These accounts may not be shared and must adhere to delegate passphrase policy.
- OU Admin, Single User:
These accounts are given to IT staff members that have been delegated administrative authority of AD objects and files shares for a department or area, typically within a single AD OU. These accounts may not be shared, have a user directory, may have a mailbox, may be granted access to departmental shares, may be delegated authority to AD objects (reset passwords, unlock accounts, create new accounts, etc…), and must adhere to our IT passphrase policy. This is a minimum 20 characters passphrase.
- Domain Admin:
These accounts are given to a limited number of individuals and grant complete access to all resources within the domain. These accounts may not be shared, do not have a user directory, may NOT have a mailbox, have full access to all domain resources (shares, ad objects, mailboxes, etc…), and must adhere to our domain admin passphrase policy. This requires a minimum of 30 characters and minimum complexity.