Naming Standards for the U-M Windows Forest

A large number of U-M organizations, large and small, participate in the U-M Windows forest. Most of the administrative responsibilities in the forest are delegated to campus administrators, who create Windows resources with associated names. The purpose of the U-M Windows naming standards is to maintain an orderly forest, to ease the recognition of Windows resources, and to avoid the chaos of naming collisions. Currently, naming standards have been drafted for the following types of Windows resources:

Domain Names

When choosing a Windows domain name, the prefix of the domain name must be unique within the U-M Windows forest. For instance, for the domain "ad.engin.umich.edu", the "ad" prefix must be unique, and cannot be used as a prefix for a new domain name. This domain naming convention has been adopted to prevent duplicate names in the Microsoft Windows Network browsing environment. The Microsoft Windows Network browsing environment, available through My Network Places, currently uses the domain prefix to identify a domain. 'Browsing' is used to display the root of the Active Directory, and only displays the first part of each tree's domain name. When more than one tree begins with the exact same name, like "ad.engin.." and "ad.lsa..", users see two trees with only "ad" and cannot determine which domain tree is which. Once they make a selection, the full domain name for the tree is displayed properly. In fact, a Windows domain name prefix and the short "NetBIOS" domain name can, and often do, differ.

Computer Names

Windows computers have two names: a "long" name and a "pre-Windows 2000" or NetBIOS name. In most cases, the two names will be identical. The U-M naming standard is required for the "pre-Windows 2000" (NetBIOS) name and recommended for the "long" computer name.

The U-M naming standard for computer names is as follows:

xxx-rest_of_name (or)
xxxrest_of_name

  • xxx
    Registered organization prefix, 2 or more characters in length. See the U-M Windows Organization Prefixes section below for directions on obtaining a prefix for your organization. We recommend keeping the prefix length to 4 characters or less. The dash (-) is optional, but recommended for ease of recognition.
  • rest_of_name
    A suffix chosen by the organization creating the computer.

Example: LNG-WOLVERINE123456789 ("long" computer name)

The "long" computer name is typically used to form the DNS name of the computer, and is also used to form the Distinguished Name (DN) of the computer in the Active Directory. For example:

COMPUTER NAME: LNG-WOLV1
DNS NAME: lng-wolv1.ads.itcs.umich.edu
DN: cn=lng-wolv1,ou=lngs,ou=organizations,ou=umich,dc=ads,dc=itcs,dc=umich,dc=edu

The "pre-Windows 2000" (NetBIOS) computer name is really the "account" name for the computer, and must be unique within the Windows domain in which it resides. Because WINS-based browsing services are still being used on campus, choosing a computer name that is unique throughout the entire U-M campus environment is highly recommended, to avoid WINS name collisions. For compatibility with "pre-Windows 2000" operating systems, the length of the "pre-Windows 2000" (NetBIOS) computer name is limited to 15 characters.

Example: LNG-WOLVERI1234 (NetBIOS name, 15 characters in length)

Note: Avoid the use of users' names or uniqnames in naming computers. Using names that identify the users of your computers may limit your ability to request log data. See Guidelines for Release of Security Log Information.

User Account Names

As is the case with computers, a Windows user object has two names: a user "distinguished name" and an "account name." The account name must be unique within the Windows domain, while the user distinguished name—which serves as the Relative Distinguished Name (RDN) of the user in the Active Directory—must be unique within the Active Directory container in which it resides. For example, an Organizational Unit container could not contain two identically named individuals.

U-M Uniqname AD Accounts

For users with a U-M uniqname, the user's Windows account name should be identical to the user's U-M uniqname, which is defined as 3 to 8 alpha characters. In practice, these types of accounts are created automatically as users in the U-M Directory are duplicated with equivalent accounts in the UMROOT domain. For users created in the UMROOT domain (adsroot.itcs.umich.edu), the U-M uniqname is used for both the user "distinguished name" and the "account name." By using the uniqname as a distinguished name, we avoid name collisions within the People OU that would otherwise result if full user names were used. See Active Directory Design of the UMROOT Domain for further information.

Campus units can request that uniqname-based Windows accounts be moved into a departmental Accounts OU to allow them to manage those user objects. For more information on this service, see the U-M Windows Central Accounts Service page.

Names for Privileged Accounts

Privileged accounts and their naming conventions include the following:

  • Domain Administrator Accounts. These accounts are reserved to a limited number of Information and Technology Services (ITS) administrators.
    • Naming convention: uniqname1 (the account holder's uniqname followed by the number 1)
    • Example: bjensen1
  • Server Administrator Accounts. These are accounts with broad authority within UMROOT with privileges in multiple OUs.
    • Naming convention: uniqname2
    • Example: bjensen2
  • Organizational Unit (OU) Administrator Accounts. This includes anyone who can make modifications within an OU and accounts with privileges within a specific OU.
    • Naming convention: uniqname + a number suffix other than 1 or 2, or a department name with a number or descriptive suffix
    • Examples: bjensen0, department_name-ouadmins1

Names for Other AD Accounts

Some AD accounts do not directly correspond to a U-M uniqname. These types of accounts include resource accounts and accounts for individuals who may be visitors without a U-M uniqname. For "other AD accounts," the account name and Relative Distinguished Name do not need to match.

Follow these rules to construct names for non-uniqname AD accounts:

  • dept-anything (An organization/department prefix, followed by a hyphen and a description.) If the user does not have a U-M uniqname, this is the preferred syntax, where anything would identify the user. It can also be used for resource accounts, such as Exchange calendars, where anything would describe the resource.
    • Examples: chem-babsjensen, math-EventsCalendar
  • uniqname-anything (A uniqname, followed by a hyphen and a description.) This form is preferred for test accounts, if the user has a uniqname.
    • Example: bjensen-test
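
The account-name forms above can be checked mechanically, for example when reviewing who sits in a privileged group. The following is an added example, not code from U-M: the prefix registry and the group membership in the test are constructed, the category labels are hypothetical, and treating any number other than 1 or 2 (including multi-digit numbers) as an OU administrator suffix is an assumption.

```python
import re

UNIQNAME_RE = re.compile(r"[a-z]{3,8}")         # uniqname: 3 to 8 alpha characters
SUFFIXED_RE = re.compile(r"([a-z]{3,8})(\d+)")  # uniqname followed by a number suffix

# Constructed sample registry of organization prefixes (lower-cased).
REGISTERED = {"chem", "math", "psyc", "lsa"}


def classify_account(name, registered=REGISTERED):
    """Map an AD account name to the category its form implies under this standard.

    Category labels are hypothetical names chosen for this example.
    """
    n = name.lower()
    if UNIQNAME_RE.fullmatch(n):
        return "uniqname"
    m = SUFFIXED_RE.fullmatch(n)
    if m:
        # 1 = Domain Administrator, 2 = Server Administrator,
        # any other number = OU Administrator (assumption for multi-digit numbers).
        return {"1": "domain-admin", "2": "server-admin"}.get(m.group(2), "ou-admin")
    head, sep, tail = n.partition("-")
    if sep and tail:
        # A registered prefix wins over a uniqname reading: "chem" is also 4 letters.
        # Department-named OU admin accounts also land here; the name alone
        # cannot tell them apart from other dept- accounts.
        if head in registered:
            return "dept-other"
        if UNIQNAME_RE.fullmatch(head):
            return "uniqname-other"
    return "nonconforming"


def audit_group(members, expected, registered=REGISTERED):
    """Return members of a privileged group whose name form is not the expected category."""
    return [m for m in members if classify_account(m, registered) != expected]
```

Feeding `audit_group` the member list of a domain administrators group with `expected="domain-admin"` returns the accounts whose names do not follow the uniqname1 form.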

Security and Distribution Groups

A Windows Active Directory group may be one of six types. Two broad categories, "security" and "distribution," define the general type of the group. Each of these two types is further defined as either "domain local," "global" or "universal". See the Microsoft paper Active Directory User, Computers and Groups for a more detailed explanation of Active Directory groups. In practice, most groups created are of the default "global security" type. Because "universal" groups are replicated across the network to each domain in the forest, they should only be used in cases where cross-domain membership is needed. Try to use global and domain local groups wherever possible.

The U-M naming standard for Active Directory security and distribution group names is a suggested standard, and not enforced. After some initial experience with an overly complicated group naming standard, we've now settled on a simple two-part standard:

OrgPrefix-DescriptiveName

  • OrgPrefix
    An official organization prefix, or some other prefix indicating the scope of the group. Examples: chem, psyc, umroot, forest, all
  • DescriptiveName
    Any text which describes the group. Consider not using spaces in the name, since they must be "quoted" when referring to the group name in certain contexts. Examples: web-admins, ClassCalc101

OrgPrefix-DescriptiveName Examples:

  • chem-professors
  • lsa-mailbox-admins
  • forest-web-admins
  • all-ouadmins

Group Policy Objects

The naming convention for Group Policy Objects is to use a departmental prefix for all Group Policy names, for instance "math staff policy" or "psyc lab 460 policy." Using Group Policy names prefixed with your U-M Windows Organization Prefix will reduce the likelihood that similarly named Group Policy objects will be confused with one another. Departmental prefixes should be chosen from the U-M Windows Organization Prefixes section below.

U-M Windows Organization Prefixes

A large number of U-M organizations, large and small, participate in the U-M Windows forest. Most of the administrative responsibilities in the forest are delegated to administrators around campus, who create Windows resources, with their associated names. The purpose of the U-M Windows naming standard for organization prefixes is to maintain an orderly forest, to ease the recognition of Windows resources, and to avoid the chaos of naming collisions. Please note that these U-M Windows organization prefixes are completely independent of any other list of organization codes on the U-M campus.

A U-M Windows organization prefix is just a 2–8 character string. The string must start with a letter, A–Z, and all other characters must either be letters, A–Z, or numbers 0–9. A campus organization may request multiple prefixes, which may be used for sub-units, or for other purposes. Each organization prefix must be registered with the U-M Windows forest administrators to ensure that the same prefix is not being used by two separate units.
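
A check of NetBIOS computer names against the prefix format above and the computer-name standard earlier on this page. This is an added example, not code from U-M: the registry contents are constructed and the function names are hypothetical. Because the dash is optional, the prefix is found by longest match against the registry rather than by splitting on "-".

```python
import re

# Prefix format from this page: 2-8 characters, first a letter, rest letters or digits.
PREFIX_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{1,7}")
NETBIOS_MAX = 15  # length limit of the "pre-Windows 2000" (NetBIOS) computer name

# Constructed sample registry; the real list is the U-M Windows Organization Prefixes table.
REGISTERED = {"LNG", "CHEM", "MATH", "PSYC", "LS", "LSA"}


def is_valid_prefix(prefix):
    """True if the string satisfies the organization-prefix format rules."""
    return PREFIX_RE.fullmatch(prefix) is not None


def match_prefix(name, registered=REGISTERED):
    """Return the longest registered prefix that starts the name, or None.

    Prefixes are tried longest first so that "LSA-WEB01" resolves to LSA,
    not LS. Comparison is case-insensitive.
    """
    upper = name.upper()
    for prefix in sorted(registered, key=len, reverse=True):
        rest = upper[len(prefix):].lstrip("-")
        if upper.startswith(prefix) and rest:
            return prefix
    return None


def check_computer_name(name, registered=REGISTERED):
    """Return a list of findings for a NetBIOS computer name (empty if none)."""
    findings = []
    if len(name) > NETBIOS_MAX:
        findings.append(f"longer than {NETBIOS_MAX} characters")
    prefix = match_prefix(name, registered)
    if prefix is None:
        findings.append("no registered organization prefix")
    elif not name.upper().startswith(prefix + "-"):
        findings.append("dash after prefix omitted (allowed, not recommended)")
    return findings
```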

The table linked below lists current, registered U-M Windows organization prefixes. When a department joins the forest as a delegated OU, they choose an organization prefix. To register a new prefix, contact the ITS Service Center, stating the requested prefix(es) and the name of your U-M organization.

See the U-M Windows Organization Prefixes table for easy reference.