
Active Directory Data Administration

User Creation & Maintenance

Contents
Creating a User Account with AD Users and Computers.............................................3
To create a new user account..................................................................................... 3
User Logon Name (user principal name).................................................................4
Pre-Windows 2000 logon name (samaccountname)................................................4
Account Password.................................................................................................... 5
Password never expires........................................................................................ 6
User Properties or Attributes...................................................................................... 6
General Tab............................................................................................................. 7
Display Name....................................................................................................... 7
Description........................................................................................................... 7
Office.................................................................................................................... 8
Telephone Number............................................................................................... 9
E-mail................................................................................................................... 9
Web Page............................................................................................................. 9
Address Tab........................................................................................................... 10
Account Tab........................................................................................................... 10
Profile & Member Of Tabs...................................................................................... 11
Telephone Tab........................................................................................................ 11
Organization Tab.................................................................................................... 12
Company............................................................................................................ 12
GroupCompany.................................................................................................. 12
EmployeeID........................................................................................................ 16
Terminal Services Profile Tab................................................................................. 16
Environment Tab.................................................................................................... 16
Sessions & Remote Control Tab.............................................................................16
COM+, Security, Published Certificates, Password Replication, Dial-In, Object & Attribute Editor Tab........ 16

Creating a User Account with AD Users and Computers


Failure to follow these standards will result in broken processes, failed
authentications, a poor user experience for this person, and a substantial
amount of work for IT to fix. Please comply with the standards from the start to
avoid these difficulties.
Please also note that the data standards for users also apply when a user's
data changes, for example a name change or a company change. IT is responsible
for keeping the data in the user object up to date.
If any of the data required below conflicts with any local privacy laws, please
contact I&O.
The Active Directory Users & Computers MMC tool will be available to you if you build
an admin workstation according to our GroupM guidelines, which are documented
here. Once installed and configured properly it will be available under
Administrative Tools.

To create a new user account


1. Right-click the appropriate Users organizational unit, choose New, and then
click User, or click New User on the snap-in toolbar.

2. Type user information as below:

The First and Last name fields should correspond to the user's official business
identity. Only the ASCII standard character set can be used; characters
containing accents cannot be used. The names used here must be consistent
across the e-mail address and logon names. Note that the Full name is
automatically filled in after you enter the First and Last names. The Initial field
should only be filled in if the user's e-mail address includes the initial. If the user's
Initial field is filled in, the e-mail address should be
firstname.middleinitial.lastname@company.com, for example
john.f.kennedy@wppgts.com.

User Logon Name (user principal name)


The User Principal Name or UPN is the logon name that came into use with
Active Directory and Windows 2000. For compatibility's sake the old NT4-style logon
is still supported, but this logon name is often more intuitive for the user, because
the format of the UPN is very similar to the e-mail address. Because of this
we are making it a requirement to set the User logon name to the user's e-mail
address, which should be firstname.lastname. From the dropdown list that says
@ad.insidemedia.net, select the user's e-mail domain, such as groupm.com.
This is critical! If the user's UPN does not match the e-mail address then their
authentication to the e-mail service will be a problem. The user's domain name
must match the company they are assigned to; this is used for determining access
to certain company resources. The user principal name must be unique in Active
Directory, so for example you can have one account with the UPN of
John.Smith@groupm.com and another with John.Smith@maxus.com, but you cannot
have two accounts with a UPN of John.Smith@maxus.com.
The Exchange Online Service uses this field for identifying and authenticating the
user.

Pre-Windows 2000 logon name (samaccountname)


This is the old NT-style logon name; it is often used together with the domain name, for
example AD\Jim.Katoe. This field is used by many legacy applications. Global IT
uses it in many infrastructure processes such as mail migration. Adhering to these
standards ensures that you will minimize problems for your users.
The user logon name (pre-Windows 2000) should be Firstname.Lastname: the
first (given) name, a period, then the last (sur)name, for example
jim.katoe, Vincent.fusco, sutthisin.sirachotes (Sutthisin's surname is Sirachotesophol,
but that exceeds the 20-character limit).
Conflicts will be handled by using a unique number as the last or 20th character, for
example jim.katoe1, Vincent.fusco1, sutthisin.sirachote1 (the 20th character is changed to a
unique number). Alternatively a middle initial can be used.

Compound Names
If the user has multiple first names or multiple last names, and they are part of the
e-mail address, then they should be included in the appropriate field. For example,
Billy Bob Thornton would have Billy Bob in the First name field (notice the space).
Ernest van den Haag would have Ernest in the First name field, and van den
Haag in the Last name field. This is very important. For the E-mail Address, User
Principal Name, and pre-Windows 2000 logon name a space is not allowed in
compound names; remove the space in this situation. So Billy Bob Thornton's
e-mail address would be billybob.thornton@media.com, his user principal name
would be the same, and the pre-Windows 2000 logon name would be billybob.thornton.
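The naming rules above (ASCII-only names, spaces removed from compound names, the UPN equal to the e-mail address, the 20-character sAMAccountName limit and the unique-number conflict rule), put together as an added PowerShell example that is not part of the original document; the function name and the `ExistingSamAccountNames` parameter are assumptions for running it offline.

```powershell
# Added example, not part of the GroupM document: derive the e-mail address, UPN and
# pre-Windows 2000 logon name (sAMAccountName) from a user's official names.
# The set of logon names already in use is passed in for this offline run; in
# production that lookup would be a Get-ADUser -Filter query against the domain.
function New-StandardLogonName {
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        [string] $Initial = '',
        [Parameter(Mandatory)] [string] $MailDomain,      # the user's e-mail domain, e.g. groupm.com
        [string[]] $ExistingSamAccountNames = @()
    )

    # Only the ASCII standard character set is allowed; accented characters are rejected.
    foreach ($s in @($FirstName, $LastName, $Initial)) {
        if ($s -match '[^\x20-\x7E]') { throw "'$s' contains characters outside the ASCII standard set." }
    }

    # Compound names keep their space in the First/Last name fields, but the space is
    # removed for the e-mail address, UPN and pre-Windows 2000 logon name.
    # Logon names are case-insensitive in AD, so they are normalised to lower case here.
    $first = ($FirstName -replace '\s', '').ToLowerInvariant()
    $last  = ($LastName  -replace '\s', '').ToLowerInvariant()
    $mid   = ($Initial   -replace '\s', '').ToLowerInvariant()

    # E-mail is firstname.lastname, or firstname.middleinitial.lastname when the
    # Initial field is filled in; the UPN must equal the e-mail address.
    $upn = if ($mid) { "$first.$mid.$last@$MailDomain" } else { "$first.$last@$MailDomain" }

    # sAMAccountName is firstname.lastname, cut to the 20-character limit.
    $sam = "$first.$last"
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Conflicts: a unique number becomes the last (or, at the limit, the 20th) character.
    $candidate = $sam
    $n = 1
    while ($ExistingSamAccountNames -contains $candidate) {
        $suffix = [string]$n
        $base = if (($sam.Length + $suffix.Length) -gt 20) { $sam.Substring(0, 20 - $suffix.Length) } else { $sam }
        $candidate = "$base$suffix"
        $n++
    }

    [pscustomobject]@{ SamAccountName = $candidate; UserPrincipalName = $upn; Mail = $upn }
}

# Constructed sample: 'sutthisin.sirachotes' is already taken, so the 20th character becomes a
# unique number; Billy Bob Thornton's compound first name loses its space.
$taken = @('jim.katoe', 'sutthisin.sirachotes')
New-StandardLogonName -FirstName 'Sutthisin' -LastName 'Sirachotesophol' -MailDomain 'groupm.com' -ExistingSamAccountNames $taken
New-StandardLogonName -FirstName 'Billy Bob' -LastName 'Thornton' -MailDomain 'media.com'
```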

Note: All user accounts must correspond to an actual person. Generic
accounts are not allowed, and test accounts must be strictly documented.
Service accounts are a strictly controlled and documented exception in
certain cases. Any accounts that do not conform to these rules may be
deleted on the spot.
Click Next to proceed.

Account Password
Type a password in both the Password and Confirm password boxes and click
Next. It must meet the password complexity requirements set up for the domain.
NEVER use Password never expires! This is against our security and compliance
policies and we do run audits for this condition.
The password must be at least 8 characters long and meet 3 out of the following 4
requirements:

Uppercase letter
Lowercase letter
Number
Special characters

User must change password at next logon should remain checked.
User cannot change password should not be checked.
Password never expires
This should NEVER be checked. This will flag the account on SOX audits. The entire
domain is checked by an automated script every month. Before audits the entire
domain is checked by a third-party service. If you set a password to not expire, and it
causes a problem on that audit, our Quest ChangeAuditor product records who took
what action in Active Directory and you will have to explain to the auditor and to
business management why you did not follow the documented standards and
endangered the company.
Account is disabled should not be checked for active accounts, as this will prevent
the user from logging in.
Click Next when these fields are complete.

4. Accept the confirmation in the next dialog box by clicking Finish.

User Properties or Attributes


You have now created an account. But additional information about this user is
required for everything to function properly:

5. Select Users in the left pane of the AD U&C window, right-click the user you just
created in the right pane, and then click Properties.

6. Add more information about the user in the Properties dialog box on the
General tab as shown in Figure 5 below, and click OK. You are provided with this
selection of optional entries. Click each tab you want to go to and enter the
appropriate info.

General Tab
Display Name

On the General tab you see many of the fields you just entered, such as the names.
You will also notice the Display Name. This is generated initially by taking the
contents of the First name field, adding a space, and then adding the Last name
field. If there are any changes to the first or last names later, make sure you
change the Display Name as well. Just like the First and Last name fields, only the
ASCII standard character set can be used. Characters containing accents
cannot be used.
Description
This field is free to be updated as you like. However, it is also used for essential system
processes. SecureClient VPN Groups are automatically created by adding
any user that has |SecureClient| in this field. We also have an automated process
that cleans up AD, as shown below:
Any user account that has not had its password changed within 90 days (39 days past our
requirement) will be disabled.
Any computer account that has not contacted the domain in over 120 days will be disabled.
Any user account that has not had its password changed within 120 days will be
deleted.
Any computer account that has not contacted the domain in over 150 days will be deleted.

Exceptions
It is possible to circumvent this process. However, if you choose to circumvent it,
please understand that you may be required to explain or provide documentation for why you are
circumventing a security process that your company is depending on for regulatory
purposes. Circumventing the process would be understandable if the user is on extended
leave for maternity, sabbatical, etc.
Here is how you prevent the process from disabling or deleting a user or computer account:
Modify the Description field of the user or computer account in AD to contain this term
EXACTLY - "|nodisable|" - and additionally include your reason for not disabling or deleting
the user.
Note:
Once a computer account is disabled, users on that computer can no longer log into AD, and
the computer will no longer process GPOs. But since this computer has not contacted AD,
this should not matter.
Any account disabled by this process will have its Description updated to denote that it was
disabled by the automatic process.

Office
The Office field is important for the Office Directory and our Software Licensing
procedures. Only specific values should be entered here and no typos are allowed.
Those values are visible in AD U&C under the Offices OU. This value must be added
by Local IT to the user account or the software reporting functions will fail and the
user will not show up in the office directory.

Telephone Number
The telephone number field is crucial for GroupM's Global Directory. If it has the
wrong value the user's phone system will not work properly! The value in this field
must be the user's direct office telephone number. The number format used by this
field is the E.164 telephone number standard. This means it must begin with the +
sign, followed by the 1, 2 or 3 digit country code, followed by the phone number.
Any international phone should be able to dial this number. Even if you are not on
the Cisco IPT solution it is essential for your number to follow this format so that you
can be dialed by users who are. It will also be used by other systems such as
SharePoint, Jive and Unified Communications. The number must not contain spaces,
brackets or hyphens. A valid number would be +442079693400.
+44 20 7969-3400 or +44 (0) 20 7969 3400 are not valid values.
E-mail
This field is also important. This MUST match the user's current e-mail address and
UPN. It will be used by many applications and by Exchange. When the UPN or e-mail is
changed, this field must be updated as well.
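The checks this guide asks for on the General tab (E.164 telephone format, E-mail matching the UPN, no "Password never expires", and the 90/120-day password-age cleanup with its |nodisable| exception), combined into one added audit function that is not part of the original document; it runs over constructed sample objects, and the function name and property names are assumptions modelled on Get-ADUser output.

```powershell
# Added example, not part of the GroupM document: an audit of the user attributes this guide
# standardises, run here over constructed sample objects. In production the input would be
# Get-ADUser -Filter * -Properties mail,telephoneNumber,description,PasswordNeverExpires,PasswordLastSet
function Test-StandardUserAttributes {
    param([Parameter(Mandatory)] [object] $User, [datetime] $Now = (Get-Date))

    $findings = @()
    $desc = [string]$User.Description

    # E.164: a leading '+', then digits only (the country code never starts with 0,
    # at most 15 digits in total). Spaces, brackets and hyphens fail the check.
    if ($User.TelephoneNumber -and $User.TelephoneNumber -notmatch '^\+[1-9]\d{6,14}$') {
        $findings += "telephoneNumber '$($User.TelephoneNumber)' is not E.164 (expected e.g. +442079693400)"
    }

    # The mail attribute must match the UPN (Exchange Online identifies the user by the UPN).
    if ($User.Mail -ne $User.UserPrincipalName) {
        $findings += "mail '$($User.Mail)' does not match UPN '$($User.UserPrincipalName)'"
    }

    # 'Password never expires' is never permitted and is flagged on SOX audits.
    if ($User.PasswordNeverExpires) { $findings += 'PasswordNeverExpires is set' }

    # The monthly cleanup disables after 90 days and deletes after 120 days without a
    # password change unless the description contains |nodisable| (with a reason).
    $exempt = $desc -like '*|nodisable|*'
    if ($exempt -and $desc.Trim() -eq '|nodisable|') { $findings += '|nodisable| is set without a documented reason' }
    if ($User.PasswordLastSet -and -not $exempt) {
        $age = ($Now - $User.PasswordLastSet).Days
        if     ($age -ge 120) { $findings += "password unchanged for $age days: cleanup will delete the account" }
        elseif ($age -ge 90)  { $findings += "password unchanged for $age days: cleanup will disable the account" }
    }

    [pscustomobject]@{
        SamAccountName = $User.SamAccountName
        Compliant      = ($findings.Count -eq 0)
        Findings       = $findings
    }
}

# Constructed sample users (not real accounts): the first is compliant, the second
# breaks the phone format, the UPN/mail rule and the password policy.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jim.katoe'; UserPrincipalName = 'jim.katoe@groupm.com'; Mail = 'jim.katoe@groupm.com'
                       TelephoneNumber = '+442079693400'; Description = '|SecureClient|'
                       PasswordNeverExpires = $false; PasswordLastSet = $now.AddDays(-30) }
    [pscustomobject]@{ SamAccountName = 'vincent.fusco'; UserPrincipalName = 'vincent.fusco@maxus.com'; Mail = 'vincent.fusco@groupm.com'
                       TelephoneNumber = '+44 (0) 20 7969 3400'; Description = '|nodisable|'
                       PasswordNeverExpires = $true; PasswordLastSet = $now.AddDays(-100) }
)
$sample | ForEach-Object { Test-StandardUserAttributes -User $_ -Now $now } | Format-List
```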

Web Page
Leave this field alone, SharePoint will use it for mySites.

Address Tab

The Street, P.O. Box and State/province values should be (but do not have to be)
filled out with the correct values. Some of these values are managed by the
Whitepages process.
City
This field is mandatory. The City names are predefined and must be entered exactly
as defined in this SharePoint List. Any other value will result in problems with Jive;
e-mail archiving and message cleansing will not function correctly for the user. The
Country field must also be filled out.
Country
This field is mandatory. This field is also used for Jive, e-mail archiving and
automated functions within Exchange and AD. It is a drop-down list on the
Address tab.

Account Tab
This tab is used for general administration. Please see the Password never expires
section above.

Profile & Member Of Tabs


These tabs can be edited at the discretion of the local administrator. Please read
the GroupM Server Implementation Guide for requirements for scripts.

Telephone Tab
The Telephone tab can be edited at the discretion of the local administrator;
however, please keep in mind two issues. The phone numbers must all follow the
E.164 format. Be sensitive to our employees' privacy concerns and to local
government and works council requirements.
The Notes field is for the user, not for IT.

Organization Tab
The Department and Company attributes should be managed by the Local
Administrator. The Company value is critical to security and proper operations. If
this is improperly set, you will be providing this user access to the wrong company's
resources!
Company
The proper values for this field are saved in this Sharepoint List. Any other value
will result in problems with the mail and application systems.

GroupCompany
If this user is a member of a smaller company that is not on the Approved
Company Values SharePoint List above, then you must determine whether that
user's company is closely associated with one of the brands in the Approved
Company Values list. If they are close enough that this sub-company should be
allowed access to all the broadcast e-mails, the intranet and even file security for the
entire top-level company, then you should obtain approval from local business
management and the global communication director of that brand. Once that
approval is obtained, record it in this list. The Approved Group Company Values
list can be used for sub-brands, affiliates and JVs after following this process. But
these values cannot go in the Company attribute; they can be used in the
groupmcompany attribute.
Unfortunately the groupmcompany attribute is not usually available via the Active Directory
Users and Computers tool. It is not on the Organization tab. To access it in
ADUC, you must turn on Advanced Features by clicking on the View menu and then
selecting Advanced Features.

This will add additional tabs to the properties view of the user object. Select the
Attribute Editor Tab.

Under the Attribute Editor tab, scroll down until you find the GroupMcompany
attribute. Select it and click Edit.

At the edit screen enter the Approved Group Company Value.

Do not use this feature on other values. You risk destroying the user account.
If you are confused or the user is a member of an affiliate or JV, contact the Global
Infrastructure and Operations Team.
EmployeeID
Certain countries are using the EmployeeID with applications. To do this,
please register the application with Global IT so we can avoid conflicts and ensure
performance. For example, the US uses this with Concur for authentication, GTS
uses it for Timesheets, and Russia is using it as well. This field is hidden and has no
interface for editing, so you can use the Attribute Editor as shown above, or we
have built a small applet to manage this for you on a user-by-user basis. Contact
Global IT to request it.
We do have a standard for using this field. The EmployeeID should be the HR
number assigned to the user. Do NOT use this field if the HR number cannot be
publicly known, because this value will be available to anyone with access to AD.
However, because we typically have different HR systems in each country, we would
eventually face conflicts. To avoid this we reserve the first two characters for the
country, using the ISO 3166-1 codes. Where there is more than one HR system in a
country, the second HR system uses a 0 in the third character, the third uses a 1,
and so on. So my EmployeeID field should be US for the United States followed by my
HR number, for example US00001.
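The EmployeeID format just described, together with a scripted way of writing it and the groupmcompany attribute via Set-ADUser rather than the Attribute Editor, as an added example that is not part of the original document; it assumes the ActiveDirectory module, the function names are hypothetical, and the account name and group-company value are placeholders.

```powershell
# Added example, not part of the GroupM document: build an EmployeeID in the documented
# form (ISO 3166-1 alpha-2 country code, an HR-system digit for a second or later HR system
# in that country, then the HR number) and write it together with groupmcompany using
# Set-ADUser instead of the Attribute Editor. Requires the ActiveDirectory module; the
# account name and company value below are placeholders, and -WhatIf only previews the change.
function New-StandardEmployeeId {
    param(
        [Parameter(Mandatory)] [ValidatePattern('^[A-Z]{2}$')] [string] $CountryCode,  # e.g. US
        [Parameter(Mandatory)] [ValidatePattern('^\d+$')]     [string] $HrNumber,
        [ValidateRange(1, 11)] [int] $HrSystem = 1   # 1 = the country's first HR system
    )
    # The first HR system uses the bare HR number; the second puts a 0 in the third
    # character, the third a 1, and so on.
    $systemDigit = if ($HrSystem -gt 1) { [string]($HrSystem - 2) } else { '' }
    return "$CountryCode$systemDigit$HrNumber"
}

function Test-StandardEmployeeId {
    # Shape check only: two upper-case letters followed by digits, as in the document's US example.
    param([Parameter(Mandatory)] [string] $EmployeeId)
    return [bool]($EmployeeId -match '^[A-Z]{2}\d+$')
}

# The document's United States example, using the country's first HR system.
$id = New-StandardEmployeeId -CountryCode 'US' -HrNumber '00001'
if (-not (Test-StandardEmployeeId $id)) { throw "Non-standard EmployeeID: $id" }

# Placeholder identity and group-company value; employeeID and groupmcompany are the
# attribute ldapDisplayNames that -Replace writes. Remove -WhatIf to apply the change.
Set-ADUser -Identity 'PLACEHOLDER.USER' -Replace @{ employeeID = $id; groupmcompany = 'APPROVED-GROUP-COMPANY-VALUE' } -WhatIf
```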

Terminal Services Profile Tab


This tab can be edited at the discretion of local IT, but should be used rarely.

Environment Tab
This tab can be edited at the discretion of local IT, but in general should not be
used.

Sessions & Remote Control Tab


These tabs can be edited at the discretion of local IT, but in general it is better to
manage this on the Terminal Server where the settings can be uniformly applied to
all users.

COM+, Security, Published Certificates, Password Replication, Dial-In, Object & Attribute Editor Tab

These tabs should not be adjusted without contacting Global IT.
