University Active Directory (AD) Service

University Active Directory (AD) Service

University AD Service is an implementation of Microsoft Active Directory.  It gives participating departments the benefits of using centralized authentication and authorization using CUHK accounts (a.k.a. CUHK Login with @cuhk.edu.hk, @link.cuhk.edu.hk as login ID and Onepass Password) to access computers on campus while allowing for delegated administration of local computing resources.

Available to

Departments

Service Charge and Application

The use of the service is free of charge as the Windows AD infrastructure is centrally funded. However, departments are responsible for the setup and operation cost of the Privileged Access Workstations (PAW) which are required for department IT to do AD administrative works for the department.

Service Availability

24 X 7

 

1. Features

ITSC manage the University Active Directory (CUHKAD) and provide the following key features:

  • Managed Infrastructure: ITSC manage and support the Windows AD infrastructure including domain controllers and ADFS. They also monitor the environment 24/7 and provide a secure environment for domain controllers. The savings for departments in asset costs and support staff overhead can be significant.
  • Centralized and Automated Account Management: Staff and student accounts creation and termination are based on Human Resources (CUPIS) and Student (CUSIS) records data. Account passwords integrate with OnePass passwords. Groups created and maintained are for common use.
  • Authentication and Authorization: It supports the use of CUHK accounts, including accounts of all staff and students, for authentication and authorization.
  • Consistent experience provided across campus: Staff and students can use the same CUHK accounts to login to University AD joined computer laboratory. For example, a student can use the same CUHK account to login the PC systems in User Area (1/F Pi Chiu Building), Learning Commons (6/F Wu Ho Man Yuan Building) and also the University AD joined computers provided by her department.
  • Delegation of Administration: Once participated, department IT administrators will have control on their departmental AD OU. They can create local groups, assign group policies, deploy software, and apply updates to their computers participating in AD.
  • Increased Security: Participating departments are required to follow best security practices in using and managing the domain-joined systems. These include granting CUHK accounts with a normal user right without admin privilege, randomization of the password of local admin account and the use of Privileged Access Workstation (PAW) for AD administrative works.

 

2. Documents