WPaaS Active Directory Considerations

This page describes the Active Directory design for Windows Platform as a Service (PaaS).

Active Directory Design

Active Directory Naming Conventions

Use of Active Directory should conform to the Naming Standards for the U-M Windows Forest. All computer names should be prefixed with a registered unit organization prefix followed by a "-" character. The use of a unit prefix aids in identifying the support group responsible for a device and helps ensure that device names are unique. Units with a long organization prefix may consider registering a short prefix to make it easier to create computer names that fit within the 15-character limit imposed by Windows. Consult the U-M Windows Organization Prefixes table to see which prefixes are available.

Organizational Unit Structure

Computers managed in Windows Platform as a Service are created in the UMROOT domain in UMICH.EDU. Each Windows PaaS unit has an organizational unit (OU) under the following Active Directory path:

adsroot.itcs.umich.edu/UMICH/Products/EUC/PAAS/Computers/Win10

Administrators may create sub-OUs under the unit OU.

Active Directory Groups

Several Active Directory groups are created by ITS for each PaaS unit:

  • EUC-PaaS-<unit>-Catalog-Users: Members of the Catalog Users group can install software from the self-service catalog via the Software Center application. Adding accounts to the Catalog Users group is an easy way to give users control of application installs on their devices.
  • EUC-PaaS-<unit>-OUAdmins: Members of the OUAdmins group can manage objects in the unit's PaaS OU(s). Members of the OUAdmins group can also link Group Policy Objects (GPOs) and create sub-OUs.
  • EUC-PaaS-<unit>-Admins: Members of the Admins group have administrative access to all of the unit's Windows PaaS computers. The EUC-PaaS-<unit>-Admins group is added to the local Administrators group on each computer.

Group Policy Considerations

A set of standardized settings managed by ITS is deployed to all PaaS computers via GPOs linked to the PAAS/Computers/Win10 OU.

Units may link GPOs to the unit OU or to any sub-OUs. Blocking group policy inheritance on these OUs is discouraged: several settings deployed in the ITS-managed GPOs are required for the SCCM client to function properly.
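The following PowerShell is an added example, not ITS-provided tooling, that audits one unit's PaaS OU subtree for the two points above: computer names that do not follow the "<prefix>-" convention or exceed 15 characters, and OUs on which group policy inheritance has been blocked. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the caller has read access to the unit OU (OUAdmins membership is sufficient), and that the unit OU's distinguished name is passed in; the default value is derived from the path on this page with a hypothetical unit leaf OU.

```powershell
# Added example (not part of the ITS page). Requires RSAT: ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-PaasComputerName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $UnitPrefix   # registered organization prefix (see the prefixes table)
    )
    # Windows limits NetBIOS computer names to 15 characters.
    if ($Name.Length -gt 15) { return "too long ($($Name.Length) > 15)" }
    # Convention on this page: "<prefix>-<rest>"; -match is case-insensitive by default.
    if ($Name -notmatch "^$([regex]::Escape($UnitPrefix))-.+$") { return "missing '$UnitPrefix-' prefix" }
    return $null   # compliant
}

function Get-PaasUnitAudit {
    param(
        [Parameter(Mandatory)] [string] $UnitPrefix,
        # Default DN is derived from the page's path; the unit leaf OU name is an assumption.
        [string] $UnitOu = "OU=$UnitPrefix,OU=Win10,OU=Computers,OU=PAAS,OU=EUC,OU=Products,OU=UMICH,DC=adsroot,DC=itcs,DC=umich,DC=edu"
    )
    $findings = @()

    # Subtree search returns the unit OU itself plus every sub-OU an OUAdmin created.
    foreach ($ou in Get-ADOrganizationalUnit -SearchBase $UnitOu -SearchScope Subtree -Filter *) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName
        if ($inh.GpoInheritanceBlocked) {
            $findings += [pscustomobject]@{
                Object = $ou.DistinguishedName
                Issue  = 'GPO inheritance blocked; ITS settings linked at PAAS/Computers/Win10 will not apply here'
            }
        }
    }

    # Every computer object in the subtree is checked against the naming convention.
    foreach ($c in Get-ADComputer -SearchBase $UnitOu -SearchScope Subtree -Filter *) {
        $why = Test-PaasComputerName -Name $c.Name -UnitPrefix $UnitPrefix
        if ($why) {
            $findings += [pscustomobject]@{ Object = $c.DistinguishedName; Issue = "name '$($c.Name)' $why" }
        }
    }
    return $findings
}

# Usage (hypothetical prefix): Get-PaasUnitAudit -UnitPrefix 'XYZ' | Format-Table -AutoSize
```

An empty result means every OU in the subtree still inherits the ITS-managed GPOs and every computer name fits the convention; the name check does not confirm that the prefix is actually registered, so consult the prefixes table for that.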