As you all hopefully know, the university is working on unifying all Active Directory accounts as a part of the identity management initiative. Here are a few things you should know in order to support our customers during and after this transition.
Look in RefTool to see if an account is unified.
Unified means they have ONE account, in ONID.
Password resets are via the ONID password reset tool.
Directory updates happen via Banner data.
What is Account Unification?
From the customer’s perspective, account unification means they have one set of credentials to login to most university services. They will use the same username and password to login to email, VPN, OSU Online services, etc.
From an IT perspective, a unified account means the following:
- It is like a traditional “ONID” account:
- It is automatically created via scripts from Banner data.
- The customer activates their account when they become a new student or employee.
- It is synchronized between ONID LDAP, the ONID Active Directory domain, Google, and Office 365 (same username and pass for all of these).
- Directory information such as name, phone number and office are populated from Banner (and need to be updated there if they are wrong).
- Password resets are self-service via the ONID password reset tool.
- An IT unit on campus has claimed the account, and has administrative access to it.
- The AD account may or may not have an Exchange mailbox attached to it. If it does, the ONID email address will not be listed in the Exchange Global Address List (GAL).
Note: for undergraduate students, account unification doesn’t have any particular meaning, because they typically only had one AD account to begin with (the ONID one).
Is This Account Unified?
In RefTool, you can see whether an account has been unified. Because unification has no impact on undergraduate students, nothing will be listed for them.
So far, the following groups have been unified: Library, Information Services, College of Ag Sciences.
All units should be unified by January 2016.
User Principal Name (UPN)
We are requiring everyone to set their UPN to the new standard as part of the account unification process. People might be confused about how to login after this.
The UPN is another account logon type, in the format email@example.com.
The UPN is unique in the AD forest, whereas usernames can be repeated (i.e. you can have forestry\bob and onid\bob and they can be different people, but there is only one firstname.lastname@example.org).
Because the UPN looks like an email address, we decided to make sure that everyone also has an email alias that matches their email@example.com UPN. However, that email alias may not be the person’s primary alias, the one they send email from.
For example, my attributes are as follows:
additional SMTP: firstname.lastname@example.org
SIP address: email@example.com
In many places you can login either as domain\user or firstname.lastname@example.org. Office 365 requires you to login with the UPN.
The SIP address is used for Lync, and does not have a standard format yet (unfortunately). Changing the SIP address is a problem – it causes the person to disappear from other people’s contact lists.