Frequently Asked Questions

This document is intended as an index of all the frequently asked questions.

Directly below you’ll find links to topical documents which cover different categories of questions. Under each topic, you’ll find every question addressed in the document for that topic. Each question is linked directly to the location where the question is addressed. We welcome suggestions as to additional questions that should be added.

AD Terminology

• What is a domain?
• What is an OU?
• What is a tree?
• What is a forest?
• What is a site?
• What is a schema?
• What is Active Directory?
• What is a global catalog server?
• What is the top-level domain or forest root domain?
• What is group policy or a GPO?
• What is the group policy loopback feature?
• What is an ACL or access-control list?
• What is an ACE or access-control entry?
• What is a SID?

Entra ID Terminology

• What is a tenant?
• What is an Entra ID directory?
• What is an Entra ID domain or accepted domain?
• What is the Entra ID Security Token Service (STS)?
• What is Entra ID B2B?
• What is Azure AD B2C?
• When signing in, why do I get a question about which account I want to use? What is a Microsoft account? What is a ‘Work or school account’? Which do I use?
• What is Entra ID External Users or Guests?
• What is Azure RMS?
• What is Azure MFA (AzMFA)?
• What is Entra ID Application Proxy (AAD-AP)?
• What is Entra ID Roles Based Access Control (RBAC)?
• What is Entra ID Administrative Units (AUs)?
• What is Entra ID Roles?
• What is Microsoft Graph API?
• What is Entra ID Workplace Join?
• What is Entra ID Device Join?
• What is the Entra ID Device Registration Service?
• What is Mobile Device Management (MDM)?
• What is Entra ID Cloud App Discovery?
• What is Microsoft Enterprise Data Protection (EDP)?
• What is Entra ID Privilege Identity Management (PIM)?
• What is Microsoft Passport?
• What is Entra ID Applications?
• What is the difference between an Entra ID Application and an Entra ID Service Principal?
• What is Entra ID Conditional Access?
• What is the difference between an Organizational Account and a Microsoft Account?
• What is password vaulting?
• What is ADAL, Katana, or OWIN?

Cross Forest or Trust Scenarios

• How does a cross-forest trust work?
• What happens with global catalogs cross-forest?
• What happens with group memberships cross-forest?
• How does Group Policy and Logon Scripts work cross-forest?
• How does the Windows Address Book work cross-forest?
• Is SID Filtering relevant to forest trusts?
• For cross-forest trusts, on which DCs does auditing occur? i.e. when I log in, what security events are logged where?
• For trusts, how does the selective auth functionality work & is it useful for us?
• How do I enable the @uw.edu UPN across a forest trust to the NETID domain?
• I’ve emptied my Windows domain, except for the domain controllers. How should I remove my Windows domain?
• I want to setup a Windows-based VPN server for NETID users in my Windows domain using a trust. How do I do that?
• How do I make use of NETID groups across a trust?
• I’m having problems connecting to the NETID domain controllers (or some other system). What do you suggest?

End User Help

• How can I remotely access my Windows computer?
• I recently changed my name.  Why hasn’t my new name shown up in the NETID domain, the Exchange Address Book, Sharepoint, Sharepoint Online, OneDrive for Business, Skype for Business, or our Entra ID tenant?
• Why can’t I see what groups my friends and co-workers are in?
• My password doesn’t seem to work.  How can I fix this?
• I changed my UW NetID password but only my old password works on my computer at home. What is going on?
• How do I configure my workstation so I can login interactively with my NETID user account?
• I can login on some computers but not others. Why is this happening?
• I can login with my NETID user account, but I can’t access resources on a server even though I’ve granted that account access. What’s wrong?
• What should my LmCompatibilityLevel settings be?
• How do I limit access to a share or folder to students in a particular course?
• How do I limit access to a Web page to just faculty and staff?

OU Guidance

• What can I do with a delegated OU? Why should I use it? What are the benefits?
• What groups don’t I want to use anymore?
• What things should I be aware of if my existing departmental domain has trusts to another domain?
• My existing departmental domain has a password policy. How can I use the NETID domain without that?
• How do I recover local admin privs on a computer in a delegated OU?
• Can OU Admins create arbitrary users in their delegated OU? Don’t UW NetIDs cost money?
• Can UW NetIDs for people not formally affiliated with the UW, like visitors, be created?
• Aren’t UW NetIDs limited to 8 characters? Doesn’t that mean NETID users are limited?
• When do the NETID user accounts for students go away? How do I deprovision access to our computers?
• Can a user have more than one support org? Can IT staff be assigned to more than one support org? Can students choose support orgs?
• How do I create Group Policy Objects for users? Can I edit GPOs? Are there any GPO restrictions?
• What if we need help with a delegated OU outside business hours?
• Can we still get audit data? Can we find out who added a user? How about notification of user compromise?
• How do we find out when an employee leaves the university or changes departments and incorporate it into our OU?
• We need a temporary extension on these automated affiliation processes. How do we go about that?
• If we want to write our own scripts to modify user settings, is this supported?
• What group namespace do we use?
• As domain administrators, can you agree to not give yourself access to files without notifying the legally authorized users?
• Can NETID users and groups be used as SQL server logins?
• Will you support Read Only Domain Controllers?
• I don’t seem to be able to create a GPO in our delegated OU. I right-click on the OU and go to properties, Group Policy, and get an error: Access denied. Is this not the way to create GPOs in our delegated OU?
• How do I get mycomputer.netid.washington.edu registered in DNS?
• How do I get my computer’s DNS name correctly configured in the NETID domain?
• How do I use group policy to set primary DNS suffix?
• After trying to fix my DNS suffix value, upon boot some of my computers report the following error: “The security database on the server does not have a computer account for this workstation trust relationship.” What should I do?
• Why can’t I use my Admin UW NetID with the Groups Service? How do I administrate groups that need a higher level of security?
• What is recommended for a service account for an application running in NETID Active Directory?
• What is the order of group policy processing?

Services and the NETID domain

• Can Sharepoint be run in the NETID domain? Or run cross-forest with the NETID domain?
• Should I use Entra ID, Shibboleth, Pubcookie, or NETID domain-based Integrated Windows Authentication with my Windows web application?
• Where can I find NETID user accounts or groups? Will it always be in that location?
• How do I get a Windows Server cluster setup in the NETID domain? I keep getting errors …
• How do I get a SQL Cluster setup in the NETID domain? I know you’ve got a general cluster FAQ, but what about allowing the cluster services to manage the cluster node object (CNO)? Can you just grant me the ability to modify permissions?
• Why do we have an expired cert for EFS, Encrypting File Services?
• How can we use RDS (Remote Desktop Services) in the NETID domain?
• Who can use RDS or connect to virtual desktops?
• How can we use DFS (Distributed File System) in the NETID domain?

System Center

• How is the System Center suite licensed at the UW?
• Can I install System Center Configuration Manager (SCCM) in NETID?
• Is or will SCCM be available in NETID?
• Will I be able to get delegated permissions in SCCM over my computers?
• Doesn’t <insert name of some university here> have a delegated SCCM model?

Windows Security

• How does the Windows authentication mechanism work? And how does Windows authorization work?
• Are other types of authentication allowed besides Kerberos?
• How does the authentication mechanism get chosen?
• What’s the LmCompatibilityLevel setting and what do I set it to?
• How do I reconfigure NTLMv1 on my computer so it will work with the NETID domain?
• How does someone in my department get access to files on someone else’s computer in another department?
• Can I restrict everyone except members of my department from logging into our department’s workstations?
• How do we handle students who walk away from public workstations leaving themselves logged on? Can we set kerberos ticket lifetimes?
• How do I prevent users from running certain applications on my computers?
• How do I make use of NETID groups across a trust?
• What is SDDL?