
Active Directory Services

Enterprise Active Directory Forest (AD)

The Enterprise Active Directory Forest (AD) is open to all Johns Hopkins Institutions.  A delegated administrative model is in place which enables the IT departments to continue providing support for their customers, applications, and resources.  The user accounts in the directory are automatically provisioned and de-provisioned from the Johns Hopkins Enterprise Directory (JHED).

Accounts in AD use the JHED ID (LID)

The format used to create a LID is as follows: the first character in the first name, up to the last six characters in the last name followed by a number. JHED IDs take the form jdoe112.

  • First Name : John
  • Last Name: Doe
  • JHED ID = Jdoe112

AD passwords follow the Institutional Password Policy

  • Password cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Passwords must be at least 8 characters long
  • Password must contain characters from three of the following four categories:
    • Alphabetic uppercase characters (A through Z)
    • Alphabetic lowercase characters (a through z)
    • Numeric characters (0 through 9)
    • Non-alphabetic characters (Example: !, $, #, %)
  • Password must be different from your four most recently used passwords.
  • Passwords expire in 182 days.
  • Password can be changed at any time.
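
The length, category and name rules above can be checked before a password is submitted. The following Python is an added example, not code from Johns Hopkins or from Active Directory itself; the function names are hypothetical, and it assumes that "parts of the user's full name that exceed two consecutive characters" means any run of three consecutive characters taken from a word of the full name. The history and expiry rules need stored state and are not covered.

```python
import re

MIN_LENGTH = 8            # "at least 8 characters long"
REQUIRED_CATEGORIES = 3   # "three of the following four categories"

def character_categories(password):
    """Return which of the policy's four character categories are present."""
    found = set()
    for ch in password:
        if "A" <= ch <= "Z":
            found.add("upper")
        elif "a" <= ch <= "z":
            found.add("lower")
        elif "0" <= ch <= "9":
            found.add("digit")
        else:
            # Assumption: anything outside A-Z, a-z, 0-9 is the fourth category.
            found.add("non-alphabetic")
    return found

def name_fragments(full_name, run=3):
    """Every run of `run` consecutive characters from each word of the name."""
    fragments = set()
    for word in re.split(r"[^a-z0-9]+", full_name.lower()):
        for i in range(len(word) - run + 1):
            fragments.add(word[i:i + run])
    return fragments

def check_password(password, account_name, full_name):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    lowered = password.lower()  # name checks are done case-insensitively
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if len(character_categories(password)) < REQUIRED_CATEGORIES:
        problems.append("fewer than three character categories")
    if account_name and account_name.lower() in lowered:
        problems.append("contains the account name")
    hits = sorted(f for f in name_fragments(full_name) if f in lowered)
    if hits:
        problems.append("contains part of the full name: " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    # Constructed candidates for the page's sample user (John Doe, jdoe112).
    for candidate in ("Summer2024!", "Johnny#99", "abcdefgh", "xJDOE112!x"):
        print(candidate, "->", check_password(candidate, "jdoe112", "John Doe") or "ok")
```
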

What is needed to participate?

Typically, IT organizations have their own Windows Active Directory Forest. Since user objects are automatically synchronized from JHED into AD, almost all of your user objects are already in AD, but a migration of the workstations and servers is required.

Where can I get more information?

The Enterprise Services Group holds a monthly meeting on the second Wednesday of the month from 11 am until noon. Phone and video conferencing is available. You can e-mail the Active Directory Support Team at to request to be added to the OU Admins distribution list. The monthly AD meeting agenda, changes affecting the AD Forest and general info are sent to this distribution list.


The Windows 2003 Enterprise Active Directory design follows Microsoft-recommended best practices. The basic design contains a three-domain structure:

  • AD.JHU.EDU - dedicated empty forest root
  • WIN.AD.JHU.EDU - “working” Domain

AD.JHU.EDU is the first domain created in the forest that does not contain user or computer objects.

WIN.AD.JHU.EDU is located directly below the Dedicated Forest Root Domain (AD.JHU.EDU).  It is used to store all user objects in a single, flat People Organizational Unit (OU). 

History of Enterprise Active Directory at Johns Hopkins

In January 2001 the Institutional Computing Standards Committee (ICSC) Windows 2000 sub-committee decided to initiate a centrally managed Enterprise Single AD site at Johns Hopkins. In March 2001 the sub-committee determined the basic design principles for the AD site: a flat structure, using a “people” container. This design would aid in future Directory Integration projects with the Identity Management system provided by the Enterprise Group, called Johns Hopkins Enterprise Directory or JHED.

Funding for the initial Active Directory site was obtained from Network and Telecommunications Services in April 2001.  The initial proposal for funding was designed to support up to 20,000 users across Homewood Campus, Bayview Campus, and East Baltimore Campus.

In June 2001, with assistance from Microsoft Active Directory Support Engineers, additional changes were made to the Active Directory design. The AD site currently exists in that design.

Contact Information

E-Mail the Active Directory Team for more information at or contact
Ibrahim Njai at (410) 735-4779 or e-mail at