This document describes the prerequisites and process for administrators of delegated Organizational Units (OUs) in Active Directory (AD) to move the uniqname accounts of users from the People OU (where they are created by default) to the Accounts OU that is associated with their unit or organization. This allows administrators to control user and computer settings in their group's Windows environment.
See Joining the Active Directory (UMROOT) Forest as a Delegated Organizational Unit (OU) for information on getting a delegated OU for your group or unit.
Before Moving A User Account
As a general practice, consider whether moving a user to your delegated OU is necessary, since moving users can adversely impact their use of other computer resources at U-M if an account is moved by mistake. Before moving a user, you should always:
- Check to be certain that a user belongs in your delegated OU before you begin the process to move them. Each move in AD is logged, but are no explicit checks done for unit affiliation, and user's are not notified of account moves.
- Ask the user if they have a split appointment. If they do, contact the other unit(s) that may have an interest in providing AD resources to the user.
- Be prepared to move users from your delegated OU back to the People OU when they are no longer associated with your unit. If you determine that you need to move users to your OU, you should familiarize yourself with the process of moving users back to the People OU, and have a process in place for "off-boarding" users when they move to another unit or leave the university.
Security Groups and Preliminary Setup
In each delegated OU you will find an Accounts OU containing three security groups:
Contains list of accounts to receive email notification of moves to and from your Accounts OU.
Members of this group will be moved from People to a delegated OU.
Members of this group will be moved from a delegated OU to People.
Delegated OU administrators should add an email group or their U-M uniqname account to the _EmailNotificationForMoves group to receive an email each time user accounts are moved to or from their delegated OU.
Move an AD Account to a Delegated OU
To move a user from the People OU to your delegated OU add the uniqname account of the user to the _MoveToDelegatedOU group located in your Accounts delegated OU. The move should take no longer than 10 minutes, and usually happens within 5 minutes.
Move an AD Account from a Delegated OU to the People OU
To move a user from your delegated OU to the People OU, add the uniqname of the user to the _MoveToPeopleOU group located in your Accounts delegated OU. The move should take no longer than 10 minutes, and usually happens within 5 minutes.
Be aware that several user attributes are cleared when moving users back to the People OU. Cleared fields include the delegated OU admin writable fields such as user home folder and profile paths, as well as Microsoft Exchange user attributes.
If the user account to be moved is not in the expected OU, an error message will be generated as part of the notification email.
For example, if you add a uniqname account to the _MoveToDelegatedOU group, that account is expected to be located in the People OU before the move. If the account is located in another delegated OU, the move will fail. To remedy this situation, contact the admins of the delegated OU currently holding the AD user, and ask them to move this user back to the People OU.
In all cases, accounts that have been added as members of the _MoveToPeopleOU or _MoveToDelegatedOU groups will be removed from those groups after the move has been attempted. This prevents race conditions, which could occur when a move fails, and is normal procedure when a move succeeds.
If you run into problems moving AD users, please contact the ITS Service Center.