Active Directory Users, Groups, and OUs

This document describes the basic components in Active Directory (UMROOT) and how to work with them.


Organizational Units (OUs)

OUs are Active Directory (AD) containers that hold other AD objects. They have three main functions:

  • To visually organize objects
  • To group objects so Group Policies can be assigned to them
  • To group objects so permissions can be delegated to them so they can be managed by a subset of administrators

Unlike in some other systems, Active Directory OUs are not security principals; you cannot assign a common set of permissions to all the users in an OU. You can only assign permissions to users and groups.


People OU

People with profiles in the MCommunity Directory are provisioned to the People OU, so you won't need to create any uniqname user accounts. There are several ways to manage these users (see Managing Users below).

Organizations OU

Each unit that joins the Active Directory will have an Organizations OU.

Unit administrators can create additional OUs, computers and server objects, groups, and non-uniqname users in their Organizations OU. All objects except OUs must conform to the naming conventions of dept-whatever.

You are not allowed to create user objects with uniqnames or using the uniqname naming convention of 3-8 alphabetic characters. You must create user objects that follow the above naming convention. For administrative accounts, there is an exception that allows you to add a number to the end of a uniqname to create a user name.

Group Policies can be applied to your Organizations OU or any of the sub OUs.

Accounts OU (Optional)

Each unit that joins Active Directory will have an Accounts OU. Using this OU is optional and many units will choose not to use it in order to simplify their administration. You may choose to fully manage your users and their attributes, but this is generally unnecessary. See the Active Directory Central Accounts Service page for an explanation.

Managing Users

All users with uniqnames are already provisioned in the People OU of Active Directory. You can manage many aspects of these users without needing to manage the users in your Accounts OU.

  • Users can be added by OU administrators to groups you create in your Organizations OU.
  • Permissions can be assigned by OU administrators to your resources for any users, although we recommend always applying permissions to groups.
  • Group Policies can be applied by OU administrators to any users logging onto your computers by using Loopback Policies.
  • ITS Exchange mailboxes can be assigned to any user by ITS Admins if you are a Full Serve Exchange unit.

Managing Groups

It is best to assign permissions to groups rather than to individuals. As an OU admin, you can create Security Groups, add users, and then assign permissions to resources.

To create groups:

  1. Using Active Directory Users and Computers, navigate to your OU and then to the Groups OU.
  2. Right-click and select New Group. The default Global Security Group is fine for most purposes.
  3. Enter the group name, which must follow one of these two naming conventions:
    • unit-anything
      (using the AD prefix assigned to your unit when you requested your OU)
      example: hsg-assistants
    • UnitAnyThing
      example: HousingAssistants
      This type of group is more appropriate if you plan on using Exchange and want to use the group as a distribution list and have it show up in the Global Address List.
  4. Don't mail enable the group unless you are using the ITS Exchange service. See the ITS Exchange Service website for more info.
  5. Open the newly created group and add members.
  6. Assign permissions to the group.
Last Updated: 
Tuesday, February 12, 2019