What Are the Frequently Asked Questions (FAQs) about the Organizational Unit Administrator Tool?


Introduction

An organizational unit (OU) is a container in Active Directory (AD) for storing objects such as accounts, groups, and other OUs. Organizing accounts into OUs allows for easier administration and makes it possible to delegate administrative tasks.

One important idea to keep in mind when using OUs: they are not security principals. This means that permissions cannot be granted to an OU, so OUs cannot be used to secure resources.


Frequently Asked Question(s)

What Is the Active Directory Users and Computers Tool and How Do I Install It?

To administer your OU, use the Active Directory Users and Computers (ADUC) administrative tool, which is installed as part of the Remote Server Administration Tools (RSAT).

  1. To install RSAT, run the following command from an elevated PowerShell prompt: Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
  2. Follow any instructions or prompts to finish the installation.

How Do I View a Managed OU by Using ADUC?

  1. Click Start.
  2. Type: admin.
  3. As you type, results will appear and change. Click Windows Administrative Tools or Administrative Tools.
  4. Double-click Active Directory Users and Computers.
  5. Set the domain to cntrlsrvs.w2k.vt.edu.
    1. In the left pane, right-click the current domain name.
      Example: w2k.vt.edu
    2. Click Change Domain....
    3. In the Domain: text box, type: cntrlsrvs.w2k.vt.edu.
    4. Optionally, place a check in the Save this domain setting for the current console check box.
    5. Click OK.
  6. Navigate to your OU.
    1. In the left pane, double-click cntrlsrvs.w2k.vt.edu.
    2. Double-click Central.
    3. Click the name of your OU. You can now administer the OU.


How Do I Create Computer Accounts in an OU?

  1. **Important: You must be the administrator of your OU in Central Services to perform these actions. These instructions pertain to computer accounts in a Central Services OU.**
  2. Pre-create the computer account.
    1. On the OU administrator's computer, start the Active Directory Users and Computers administrative tool.
      (For instructions on installing the tool, see Installing the Active Directory Users and Computers Tool.)
    2. In the left pane, browse to and click your OU to highlight it.
      Example: cntrlsrvs.w2k.vt.edu, Central, ABC (where ABC is replaced with the name of your OU).
    3. In the menu bar, click Action.
    4. Click New.
    5. Click Computer.
    6. In the Computer name: text box, type the name of the computer to be added to the OU.
    7. Click OK.
    8. Wait 15 minutes for the computer account to replicate to all domain controllers.
  3. Add the computer to your Central Services OU.
    1. Log on to a **local administrator account** on the computer you want to join to the OU.
    2. Set the computer's DNS addresses to the appropriate addresses.
      1. Click Start.
      2. Type: network connections.
      3. As you type, results will appear and change. Click View network connections.
      4. Right-click the appropriate connection.
      5. Click Properties.
      6. Double-click Internet Protocol Version 4 (TCP/IPv4).
      7. Click Use the following DNS server addresses:.
      8. In the Preferred DNS server: text box, type: 198.82.162.237.
      9. In the Alternate DNS server: text box, type: 198.82.174.15.
      10. Click OK.
      11. Click OK.
      12. Close the Network Connections window.
    3. Change the computer's domain membership to cntrlsrvs.w2k.vt.edu.
      1. View the system properties.
        1. Click Start.
        2. Type: system.
        3. As you type, results will appear and change. Click System.
        4. On the right side of the window, click Change settings.
      2. Change the workgroup and domain membership.
        1. Click the Computer Name tab.
        2. Click Change....
        3. Under Member of, click Domain:.
        4. In the Domain: text box, type: cntrlsrvs.w2k.vt.edu.
        5. Click OK.
      3. In the Windows Security window that prompts for permission to join the domain:
        1. In the User name text box, type: hokies\ABC.
          (Replace ABC with your own Hokies ID.)
        2. In the Password text box, type your Hokies passphrase.
        3. Click OK.
      4. When you see the Welcome to the cntrlsrvs.w2k.vt.edu domain message, click OK.
      5. **Important: If you see "The following error occurred attempting to join the domain 'cntrlsrvs.w2k.vt.edu': Access is denied", verify that you used the MMC to pre-create the computer account as directed above.**
      6. Click OK.
      7. When you see a message saying you have to restart your computer, close all windows, and restart your computer.
    4. You can now log on to the added computer with a VT username and passphrase.
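
The pre-create and join steps above can also be scripted. The following Windows PowerShell sketch is an added example, not part of the original instructions. It assumes the RSAT ActiveDirectory module on the OU administrator's computer and that Central and your OU are both organizational units, so the path has the form OU=ABC,OU=Central,...; the function names, ABC, LAB-PC-01 and the interface alias are placeholders.

```powershell
# Run on the OU administrator's computer. Function names are hypothetical.
function New-PrecreatedComputer {
    param(
        [Parameter(Mandatory)] [string] $Name,             # computer name to pre-create
        [Parameter(Mandatory)] [string] $OuPath,           # DN of your OU (assumed form, see usage)
        [Parameter(Mandatory)] [pscredential] $Credential, # OU admin account, hokies\ABC
        [string] $Domain = 'cntrlsrvs.w2k.vt.edu'
    )
    Import-Module ActiveDirectory   # installed with the RSAT capability

    # Create the account directly in the managed OU.
    New-ADComputer -Name $Name -SamAccountName $Name -Path $OuPath `
        -Server $Domain -Credential $Credential

    # Rather than waiting a fixed 15 minutes, return the domain controllers
    # that do not hold the new account yet.
    Get-ADDomainController -Filter * -Server $Domain -Credential $Credential |
        Where-Object {
            try {
                -not (Get-ADComputer -Filter "Name -eq '$Name'" `
                        -Server $_.HostName -Credential $Credential)
            } catch { $true }       # an unreachable DC counts as not confirmed
        } | Select-Object -ExpandProperty HostName
}

# Run elevated on the computer being joined, as a local administrator.
function Join-CentralServices {
    param(
        [Parameter(Mandatory)] [string] $InterfaceAlias,   # e.g. 'Ethernet' (placeholder)
        [Parameter(Mandatory)] [pscredential] $Credential  # hokies\ABC
    )
    # DNS servers given in the steps above.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias `
        -ServerAddresses '198.82.162.237', '198.82.174.15'
    # Join the domain and restart.
    Add-Computer -DomainName 'cntrlsrvs.w2k.vt.edu' -Credential $Credential -Restart
}

# Example use (ABC and LAB-PC-01 are placeholders):
# $cred    = Get-Credential -Message 'hokies\ABC'
# $pending = New-PrecreatedComputer -Name 'LAB-PC-01' -Credential $cred `
#     -OuPath 'OU=ABC,OU=Central,DC=cntrlsrvs,DC=w2k,DC=vt,DC=edu'
# if ($pending) { Write-Warning "Not yet on: $($pending -join ', ')" }
```

An empty result from New-PrecreatedComputer means every domain controller already returns the account, so the join can proceed without waiting.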


What Is a Hokies OU Admin?

A Hokies OU admin is a Hokies user account that has elevated rights over a specific subset of other Hokies user accounts (technically Active Directory (AD) objects) in a container that is called an OU within the Virginia Tech AD. Hokies OU admins are typically departmental IT staff who manage Microsoft Windows systems and services for their department. A Hokies OU admin is delegated permissions to manage aspects of the Hokies users and groups within the Hokies AD domain. OUs map to departments based on DNS zone naming. In essence, if there exists a DNS domain zone like "x.cc.vt.edu", then there will be a corresponding "CC" OU in Hokies.


How Do I Become a Hokies OU Admin?

Contact 4Help by clicking Get Help on the 4Help portal.  You will need the proper permissions from your Dean, Director, or Department Head for this action.


How Do I Manage Users in My OU as a Hokies OU Admin?

  1. In a browser, go to OneCampus.
  2. If the page appears dark with text overlaid, click the page to dismiss the overlaid text.
  3. If any OneCampus announcements pop up, read the text, then click the appropriate button to dismiss the pop-up.
  4. To the right of the OneCampus logo, in the What would you like to do? search box, type: admin.
  5. On the keyboard, press Enter or Return.
  6. Click ADadmin.
  7. If prompted, log on with your VT username and passphrase.
  8. Complete authentication with your second factor.
  9. At the top of the page, under your username, from the Role: drop-down, click OU Admin – ABC where ABC will be replaced by the name of the OU.
  10. To perform operations on user accounts in the OU, click the appropriate item(s) in the left menu column. For most menu items, you will first need to click a user account.
  11. To learn about what options you have, at the top of the window, click Help.


How Do I Move a Hokies User Account into or out of My OU?

  1. These instructions apply only to Hokies accounts that do NOT belong to students. If the Hokies account you want to move belongs to a student, the OU administrator must contact 4Help by clicking Get Help on the 4Help portal.
  2. In a browser, go to OneCampus.
  3. If the page appears dark with text overlaid, click the page to dismiss the overlaid text.
  4. If any OneCampus announcements pop up, read the text, then click the appropriate button to dismiss the pop-up.
  5. To the right of the OneCampus logo, in the What would you like to do? search box, type: admin.
  6. On the keyboard, press Enter or Return.
  7. Click ADadmin.
  8. If prompted, log on with your VT username and passphrase.
  9. Complete authentication with your second factor.
  10. Determine which OU the person's account is currently in.
    1. In the left menu column, click Persons.
    2. In the left menu column, click View Other Person.
    3. In the Person: text box, type the VT Username of the person you want to move.
    4. Click Search.
    5. In the search results, to the right of the person's VT Username, in the Distinguished Name column, look for OU=ABC where ABC will be replaced with the OU where the person's account resides.
  11. In ADadmin, switch to the OU admin role.
    1. **Important**: If you are not an OU admin of the OU where the user account currently resides, you will not be able to modify or move the account, unless the account resides in the unmanaged OU called NOTOU. Contact the OU admin responsible for the account and ask them to move the account into the NOTOU OU.
    2. At the top of the page, under your username, from the Role: drop-down list, click OU Admin – ABC where ABC will be replaced by the name of the OU which you want to move the account into or out of.
  12. Search for the person's account and move them.
    1. In the left menu column, click OUs.
    2. In the left menu column, click Move to OU.
      From the OU drop-down, click the OU that the person's account is currently in:
      • To move a person's account into your OU, click NOTOU.
      • To move a person's account out of your OU, click ABC, where ABC is the name of the OU for which you are currently logged in as an OU admin.
    3. Type the VT username of the person.
    4. Click Search.
    5. Double-click the VT username of the person.
    6. Click Move to NotOU or Move to ABC where ABC is replaced by the name of the OU.
    7. To confirm, click OK.


What Is the Difference between an OU Admin in Hokies and in Central Services?

Central Services is a child domain within the Virginia Tech AD, whereas Hokies is the root domain of the AD forest. The Hokies domain supports user, contact, and group objects for all faculty, staff, and students. Hokies accounts are the central IT Windows accounts for systems and services for Virginia Tech. Central Services supports an infrastructure for other types of objects (predominantly Windows computer objects). Being an OU admin for one domain does not automatically make you an OU admin for the other. Also, the existence of a Hokies OU does not imply the existence of a complementary Central Services OU.


How Do I Become a Central Services OU Admin?

Contact 4Help by clicking Get Help on the 4Help portal. You will need the proper permissions from your Dean, Director, or Department Head for this action.


How Do I Use ADUC to Administer a Hokies or a Central Services Managed OU on a Computer Not in the Hokies AD?

  1. Ensure that ADUC is installed. See Installing the Active Directory Users and Computers (ADUC) Tool for details.
  2. In the command below, replace {username} with your Hokies account username.
    • Command: runas /user:hokies\{username} /netonly "mmc.exe dsa.msc"
    • The /netonly switch specifies that the credentials you provide are used only for remote (network) access; a user profile for that account should not be created or used on the local system.
  3. You may receive an error message about "Naming information cannot be located". This is expected, and is safe to ignore. Click OK if you received this error message. (The "Active Directory Users and Computers" window will appear anyway, afterwards.) 
  4. In the resulting "Active Directory Users and Computers" window, RIGHT-CLICK Active Directory Users and Computers (the top-most item of the left panel's navigational hierarchy listing) and click Change Domain....
  5. In the Domain text box, type:
    • EITHER: "w2k.vt.edu" (to connect to the Hokies domain)
    • OR: "cntrlsrvs.w2k.vt.edu" (to connect to the Central Services domain)
  6. Then click OK.
  7. In the left panel, a triangle pointing to the name of the domain you specified should now appear under Active Directory Users and Computers. Click that triangle to expand the OU structure of the domain.
  8. Finally, to find your managed OU: 
    • NOTE: In the wording below, "{ou}" represents your managed OU.
    • EITHER, for Hokies OUs: You should be able to click the triangle and browse to "w2k.vt.edu/vt/{ou}" to view and administer your Hokies managed OU.
    • OR, for Central Services OUs: You should be able to click the triangle and browse to "cntrlsrvs.w2k.vt.edu/Central/{ou}" to view and administer your Central Services managed OU.
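
The AD PowerShell cmdlets accept the same explicit credentials without runas. The following added example, not part of the original instructions, inventories the computer accounts in a Central Services managed OU from a computer outside the AD and lists pre-created accounts that have no recorded logon. It assumes the RSAT ActiveDirectory module is installed, that the domain controllers are reachable from the computer, and that Central and {ou} are organizational units; ABC and the 30-day threshold are placeholders.

```powershell
Import-Module ActiveDirectory

$Domain = 'cntrlsrvs.w2k.vt.edu'
# Assumed DN for cntrlsrvs.w2k.vt.edu/Central/{ou}; ABC is a placeholder for {ou}.
$OuPath = 'OU=ABC,OU=Central,DC=cntrlsrvs,DC=w2k,DC=vt,DC=edu'
$Cred   = Get-Credential -Message 'Enter your Hokies account as hokies\{username}'
$Cutoff = (Get-Date).AddDays(-30)    # review threshold, chosen for illustration

# -Server and -Credential send the query to the domain with the Hokies
# credentials; the local session stays under the local logon.
$Computers = Get-ADComputer -Filter * -SearchBase $OuPath -SearchScope Subtree `
    -Server $Domain -Credential $Cred `
    -Properties Created, LastLogonDate, PasswordLastSet

# Full inventory of the managed OU.
$Computers | Sort-Object Name |
    Select-Object Name, Enabled, Created, LastLogonDate, PasswordLastSet |
    Format-Table -AutoSize

# Accounts created more than 30 days ago with no recorded logon: likely
# pre-created but never joined, so candidates for review or removal.
$Computers |
    Where-Object { -not $_.LastLogonDate -and $_.Created -lt $Cutoff } |
    Select-Object Name, Created, DistinguishedName |
    Format-Table -AutoSize
```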

