Understanding OUs in Hokies and Central Services AD, OU Admins, and their Capabilities


Introduction

An organizational unit (OU) is a container in Active Directory (AD) for storing objects such as accounts, groups, and other OUs. Organizing accounts into OUs allows for easier administration and makes it possible to delegate administrative tasks including Google Workspace storage allotments. Hokies OU admins are assigned users within the Hokies AD that are authorized to administer their OU.

One important idea to keep in mind when using OUs: they are not security principals. This means that they cannot be used to secure resources (an OU cannot be granted permissions; only users, groups, and computers can).

Frequently Asked Questions

What Is a Hokies OU admin?

A Hokies OU admin is a Hokies user account that has elevated rights over a specific subset of other Hokies user accounts (technically AD objects) in a container called an OU within the Virginia Tech AD. Hokies OU admins are typically departmental IT staff. A Hokies OU admin is delegated permissions to manage aspects of the Hokies users and groups within the Hokies AD domain and to implement Google Workspace storage allocations. OUs map to departments based on Domain Name System (DNS) zone naming. In essence, if there exists a DNS domain zone like "x.cc.vt.edu", then there will be a corresponding "CC" OU in Hokies.

How do I become a Hokies OU admin?

This Service Catalog requestable item is used to make this request. You will need the proper permissions from your dean, director, or department head for this action.

How does a Hokies OU admin manage their OU?

Please see the following Knowledge Base article, Using the Collaborative Computing Solutions Admin Tool (CAT)

What is the difference between an OU admin in Hokies AD and in Central Services AD?

Hokies AD is the root domain of the AD forest. The Hokies domain supports user, contact, and group objects for all faculty, staff, and students. Hokies accounts are the central IT Windows account for systems and services for Virginia Tech.

Central Services AD is a child domain within the Virginia Tech AD. Central Services supports an infrastructure for other types of objects (predominantly Windows computer objects). Being an OU admin for one domain does not automatically make you an OU admin for the other. Also, the existence of a Hokies OU does not automatically imply the existence of a complementary Central Services OU.

How do I become a Central Services OU admin?

This Service Catalog requestable item is used to make this request. You will need the proper permissions from your dean, director, or department head for this action.

What is the Active Directory Users and Computers Tool, and how do I install it?

To administer computer accounts in your Central Services OU, use the AD Users and Computers (ADUC) administrative tool.

  1. To install RSAT, run the following command from an elevated PowerShell: Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
  2. Follow any instructions or prompts to finish the installation.

How do I view a managed OU in Central Services by using ADUC?

  1. Click Start.
  2. Type: admin.
  3. As you type, results will appear and change. Click Windows Administrative Tools or Administrative Tools.
  4. Double-click Active Directory Users and Computers.
  5. Right-click the domain cntrlsrvs.w2k.vt.edu in the left pane.
  6. Click Change Domain....
  7. In the Domain: text box, type: cntrlsrvs.w2k.vt.edu.
  8. Optionally, place a check in the Save this domain setting for the current console check box.
  9. Click OK.
  10. Navigate to your OU.
    1. In the left pane, double-click cntrlsrvs.w2k.vt.edu.
    2. Double-click Central.
    3. Click the name of your OU. You can now administer the OU.

How do I create computer accounts in a Central Services OU?

You must be the administrator of your OU in Central Services to perform these actions. These instructions pertain to computer accounts in a Central Services OU.

  1. Pre-create the computer account.
    1. On the OU administrator's computer, start the Active Directory Users and Computers administrative tool.
      (For instructions on installing the tool, see Installing the Active Directory Users and Computers Tool.)
    2. In the left pane, browse to and click your OU to highlight it.
      Example: cntrlsrvs.w2k.vt.edu, Central, ABC (where ABC is replaced with the name of your OU).
    3. In the menu bar, click Action.
    4. Click New.
    5. Click Computer.
    6. In the Computer name: text box, type the name of the computer to be added to the OU.
    7. Click OK.
    8. Wait 15 minutes for the computer account to replicate to all domain controllers.
  2. Add the computer to your Central Services OU.
    1. Log on to the computer you want to join to the OU using a local administrator account.
    2. Set the computer's DNS addresses to the appropriate addresses.
      1. Click Start.
      2. Type: network connections.
      3. As you type, results will appear and change. Click View network connections.
      4. Right-click the appropriate connection.
      5. Click Properties.
      6. Double-click Internet Protocol Version 4 (TCP/IPv4).
      7. Click Use the following DNS server addresses:
      8. In the Preferred DNS server: text box, type: 198.82.162.237.
      9. In the Alternate DNS server: text box, type: 198.82.174.15.
      10. Click OK.
      11. Click OK.
      12. Close the Network Connections window.
    3. Change the computer's domain membership to cntrlsrvs.w2k.vt.edu.
      1. View the system properties.
        1. Click Start.
        2. Type: system.
        3. As you type, results will appear and change. Click System.
        4. On the right side of the window, click Change settings.
      2. Change the workgroup and domain membership.
        1. Click the Computer Name tab.
        2. Click Change....
        3. Under Member of, click Domain:.
        4. In the Domain: text box, type: cntrlsrvs.w2k.vt.edu.
        5. Click OK.
      3. In the Windows Security window that prompts for permission to join the domain:
        1. In the User name text box, type: hokies\ABC.
          (Replace ABC with your own Hokies ID.)
        2. In the Password text box, type your Hokies passphrase.
        3. Click OK.
      4. When you see the Welcome to the cntrlsrvs.w2k.vt.edu domain message, click OK.
      5. **Important: If you see "The following error occurred attempting to join the domain 'cntrlsrvs.w2k.vt.edu': Access is denied", verify that you used the MMC to pre-create the computer account as directed above.**
      6. Click OK.
      7. When you see a message saying you have to restart your computer, close all windows, and restart your computer.
    4. The added computer can now be logged on to with a VT username and passphrase.
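The pre-create-and-join procedure above, written as PowerShell. This is an added example, not code from the original article; it assumes the RSAT Active Directory module is installed on both the OU admin's computer and the computer being joined, and that $ouName, $computerName and $hokiesId are replaced with your own values.

```powershell
# Added example, not from the original article. Part 1 runs on the OU admin's
# computer (RSAT installed); Part 2 runs on the computer being joined, as a
# local administrator, and also assumes the RSAT AD module is present there.
$ouName       = 'ABC'           # placeholder: your Central Services OU
$computerName = 'ABC-LAB-01'    # placeholder: computer to add to the OU
$hokiesId     = 'ABC'           # placeholder: your Hokies ID
$domain       = 'cntrlsrvs.w2k.vt.edu'
$ouPath       = "OU=$ouName,OU=Central,DC=cntrlsrvs,DC=w2k,DC=vt,DC=edu"

# --- Part 1 (OU admin): pre-create the computer account in the OU ---
Import-Module ActiveDirectory
New-ADComputer -Name $computerName -Path $ouPath -Server $domain

# The article says to wait 15 minutes for replication; polling every domain
# controller for the new object is more reliable than a fixed wait.
$dcs = (Get-ADDomainController -Filter * -Server $domain).HostName
do {
    Start-Sleep -Seconds 30
    $missing = $dcs | Where-Object {
        -not (Get-ADComputer -Filter "Name -eq '$computerName'" -Server $_)
    }
} while ($missing)

# --- Part 2 (local administrator on the target computer) ---
# DNS servers from the article, set on the adapter that carries the default route.
$ifIndex = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
            Sort-Object RouteMetric | Select-Object -First 1).InterfaceIndex
Set-DnsClientServerAddress -InterfaceIndex $ifIndex `
    -ServerAddresses '198.82.162.237', '198.82.174.15'

$cred = Get-Credential -UserName "hokies\$hokiesId" -Message 'Hokies passphrase'

# A missing or misplaced pre-created account is what produces the
# "Access is denied" join error described in step 5, so check before joining.
$acct = Get-ADComputer -Filter "Name -eq '$computerName'" -Server $domain -Credential $cred
if (-not $acct) { throw "No pre-created account for $computerName in $domain." }
if ($acct.DistinguishedName -notlike "*,$ouPath") {
    throw "Account for $computerName exists but is not in $ouPath."
}
Add-Computer -DomainName $domain -Credential $cred -OUPath $ouPath -Restart
```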

How do I use ADUC to administer a Central Services managed OU on a computer not in the Central Services AD?

  1. Ensure that ADUC is installed. See Installing the Active Directory Users and Computers (ADUC) Tool for details.
  2. In the command below, replace {username} with your Hokies account username.
    • Command: runas /user:hokies\{username} /netonly "mmc.exe dsa.msc"
    • The "netonly" switch specifies that the credentials you provide are used only for remote (network) access; no user profile is created or used on the local system.
  3. You may receive an error message saying "Naming information cannot be located". This is expected and safe to ignore; click OK if you see it. (The "Active Directory Users and Computers" window will still appear afterwards.)
  4. In the resulting "Active Directory Users and Computers" window, right-click Active Directory Users and Computers (the top-most item in the left panel's navigation tree) and click Change Domain....
  5. In the Domain text box, type one of the following:
    • "w2k.vt.edu" to connect to the Hokies domain, or
    • "cntrlsrvs.w2k.vt.edu" to connect to the Central Services domain.
  6. Click OK.
  7. In the left panel, under Active Directory Users and Computers, a triangle pointing to the name of the domain you specified now appears. Click that triangle to expand the OU structure of the domain.
  8. Finally, find your managed OU ("{ou}" below represents your managed OU):
    • For Hokies OUs, browse to "w2k.vt.edu/vt/{ou}" to view and administer your Hokies managed OU.
    • For Central Services OUs, browse to "cntrlsrvs.w2k.vt.edu/Central/{ou}" to view and administer your Central Services managed OU.
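An added example (not from the original article) that does from PowerShell what the runas /netonly and Change Domain steps above do in ADUC: it connects to the chosen domain with your Hokies credentials from a computer outside the AD, converts the ADUC-style path to a distinguished name, and lists the permissions delegated directly on your managed OU, which is what defines an OU admin's capabilities as described at the top of the article. It assumes the RSAT Active Directory module is installed; $ouName, $server and $ouPath are placeholders you replace.

```powershell
# Added example, not from the original article. Assumes the RSAT AD module.
Import-Module ActiveDirectory

function ConvertTo-OuDistinguishedName {
    # Turn an ADUC-style path such as "cntrlsrvs.w2k.vt.edu/Central/ABC" into
    # "OU=ABC,OU=Central,DC=cntrlsrvs,DC=w2k,DC=vt,DC=edu".
    param([Parameter(Mandatory)][string]$CanonicalPath)
    $parts  = $CanonicalPath.Split('/')
    $domain = ($parts[0].Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $ous = @()
    for ($i = $parts.Count - 1; $i -ge 1; $i--) { $ous += "OU=$($parts[$i])" }
    return (($ous + $domain) -join ',')
}

$ouName = 'ABC'                      # placeholder: your managed OU
$server = 'cntrlsrvs.w2k.vt.edu'     # or 'w2k.vt.edu' for a Hokies OU
$ouPath = "$server/Central/$ouName"  # for a Hokies OU use "$server/vt/$ouName"
$dn     = ConvertTo-OuDistinguishedName $ouPath

# Equivalent of "runas /netonly": the Hokies credential is used only for the
# directory connection, nothing is cached as a local profile.
$cred = Get-Credential -Message 'Hokies account (hokies\username)'
$ou = Get-ADOrganizationalUnit -Identity $dn -Server $server -Credential $cred `
        -Properties nTSecurityDescriptor

# Explicit (non-inherited) ACEs are the rights delegated on this OU itself;
# inherited entries come from parent containers. Reviewing this list shows
# exactly which identities the OU admin delegation granted rights to.
$ou.nTSecurityDescriptor.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```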
