Contact Us

Information Technology

Phone: (307) 766-HELP (4357)

Email: userhelp@uwyo.edu

Active Directory Organizational Unit Domain Services

In the past, many UW departments have implemented their own Microsoft domain servers to self-manage departmental computers, accounts, and software.

A service is available that allows departments to manage their own resources and participate in the university-wide Active Directory domain, UWYO. This service allows departments to maintain control of departmental resources and offload the technical and financial burden of implementing their own domain services.

UW departments that have technical staff available can submit a request to have an Organizational Unit (OU) created for their department in the Active Directory. Departments can then create and manage group and computer hardware objects within their assigned Organizational Units.

To sign up for ADOU Domain Services, read this agreement and submit the TeamDynamix request. Each individual responsible for managing an OU must submit the required information. Once a request is approved, applicants will receive instructions from their Departmental User Consultant explaining how to access their OU and which prefix has been assigned to it.

Please note that no additional documentation is made available from Information Technology. Individuals responsible for managing the ADOU are expected to have sufficient technical knowledge to manage the ADOU on their own. Technical resources and primers may be found by browsing the Internet, but IT does not endorse any reference materials or provide support for ADOU management.

Organizational Unit managers will need to install the Active Directory Users and Computers MMC snap-in (part of the Remote Server Administration Tools) to access Active Directory.


Active Directory Organizational Unit Domain Services Agreement

This agreement is for Information Technology to provide an Active Directory Organizational Unit for UW departmental use. "Active Directory Organizational Unit" will hereby be abbreviated to ADOU. Information Technology will provide departments with an ADOU for the purpose of domain service organization under the following requirements:

Department Requirements

The department must maintain Support Personnel with knowledge of the features and implementation of ADOU objects using the Microsoft Management Console (MMC). The department must have personnel with sufficient knowledge of Active Directory, Computer Objects, Security Objects, and the Active Directory Users and Computers MMC snap-in to manage and maintain the ADOU, including creation, deletion, and modification of objects.

The department agrees to abide by the naming convention for ADOU objects. To maintain the integrity of other objects on the domain, Information Technology requires that every group and Group Policy Object the department creates be prefixed with its assigned abbreviation.

Who is eligible? Any department designated by UW Human Resources under the current DDU (department, division, unit) definitions.

Scope of Service

Organizational Unit Creation and Security: Information Technology will create an OU within the WINDOWS.UWYO.EDU Active Directory domain and set security on it with sufficient privileges to allow the department to create, delete and populate security groups; create and delete computer accounts; and create, delete and populate sub-OUs.

Organizational Unit Management: The department will have the ability to create, delete and populate Organizational Units within their designated ADOU to aid in the organization of Security Groups and Computer Hardware Accounts as the department deems appropriate.

Security Group Management: The department will have the ability to create, delete, and populate security groups within their designated ADOU to aid in access control of online resources as the department deems appropriate.

Computer Account Management: The department will have the ability to create and delete computer accounts within their designated ADOU. Computer accounts are accounts on the Windows Domain for a physical piece of hardware, such as a desktop system. Computer accounts are NOT the accounts individuals use to log in to a computer. See important information about Computer Accounts in the Notes section, below.

Notes

  • All Security groups and Group Policy Objects must use the designated prefix in the object name. To ensure the integrity of the main AD structure, Information Technology reserves the right to rename any object that doesn’t follow the naming convention.
  • Information Technology Computer Support Specialists will have no access to departmental ADOU structures and therefore cannot help with Computer Account problems if the accounts reside in the department's designated ADOU structure.

Explanations

Prefix Requirement: Information Technology requires the use of assigned prefixes to ensure that objects under departmental control are unique and don’t conflict with other objects on the domain. This is also required for future scalability of the service – i.e., additional tools may be implemented that will depend on the prefix being present on all objects within the department designated ADOU.
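The following PowerShell script is an added example and is not part of UW IT's documentation or tooling. It audits a delegated ADOU for the two things the agreement makes the department responsible for: security groups and linked Group Policy Objects that do not carry the assigned prefix, plus a count of the computer accounts that IT's Computer Support Specialists cannot see. The OU distinguished name and the prefix are placeholders; substitute the values IT assigns to your department.

```powershell
# Added example (not UW IT's code): audit a delegated ADOU for objects that
# do not carry the assigned prefix. Requires the RSAT ActiveDirectory and
# GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Prefix = 'DEPT'                                              # assumption: placeholder prefix
$OU     = 'OU=DEPT,OU=Departments,DC=windows,DC=uwyo,DC=edu'  # assumption: placeholder DN

# Security groups anywhere under the delegated OU (sub-OUs included).
$groups    = @(Get-ADGroup -Filter * -SearchBase $OU -SearchScope Subtree)
$badGroups = @($groups | Where-Object { $_.Name -notlike "$Prefix*" })

# GPOs the department is responsible for are the ones linked directly to the
# OU or one of its sub-OUs. GpoLinks holds only direct links; IT's domain-level
# policies arrive through InheritedGpoLinks and are deliberately not checked here.
$linkedNames = @()
$containers  = @(Get-ADOrganizationalUnit -Filter * -SearchBase $OU -SearchScope Subtree)
foreach ($container in $containers) {
    $links = (Get-GPInheritance -Target $container.DistinguishedName).GpoLinks
    $linkedNames += @($links | ForEach-Object { $_.DisplayName })
}
$linkedNames = @($linkedNames | Sort-Object -Unique)
$badGpos     = @($linkedNames | Where-Object { $_ -notlike "$Prefix*" })

# Computer accounts under the OU: the objects central IT support cannot assist with.
$computers = @(Get-ADComputer -Filter * -SearchBase $OU -SearchScope Subtree)

# Summarise. Anything listed under the "MissingPrefix" fields is a naming
# violation that IT reserves the right to rename.
[pscustomobject]@{
    OU                  = $OU
    Groups              = $groups.Count
    GroupsMissingPrefix = ($badGroups | ForEach-Object { $_.Name }) -join ', '
    LinkedGpos          = $linkedNames.Count
    GposMissingPrefix   = $badGpos -join ', '
    Computers           = $computers.Count
} | Format-List
```

Run it from an account that holds the delegated rights on the OU; it only reads the directory, so it is safe to schedule as a periodic check before IT has cause to rename anything.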

User Accounts: Since the University has implemented a centralized account management solution that spans multiple systems that includes pre-creation of accounts, all user accounts must go through this system for account creation. This includes service accounts and special accounts. These accounts must be processed through the central system to ensure account uniqueness and integrity. This being the case, Information Technology will not grant the ability to create user accounts within a department designated ADOU. Departments should contact their Information Technology Computer Support Specialist for more information about special user accounts. 

Group Policy: The standard ADOU configuration will not include the ability to create and set Group Policies on objects within a departmental designated OU. Departments that need Group Policy access must complete an additional GP Access request form using the button below to request access.

Department Managed OU Group Policies Agreement

Upon request, access will be granted to Department-Managed OU Administrators to create and manage Group Policy Objects (GPOs) for their OU. For access to be granted, individual administrators must agree to specific terms and conditions related to Group Policy.

Terms and Conditions

  • I acknowledge that Information Technology does not provide support for managing Group Policy Objects. Information Technology assumes that an administrator requesting and utilizing Group Policies has a thorough understanding of the concepts, interactions and implications associated with applying group policies to multiple domain objects. In addition, IT assumes that adequate backup will be maintained, with sufficient understanding of the Group Policy to maintain it in the event that the primary administrator is not available.
  • I understand that excessive numbers of group policy objects can negatively impact campus users of Active Directory. I agree to limit the number of group policy objects that I create to a reasonable number.
  • I understand that the ability to create group policy objects also allows me to write files to the domain controllers. These files are normally used for logon or logoff scripts, etc. I understand that the domain controllers have limited disk space and that if they are overloaded it will negatively impact all campus users of Active Directory. I agree not to upload an excessive volume of data to them.
  • I agree to prefix the names of any group policy objects that I create with the name of my department-managed OU.
  • I understand that some changes made via Group Policy may break applications or the OS itself and render all systems under the OU inoperable pending a complete system rebuild. Also, due to the multitude of possible scenarios, IT's support for machines in Department-Managed OUs using Group Policies may be limited. I understand that Information Technology may require me to deactivate some Group Policies and/or move systems to the default central computer account container as part of the initial troubleshooting steps for individual computers.
  • Information Technology sets a very limited number of group policies at the domain level. Those that are set have a very specific reason. I agree not to block inheritance of these global policies. Instead, if there is a specific reason to have a policy that differs from a global one, I understand that I can simply set the same policy in my OU with an updated value and it will supersede the Information Technology created policy. I agree not to take that action without careful consideration and an understanding of the risks. I understand that while IT does not currently have any mandatory policies set that can't be blocked, the time may come when they implement mandatory (enforced) policies that cannot be overridden.
  • I understand that IT reserves the right to perform any action necessary to maintain IT policies and procedures if an applied Group Policy negatively impacts objects outside of the Department Managed OU.
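The check below is an added example, not part of UW IT's documentation, showing how an OU administrator can verify the inheritance terms above before and after making Group Policy changes: it confirms that inheritance is not blocked on the delegated OU, separates the OU's own links from the policies inherited from IT at the domain level, and flags any inherited link marked Enforced, which is the mechanism by which a future mandatory IT policy would override an OU-level setting. The OU distinguished name is a placeholder.

```powershell
# Added example (not UW IT's code): verify Group Policy inheritance on a
# delegated OU. Read-only; requires the RSAT GroupPolicy module.
Import-Module GroupPolicy

$OU = 'OU=DEPT,OU=Departments,DC=windows,DC=uwyo,DC=edu'   # assumption: placeholder DN

$inheritance = Get-GPInheritance -Target $OU

# Term 6 of the agreement: inheritance of IT's domain-level policies must stay on.
if ($inheritance.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is BLOCKED on $OU. The ADOU agreement requires it to remain enabled."
    Write-Warning "Remediation (run only if you own the OU): Set-GPInheritance -Target '$OU' -IsBlocked No"
} else {
    Write-Output "Inheritance is enabled on $OU."
}

# Links set directly on this OU: these are the department's own GPOs and the
# place to override a domain setting with a different value, as the terms allow.
Write-Output "`nGPOs linked directly to the OU:"
$inheritance.GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order |
    Format-Table -AutoSize

# Everything that actually applies here, including what comes down from the
# domain. InheritedGpoLinks carries a Target (the container each link sits on),
# so links whose Target is not this OU are the inherited, IT-managed ones.
$inherited = @($inheritance.InheritedGpoLinks | Where-Object { $_.Target -ne $OU })
Write-Output "GPOs inherited from parent containers:"
$inherited |
    Select-Object DisplayName, Target, Enabled, Enforced |
    Format-Table -AutoSize

# An inherited link marked Enforced cannot be overridden by an OU-level setting;
# report these so the administrator knows which settings are out of scope.
$enforced = @($inherited | Where-Object { $_.Enforced })
if ($enforced.Count -gt 0) {
    Write-Warning ("Enforced policies that OU-level GPOs cannot override: " +
                   (($enforced | ForEach-Object { $_.DisplayName }) -join ', '))
} else {
    Write-Output "No enforced domain policies are currently applied to this OU."
}
```

Running this after each GPO change gives the administrator a record of which settings were overridden at the OU level and which remain IT's, which is the evidence IT is likely to ask for if a departmental policy is suspected of affecting objects outside the OU.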
