U-M Windows Central Accounts

What is the U-M Windows Central Accounts Service?

User accounts can reside in several places within Active Directory, including OUs in the root domain and a special OU of the root domain called the "People" OU. U-M Windows Central Accounts gives departmental Windows admins the ability to manage user accounts in the U-M campus Active Directory that are automatically provisioned as they are created in the campus directory and campus MIT Kerberos realm.

In order to manage their own user accounts in the root domain, departments must have a delegated OU. To request a new delegated OU, see Joining the U-M Windows Forest as a Delegated Organizational Unit.

For more information and background on this service, see U-M Windows Central Accounts Service Purpose.

User Account Attributes

A key task in developing the service was to determine the appropriate set of Active Directory attribute values that departmental admins may modify without impacting users' use of central campus resources, such as the Campus Computing Sites and Libraries. A table of the attributes for which departmental admins are granted or denied modify permissions is available at Description of Attributes ACLs Assigned to Accounts OU.

Moving Users to/from Delegated OUs

AD administrators of delegated OUs can move qualified accounts from the People OU to their delegated OU by following these directions.