U-M Windows Central Accounts

What is the U-M Windows Central Accounts Service?

User accounts can reside in several places within Active Directory, including OUs in the root domain and in a special OU of the root domain called the "People" OU. U-M Windows Central Accounts gives departmental Windows admins the ability to manage users in the U-M campus Active Directory who have been automatically provisioned as they are created in the campus directory and the campus MIT Kerberos realm.

In order to manage their own user accounts in the root domain, departments must have a delegated OU. To request a new delegated OU, see Joining the U-M Windows Forest as a Delegated Organizational Unit.

For more information and background on this service, see U-M Windows Central Accounts Service Purpose.

User Account Attributes

A key task in developing the service was to determine the appropriate set of Active Directory attribute values that departmental admins may modify without impacting users' use of central campus resources, such as the Campus Computing Sites and Libraries. A table of attributes for which departmental admins are granted and denied access to modify permissions is available at Description of Attributes ACLs Assigned to Accounts OU.

Moving Users to/from Delegated OUs

AD administrators of delegated OUs can move qualified accounts from the People OU to their delegated OU by following these directions.

Passwords and Authentication

Department admins have the ability to set Windows passwords, but may decide to have users log in with their Kerberos credentials (users may also set their own Windows passwords to match their UMICH passwords via the U-M Password Change web page). Some Windows services, such as mapping a remote drive from a non-Kerberos-authenticated computer, require the Windows password. Department administrators may choose to set the campus Kerberos and Windows passwords to be the same. In order to log into Windows with campus Kerberos credentials, each computer must be configured for pass-thru authentication.

Windows workstations can be configured so that users can log in with their campus Kerberos uniqname and password rather than their Windows password. Information on how to do this is available at: