U-M Windows Forest

Moving Users in Active Directory

Administrators of delegated OUs can now move users between their AD delegated OU and the People OU using a simplified procedure. This procedure replaces the web-based UMWinCA "Move Users" program that has been used since 2005.

As background, new AD user accounts are created in the People OU. OU admins sometimes wish to move users associated with their academic unit from the default People OU to their Accounts delegated OU when an employee joins their unit, or from their delegated OU to the People OU when an employee leaves their unit. This can now be accomplished using the Active Directory Users and Computers snap-in, or ADUC.

Listed at the top of each Accounts delegated OU, you will find three security groups.

_EmailNotificationForMoves
Contains the list of accounts to receive email notification of moves.

_MoveToDelegatedOU
Members of this group will be moved from People to a delegated OU.

_MoveToPeopleOU
Members of this group will be moved from a delegated OU to People.

Preliminary Setup

As an OU administrator, you may want each move to be confirmed. By adding your U-M uniqname account to the _EmailNotificationForMoves group, you will receive an email each time one or more users is moved to or from your delegated OU. This allows OU admins to customize email notification for their unit.

Questions to ask before moving a user

Before moving a user from the People OU to your unit's delegated OU, be absolutely certain that this user belongs in your unit. Although each move is logged, there are no explicit checks done for unit affiliation, and the user is not notified of the move.

Ask the user if they have a split appointment. If so, contact other units that may have an interest in providing AD resources to the user, to avoid misunderstandings and possible AD complications.

As general practice, consider whether moving users to your delegated OU is still necessary. OU admins can no longer reset a user's AD password, and most Exchange users have migrated to Google email. And as the MiWorkspace effort gains momentum, many AD user accounts will be moved under the MiWorkspace umbrella.

Moving an AD user from People to a delegated OU

To move a user from the People OU to your delegated OU, just add the uniqname of the user to the _MoveToDelegatedOU group, which is located in your Accounts delegated OU. The move should take no longer than 10 minutes, and usually happens within 5. If you have signed up for email notifications, as outlined in the Preliminary Setup section, an email should then arrive in your inbox confirming the move.

Be aware that several user attributes are cleared when moving users back to the People OU. Cleared fields include the delegated OU admin writable fields such as user home folder and profile paths, as well as Microsoft Exchange user attributes (Exchange mailboxes will be disconnected).

Moving an AD user from a delegated OU to the People OU

To move a user from your delegated OU to the People OU, just add the uniqname of the user to the _MoveToPeopleOU group, which is located in your Accounts delegated OU. The move should take no longer than 10 minutes, and usually happens within 5. If you have signed up for email notifications, as outlined in the Preliminary Setup section, an email should then arrive in your inbox confirming the move.

Error Conditions

If the user account to be moved is not in the expected OU, an error message will be generated as part of the notification email. For example, if you add a uniqname account to the _MoveToDelegatedOU group, that account is expected to be located in the People OU before the move. If the account is located in some other delegated OU, the move will fail. To remedy this situation, contact the admins of the delegated OU currently holding the AD user, and ask them to move this user back to the People OU.

In all cases, accounts that have been added as members of the _MoveToPeopleOU or _MoveToDelegatedOU groups will be removed from those groups after the move has been attempted. This prevents race conditions, which could occur when a move fails, and is normal procedure when a move succeeds.
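
The expected-OU rule described above can be checked before an account is added to the move group. The following PowerShell is an added example, not part of the original procedure: it assumes the ActiveDirectory module (RSAT) is installed and that the uniqname is the account's sAMAccountName, and the function names and all distinguished names shown are placeholders.

```powershell
# Added example: pre-flight check before requesting a People -> delegated OU move.
# Assumptions: RSAT ActiveDirectory module; uniqname equals sAMAccountName;
# both DNs passed in are placeholders supplied by the caller.
Import-Module ActiveDirectory

function Test-MoveSource {
    # True when the account sits directly in the OU the move expects.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$ExpectedParentDN
    )
    # Drop the leading RDN (CN=...) by splitting on the first unescaped comma.
    $parent = ($DistinguishedName -split '(?<!\\),', 2)[1]
    return $parent -ieq $ExpectedParentDN
}

function Request-MoveToDelegatedOU {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Uniqname,
        [Parameter(Mandatory)][string]$PeopleOU,      # DN of the People OU
        [Parameter(Mandatory)][string]$MoveGroupDN    # DN of your _MoveToDelegatedOU group
    )
    # Throws if the account does not exist.
    $user = Get-ADUser -Identity $Uniqname -ErrorAction Stop

    if (-not (Test-MoveSource $user.DistinguishedName $PeopleOU)) {
        # The move would fail: the account is held by another OU.
        Write-Warning "$Uniqname is in '$($user.DistinguishedName)', not People; contact that OU's admins."
        return $false
    }
    # Already queued? Adding the same member again would raise an error.
    $queued = Get-ADGroupMember -Identity $MoveGroupDN |
        Where-Object { $_.distinguishedName -eq $user.DistinguishedName }
    if ($queued) { return $true }

    if ($PSCmdlet.ShouldProcess($Uniqname, "Add to $MoveGroupDN")) {
        Add-ADGroupMember -Identity $MoveGroupDN -Members $user -ErrorAction Stop
    }
    return $true
}

# Placeholder values; replace with your own DNs. -WhatIf previews without changing the group.
# Request-MoveToDelegatedOU -Uniqname 'exampleuser' `
#     -PeopleOU 'OU=People,DC=example,DC=edu' `
#     -MoveGroupDN 'CN=_MoveToDelegatedOU,OU=Accounts,OU=ExampleUnit,DC=example,DC=edu' -WhatIf
```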

Reporting Problems

If you run into problems moving AD users, please contact the ITS Service Center.