At Yale, complete administrative authority
over an OU is delegated to designated individuals EXCEPT the ability to
add or remove users from their OU.
The process of creating a new OU and
properly delegating the necessary authority is complex so please review
these instructions carefully.
The process of creating and delegating
authority over an OU has four phases: creating the OU (Steps 1-3),
creating the group that will administer it (Steps 4-7), delegating
control of the OU to that group (Steps 8-14), and granting the
designated administrators the ability to create Group Policy Objects
(Step 15).
It is recommended that you WAIT for
about five minutes after each phase so that the changes have replicated
before you proceed to the next phase. If you don't, you may, for
example, be unable to find the group you just created because the
domain controllers (DCs) do not all know about it yet: the console may
have connected to a DC other than the one that received the change.
Below each step is a graphic showing the
screens that should appear.
Step 1: Open
"Active Directory Users and Computers", right-click the container under
which you want to create the new OU (usually the domain root, not ITS as
in the images), and choose "New -> Organizational Unit".

Step 2: Enter a name for the New OU

Step 3: Make sure the newly-created OU is
properly named and in the correct place in the AD structure.

New OUs inherit their administrators
from their parent (the permissions on the parent container are
inherited by the new OU), so if the new OU will not have a different
administrative structure than the container above it, you do not need to
proceed any further.
Step 4:
Right-click on the new OU and choose new->Group:

Step 5: Specify the name and type
for the new group.
The suggested naming format is
"<ou name> Admins", as in the example below, and a "domain local"
security group (instead of the default global group) is highly
recommended.

Step 6: Open the new group by
right-clicking on the group and choosing "Properties" to get this
window.

Step 7: Add the designated
administrators to the group.
Click on the "Members" tab and click on
"Add" to get the following screen.
Enter the NetIDs of the designated
users. It's best to specify the user names in "yale\netid"
format. Once the users are in the group, close the group's
windows to get back to the main console.

Step 8: Begin
delegating control over the OU to the new group.
Right-click on the name of the new OU and
choose "delegate control".

Step 9: The Delegation of Control wizard
opens. Click "Next" to continue.

Step 10: Designate the group(s) to
delegate control to.
The next screen allows you to designate the
group(s) to delegate control to. Use the "Add" button to select
the group that you created to administer the OU. When the group
is listed like the one below, click "Next" to continue.

Step 11: Choose "Create a custom
task to delegate".
We have to do this because "complete"
authority is not delegated over the OU (see the exception stated at the
top of this page), and only the custom task lets you choose exactly
which rights are granted.

Step 12: Select what objects to delegate
control of.
We're giving them control of the OU itself and of everything in
it and below it (all object types, including any sub-OUs they create).

Step 13: Designate the
permissions/rights to be delegated to the OU admins.
THIS IS THE MOST
CRITICAL SCREEN.
The easiest way to get the permissions set
properly is, when the next screen comes up, to check the "Full Control"
box at the top of the lower (white) pane. All of the check boxes in the
upper part should then be selected, and additional check boxes (also
selected) should appear in the bottom part.
There will be a long list (about 30) of
additional check boxes in the open space below. These enumerate
all of the abilities that can be delegated, including the extended
rights such as "Manage Group Policy links". Scroll through the list and
clear any box that grants an action you do not intend to delegate
(under the policy stated at the top of this page, adding and removing
users is not delegated), then confirm that the boxes that remain
checked cover the administrative actions you do want to delegate. Every
box left checked becomes an access control entry on the OU that is
inherited by everything below it, so review the list carefully before
continuing. When you're sure that everything is set properly, click
"Next".

Step 14: Review the final screen of the
wizard.
Members of the designated group now
hold the delegated rights over everything in the OU and below it. But
we're not done yet!
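Steps 1 through 14 can also be scripted, which makes the result reviewable and repeatable. The PowerShell below is an added example and is not part of the original Yale instructions; it is written against the ActiveDirectory module and the AD: provider. Every concrete value in it is an assumption for illustration: the domain DN DC=yu,DC=yale,DC=edu, the domain controller dc1.yu.yale.edu, the OU name "Example Dept", and the NetIDs abc12 and def34. Where the wizard expresses "full control except adding and removing users" by clearing check boxes, this example instead grants full control and adds explicit Deny entries for the "user" object class; that is the example's own choice, not the page's.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the original page): scripted equivalent of Steps 1-14.
  All concrete values below are hypothetical: the domain DN, the DC name,
  the OU name "Example Dept" and the NetIDs abc12 / def34.
#>
param(
    [string]   $OUName      = 'Example Dept',
    [string]   $ParentDN    = 'DC=yu,DC=yale,DC=edu',
    [string[]] $AdminNetIDs = @('abc12', 'def34'),
    [string]   $DC          = 'dc1.yu.yale.edu'
)

Import-Module ActiveDirectory

# Pin every operation to a single DC. This is the scripted form of the page's
# "wait five minutes between phases" advice: when the group is created on the
# same DC that later writes the ACL, the group is already resolvable there.
$PSDefaultParameterValues['*-AD*:Server'] = $DC
if (-not (Get-PSDrive -Name ADpin -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name ADpin -PSProvider ActiveDirectory -Server $DC -Root '' | Out-Null
}

# Steps 1-3: create the OU under the parent (the domain root by default).
$ouDN = "OU=$OUName,$ParentDN"
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OUName'" -SearchBase $ParentDN -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $OUName -Path $ParentDN -PassThru
}

# Steps 4-7: "<ou name> Admins" as a domain local security group inside the OU,
# then add the NetIDs (sAMAccountNames) that are not already members.
$groupName = "$OUName Admins"
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ouDN -SearchScope OneLevel
if (-not $group) {
    $group = New-ADGroup -Name $groupName -Path $ouDN -GroupScope DomainLocal `
                         -GroupCategory Security -PassThru
}
$existing = (Get-ADGroupMember -Identity $group).SamAccountName
$toAdd = $AdminNetIDs | Where-Object { $_ -notin $existing }
if ($toAdd) { Add-ADGroupMember -Identity $group -Members $toAdd }

# Steps 8-14: write the delegation as ACEs on the OU.
$ouPath     = "ADpin:\$ouDN"
$acl        = Get-Acl -Path $ouPath
$sid        = [System.Security.Principal.SecurityIdentifier] $group.SID
$inheritAll = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descend    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow      = [System.Security.AccessControl.AccessControlType]::Allow
$deny       = [System.Security.AccessControl.AccessControlType]::Deny
$rights     = [System.DirectoryServices.ActiveDirectoryRights]

# Step 13 "Full Control" on this object and all descendants is GenericAll, inherited.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::GenericAll, $allow, $inheritAll)))

# Page policy: OU admins may not add or remove users. Deny CreateChild/DeleteChild
# for the "user" class (schemaIDGUID bf967aba-0de6-11d0-a285-00aa003049e2) on the
# OU and every container below it. Explicit and inherited Deny entries are
# evaluated before the matching Allow entries, so this overrides GenericAll.
$userClass = [Guid] 'bf967aba-0de6-11d0-a285-00aa003049e2'
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::CreateChild -bor $rights::DeleteChild), $deny, $userClass, $inheritAll)))

# A user object can also be removed through the Delete right on the object itself,
# which inherited GenericAll would grant. Deny Delete/DeleteTree on descendant
# user objects (inheritedObjectType = user) so that path is closed as well.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::Delete -bor $rights::DeleteTree), $deny, $descend, $userClass)))

Set-Acl -Path $ouPath -AclObject $acl

# Read the result back: this is the check to run before telling the new admins
# they have control. Rows with IsInherited = True came from the parent container.
function Get-DelegatedAces {
    param([string] $Path, [System.Security.Principal.SecurityIdentifier] $Sid)
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid
        } |
        Select-Object AccessControlType, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType, IsInherited
}
Get-DelegatedAces -Path $ouPath -Sid $sid | Format-Table -AutoSize
```

Run it as an account that already has the right to create objects under the parent container (at Yale, per the page, that is a domain-level administrator). The wizard in Steps 8-14 only ever writes Allow entries; the two Deny entries here are the example's way of encoding the exception at the top of the page, and the final listing is where you confirm that what was written matches what you intended, including rights the OU inherited from its parent.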
Step 15: Give
designated individuals the ability to create new Group Policy Objects.
The ability to create a new Group Policy Object,
for non-administrators, is based on membership in a special group
called "Group Policy Creator Owners". Users in this group are
allowed to create new GPOs anywhere in the domain and receive full edit
rights on the GPOs they create. Linking a GPO to the OU is a separate
right, "Manage Group Policy links", which is one of the items delegated
on the OU in Step 13.
Without membership in this group, users will be able to click the "New"
button on a container's Group Policy tab but will get an
"Access is denied" error when they do.
Members can only be added to this group
by domain-level administrators, and by default the designated
administrators of a top-level OU are placed in this group at the time
the OU is created. If other individuals need to be given this
privilege, please email w2k-general@yale.edu.
The group itself is in the "Users"
container of the yu domain, buried amongst all of the other users and
groups at Yale, so the easiest way to get to it is to use the "Find..."
command on the right-click menu and enter "Group Policy" for the name,
as in the screen below. Then bring up the properties for the
group and add the NetIDs of the proper individuals to the group.
