University of Oregon

Systems - FAQ - Active Directory

How do I join a computer to the AD domain?

To add a computer to the domain, a few short steps must be taken to pre-create the computer object in your unit’s Computers OU. This can be done in the following way:

  1. Open Active Directory Users and Computers
  2. Go to your unit’s Computers OU
  3. Create a new computer object with the name of the computer you want to join.

Once complete, you will be able to join the computer to the domain with your admin credentials.

If you’ve tried domain joining a computer prior to creating the computer object, you may have seen the cryptic error message “You have exceeded the maximum number of computer accounts you are allowed to create in this domain.” This is an indication that the computer object has not been created.

The reason for the pre-creation step stems from an issue with delegation. Without pre-creating the computer accounts, the computer objects would all end up in the top-level Computers OU, where we can’t delegate department access. You would then be able to join the computer to the domain, but it wouldn’t get any of your unit’s policies until it was moved into your OU by an enterprise admin.
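The three ADUC steps above and the join itself, scripted as an added example (not the University's own tooling and not part of this FAQ). The OU distinguished name, the sample computer name and the admin account name are placeholders; the domain name ad.uoregon.edu is taken from the address list later on this page, and RSAT's ActiveDirectory module is assumed on the admin workstation. The check in the middle is the part worth keeping: it catches an object that already exists somewhere other than your OU before the join is attempted.

```powershell
# Added example, not the University's own tooling: pre-create the computer object in a
# unit's Computers OU, confirm it sits there, then join the machine to the domain.
# Assumptions (placeholders, adjust to your unit): the OU path below, the admin account
# name, and that RSAT's ActiveDirectory module is installed on the admin workstation.
Import-Module ActiveDirectory

$ComputerName = 'UNIT-WS001'                                    # constructed sample name
$UnitOU       = 'OU=Computers,OU=UNIT,DC=ad,DC=uoregon,DC=edu'  # placeholder DN of your unit's Computers OU
$Domain       = 'ad.uoregon.edu'                                 # domain name as used on this page

# 1. Pre-create the object where your delegation applies (ADUC steps 1-3 above).
if (-not (Get-ADComputer -Filter "Name -eq '$ComputerName'" -ErrorAction SilentlyContinue)) {
    New-ADComputer -Name $ComputerName -SamAccountName $ComputerName -Path $UnitOU -Enabled $true
}

# 2. Check before joining: the object must exist and sit under your OU. Otherwise the join
#    either fails with the "maximum number of computer accounts" message the page quotes,
#    or the machine lands in the top-level Computers OU where your unit's policies do not apply.
$obj = Get-ADComputer -Identity $ComputerName
if ($obj.DistinguishedName -notlike "*,$UnitOU") {
    throw "$ComputerName exists at $($obj.DistinguishedName), not under $UnitOU"
}

# 3. Run on the workstation being joined, with your unit admin credentials.
#    -OUPath must match the OU where the object was pre-created.
Add-Computer -DomainName $Domain -OUPath $UnitOU `
    -Credential (Get-Credential "$Domain\unitadmin") -Restart   # 'unitadmin' is a placeholder
```

Steps 1 and 2 run from the admin workstation; step 3 runs on the machine being joined. If the machine already has an account in another OU, the script stops at step 2 rather than producing a joined computer that silently misses your GPOs.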

How do I add Send As permissions to my users?

To add Send As privileges to a user mailbox, please perform the following steps:

  1. Create a Group in your OU with a name similar to ‘IS.EXCH.[USERNAME].SendAs’ or identify an existing Group for this purpose. The [USERNAME] should match the username of the account you are adding Send As privileges on.
  2. Submit a ticket to adhelp@ithelp.uoregon.edu specifying the user you want changed and the group that will get access to Send As that user.

Unfortunately, we are not able to delegate access to the Send As permission on Managed user objects. However, using a group to define these Send As permissions helps to minimize this added step. This allows you to control who gets Send As access in the future by simply managing the membership of the group. Additionally, using a group is beneficial in the long term because it will minimize the presence of orphaned permissions set on user objects if a Send As enabled user leaves the university.
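The group-based Send As arrangement above as an added example (not the University's own script or ticket workflow). It creates the per-user group, manages membership, and audits which principals actually hold Send As on the mailbox. Assumptions: RSAT's ActiveDirectory module; the Exchange Management Shell of the same generation as the Exchange Management Console steps later on this page for the permission cmdlets; the OU DN, the delegate name and the 'IS' prefix are placeholders, and the Add-ADPermission call is assumed to be what the central team performs in response to the ticket, since OU admins cannot set it on Managed objects.

```powershell
# Added example, not the University's own script: create the per-user Send As group the
# page describes, manage its membership, and audit who holds Send As on the mailbox.
# Assumptions: RSAT ActiveDirectory module; Exchange Management Shell for Add-/Get-ADPermission;
# the OU DN, delegate name and 'IS' prefix are placeholders.
Import-Module ActiveDirectory

$UnitOU    = 'OU=Groups,OU=UNIT,DC=ad,DC=uoregon,DC=edu'  # placeholder DN of your unit's Groups OU
$Target    = 'bsmith'                                     # mailbox user gaining delegates (sample name from the page)
$Delegate  = 'jdoe'                                       # constructed sample delegate
$GroupName = "IS.EXCH.$Target.SendAs"                     # naming pattern from the page; 'IS' is an example prefix

# 1. Create (or reuse) the group and add the delegate. Membership is the only thing you
#    need to touch later; the permission itself stays bound to the group, so nothing is
#    left behind on the user object when a delegate leaves.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope Universal `
        -GroupCategory Security -Path $UnitOU `
        -Description "Send As delegates for $Target (grant applied by AD team via adhelp ticket)"
}
Add-ADGroupMember -Identity $GroupName -Members $Delegate

# 2. The step the ticket asks the central team to perform on the Managed user object
#    (assumption: this is the cmdlet they use; OU admins cannot run it on Managed objects).
Add-ADPermission -Identity $Target -User $GroupName -ExtendedRights 'Send-As'

# 3. Audit: every explicit, non-inherited Send As grant on the mailbox. Anything listed
#    that is not the group is an orphaned or out-of-pattern permission worth cleaning up.
Get-ADPermission -Identity $Target |
    Where-Object { ($_.ExtendedRights -like '*Send-As*') -and -not $_.IsInherited -and -not $_.Deny } |
    Select-Object User, ExtendedRights, IsInherited
```

Step 3 is the part an OU admin can run at any time; it is the quickest way to confirm that the ticket was actioned against the group rather than against an individual account.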

A user is not in my department OU. How do I grant access to my services?

Adding access to resources like file shares and printers is as easy as adding the user to one of your groups! Users do not need to reside in your OU for you to grant them access via groups. Administrators in other departments will be able to grant your users access to their resources without affecting your security settings. You will not be able to apply a regular user group policy to users outside of your OU, but you can set user policies on your computer objects as described next.

How can I apply Group Policy to users that aren’t in my OU?

Since you can’t necessarily depend on having 100% of your users residing in your OU at any given time, the answer is to apply all of your group policies to your computers.  With loopback processing enabled in the GPO (Computer Configuration > Policies > Administrative Templates > System > Group Policy > User Group Policy loopback processing mode), the user settings will apply to any user who logs on to the computer, based on the GPOs attached to the computer.  Other Administrators will be able to set their own policies for users logging on to their computers without affecting your environment.
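The loopback configuration described above, as an added example (not the University's own GPO or script): it creates a GPO, sets the loopback mode through the registry-backed policy value that the "User Group Policy loopback processing mode" setting writes, and links the GPO to the unit's Computers OU rather than to a users OU. Assumptions: RSAT's GroupPolicy module, and the GPO name and OU DN are placeholders.

```powershell
# Added example, not the University's own script: create a GPO, enable user loopback
# processing, and link it to the unit's Computers OU so the GPO's user settings follow any
# user logging on to those machines.
# Assumptions: RSAT GroupPolicy module; the GPO name and OU DN are placeholders.
Import-Module GroupPolicy

$GpoName = 'UNIT-Workstations-UserSettings'                 # constructed sample GPO name
$UnitOU  = 'OU=Computers,OU=UNIT,DC=ad,DC=uoregon,DC=edu'   # placeholder DN of your unit's Computers OU
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# "User Group Policy loopback processing mode" is stored as UserPolicyMode under $PolicyKey:
#   1 = Merge   (the user's own GPOs apply first, then the computer-linked user settings win on conflict)
#   2 = Replace (only GPOs linked to the computer supply user settings)
# Replace matches the page's description most closely; Merge also works if you want the
# user's home-OU settings layered underneath yours.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# Link to the computers OU, not a users OU: that is the whole point of loopback here.
$alreadyLinked = (Get-GPInheritance -Target $UnitOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) { New-GPLink -Name $GpoName -Target $UnitOU -LinkEnabled Yes | Out-Null }

# Verify the value landed in the GPO; clients pick it up at the next refresh (gpupdate /force).
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'UserPolicyMode'
```

Put your user-side settings (Computer Configuration for the loopback switch, User Configuration for everything else) into this same GPO or into others linked to the same OU; settings in GPOs linked only to a users OU are unaffected by this change.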

After migration, my name changed in the Global Address Book. How do I change it back?

See "How do I change my display name?" below.

I received a non-conforming object name report and I have non-conforming (users/computers/servers/groups/GPOs). What do I do?

To avoid naming conflicts between the numerous campus departments and systems that utilize Active Directory, we have developed a section in our administration guide regarding object naming conventions for OU Administrators to follow. The AD Administrators guide can be found at https://it.uoregon.edu/system/files/UO_AD_Admin_Guide_v2.2.pdf.

If you receive a report alerting you to non-conforming objects, these should be fixed as soon as possible. What you can do to fix an object that does not conform to the naming conventions depends on the type of object.

For Unmanaged Users, Groups, Computers, Servers and GPOs, changing the object’s name to start with your OU prefix and a dash or period will satisfy minimum requirements.

Unmanaged User accounts also have the option to request a DuckID account matching the username of the unmanaged account. To make this request, send an email to adhelp@ithelp.uoregon.edu as this process requires coordination of several groups to complete successfully.

Changing the object name of GPOs will not affect their application and can be done at any time.

Changing the object name of a Group will not affect any existing permissions set with this group though may cause issues with some systems.

Changing Unmanaged usernames or server names may require significant planning to avoid service outages.
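A way to find non-conforming objects yourself before the report arrives, as an added example (not the University's own report script). It checks users, groups and computers under your OU, plus GPOs linked anywhere within it, against the minimum rule stated above: a name starting with your OU prefix followed by a dash or period. Assumptions: RSAT's ActiveDirectory and GroupPolicy modules; the prefix, the OU DN and the managed-user OU used for the exclusion are placeholders, and the exclusion itself assumes that Managed DuckID accounts, whose names are assigned centrally, are out of scope for renaming.

```powershell
# Added example, not the University's non-conforming object report: list users, groups and
# computers under an OU, plus GPOs linked within it, whose names do not start with the OU
# prefix followed by '-' or '.'.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules; prefix, OU DN and managed-user
# OU are placeholders; Managed (DuckID) users are skipped because their names are set centrally.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-NonConformingObject {
    param(
        [Parameter(Mandatory)][string]$Prefix,      # your OU prefix, e.g. 'UNIT' (placeholder)
        [Parameter(Mandatory)][string]$SearchBase,  # DN of your unit's OU (placeholder)
        [string]$ManagedUserOU                      # DN of the managed-user OU to skip (placeholder)
    )
    # Minimum requirement as the page states it: "<prefix>-" or "<prefix>." at the start.
    $pattern = '^' + [regex]::Escape($Prefix) + '[-.]'

    $found = @()
    $found += Get-ADUser     -SearchBase $SearchBase -Filter * | Select-Object @{n='Type';e={'User'}},     Name, DistinguishedName
    $found += Get-ADGroup    -SearchBase $SearchBase -Filter * | Select-Object @{n='Type';e={'Group'}},    Name, DistinguishedName
    $found += Get-ADComputer -SearchBase $SearchBase -Filter * | Select-Object @{n='Type';e={'Computer'}}, Name, DistinguishedName

    # GPOs do not live in the OU tree; collect the ones linked to the OU or any OU beneath it.
    $found += Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * |
        ForEach-Object { (Get-GPInheritance -Target $_.DistinguishedName).GpoLinks } |
        Sort-Object -Property GpoId -Unique |
        Select-Object @{n='Type';e={'GPO'}}, @{n='Name';e={$_.DisplayName}}, @{n='DistinguishedName';e={$_.Target}}

    $found |
        Where-Object { -not ($ManagedUserOU -and $_.Type -eq 'User' -and $_.DistinguishedName -like "*,$ManagedUserOU") } |
        Where-Object { $_.Name -notmatch $pattern }
}

# Constructed sample call. Work through the result with the page's ordering in mind: GPOs are
# safe to rename at any time, groups usually are, servers and unmanaged usernames need planning.
Get-NonConformingObject -Prefix 'UNIT' -SearchBase 'OU=UNIT,DC=ad,DC=uoregon,DC=edu' `
    -ManagedUserOU 'OU=Managed,OU=UNIT,DC=ad,DC=uoregon,DC=edu' |
    Sort-Object Type, Name | Format-Table -AutoSize
```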

How do I change my display name?

Display Name changes (example: Robert Smith -> Bob Smith), displayed in the Global Address List / Outlook / Offline Address Book, must be done by Payroll via the following form: http://ba.uoregon.edu/sites/ba.uoregon.edu/files/forms/pfn.pdf

Note: Users that require an account name change, most commonly due to marriage, should coordinate the process through their departmental IT office to ensure all changes needed to the AD object are made. Failure to make appropriate changes will interrupt mail flow for the specified user.

How do I change my Managed Account (duckid) Name?

  1. Contact Account Administrators (account@ithelp.uoregon.edu) to request the name change.
  2. Immediately following the completion of the change in IDM, the Organizational Unit (OU) Administrator will receive an automatically generated message from the Account Administrators entitled "University of Oregon Username Changed", which contains both the old and new account names.
  3. In Active Directory Users and Computers (ADUC), search for the user and display its properties.
    • If the Home folder value is populated in the Profile tab, change the home folder to match the new username.
      • This step creates a new directory, so be sure to migrate files after creation.
  4. An alias will be set up to route mail from the user's previous duckid to the new one. This will remain in place for 90 days.
  5. If the user has an Exchange mailbox, follow the Exchange steps (below).

How do I Change an Un-Managed Account to a Managed Account (duckid)?

  1. Rename the existing AD object to avoid a conflict with the new account (example: bsmith -> bsmith01).
  2. Request creation of a managed DuckID (with Active Directory access) with the original name (example: bsmith) by contacting the Account Admins (account@uoregon.edu).
  3. Delete the new DuckID in AD that was provisioned in Step 2 (example: bsmith).
  4. Rename the Un-Managed account to the Managed account's name (example: bsmith01 -> bsmith).
  5. In Active Directory Users and Computers (ADUC), move the renamed account into the appropriate managed OU.
  6. Follow the Exchange steps (below) if an Exchange mailbox is present.

Exchange Account Rename Procedure

  1. Open up the Exchange Management Console, expand Recipient Configuration, click Mailbox
  2. In the right pane, choose Find. Search for the user using the old account name and open the user's properties.
  3. In the General tab, change the Alias to the new account name
  4. In the Account tab, change both the "User Login Name" and the "User Login Name (Pre-Windows 2000)" fields to the new account name
  5. In the Email Addresses tab you should see entries for the new account name that look like the following:
    • <newaccountname>@uoregon.edu
    • <newaccountname>@ad.uoregon.edu
    • <newaccountname>@legacy.uoregon.edu
    • <newaccountname>@forest.uoregon.edu
    • The primary SMTP address (shown in bold) should be <newaccountname>@uoregon.edu.
  6. Delete all old Email Addresses that point to the old User Name as they are no longer needed
    • Within Exchange, the X400 LegacyDN account information maintains mail flow as intended.
    • On the border between the Unix mail system and the public Internet, mail flow is handled with a temporary mapping entry (virt table entry). This temporary entry maps the old mail account address (e.g. oldname@uoregon.edu) to the new mailbox address (newname@uoregon.edu). This mapping preserves delivery of mail bound for the old address. This mapping is usually left in place for three (3) months.
  7. Close the Exchange Management Console
  8. Send test emails to the old and new addresses to make sure that mail flow works as expected.
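The Exchange Management Console steps above as Exchange Management Shell and ActiveDirectory cmdlets, with the checks the GUI steps imply, as an added example (not the University's own procedure script). Assumptions: an Exchange Management Shell of the same generation as the console described above (the hashtable form of -EmailAddresses needs Exchange 2010 SP1 or later), RSAT's ActiveDirectory module, a UPN suffix placeholder of uoregon.edu (use whatever the "User Login Name" field shows in ADUC), and, as the page states, that mail to the old address keeps flowing through the X400/LegacyDN entry and the border mapping rather than through the SMTP proxies being removed.

```powershell
# Added example, not the University's own procedure: steps 3-6 and 8 of the rename above as
# cmdlets, keeping the X400/X500 entries and verifying the primary SMTP address before any
# removal.
# Assumptions: Exchange Management Shell (2010 SP1+ for the -EmailAddresses hashtable), RSAT
# ActiveDirectory module; the UPN suffix is a placeholder; names are the page's sample values.
Import-Module ActiveDirectory

$Old       = 'bsmith01'      # sample names from the page's examples
$New       = 'bsmith'
$UpnSuffix = 'uoregon.edu'   # placeholder: match the "User Login Name" suffix shown in ADUC

# Pin the object by DN first so renaming sAMAccountName does not break later lookups.
$dn = (Get-ADUser -Identity $Old).DistinguishedName

# Step 4: both login names (UPN = "User Login Name", sAMAccountName = pre-Windows 2000 name).
Set-ADUser -Identity $dn -SamAccountName $New -UserPrincipalName "$New@$UpnSuffix"

# Step 3: alias. With an address policy in effect this regenerates the <new>@... entries
# listed in step 5.
Set-Mailbox -Identity $dn -Alias $New

# Step 5 check: the primary SMTP address must already be <new>@uoregon.edu. Stop if it is not,
# rather than removing the old addresses from a mailbox whose primary is still wrong.
$mbx = Get-Mailbox -Identity $dn
if ($mbx.PrimarySmtpAddress.ToString() -ne "$New@uoregon.edu") {
    throw "Primary SMTP is $($mbx.PrimarySmtpAddress); correct it before removing old addresses"
}

# Step 6: remove only SMTP proxies that still carry the old name. X400/X500 entries stay;
# the page notes the LegacyDN is what keeps internal mail flow intact.
$stale = $mbx.EmailAddresses | Where-Object {
    $_.PrefixString -eq 'smtp' -and $_.AddressString -like "$Old@*"
}
if ($stale) { Set-Mailbox -Identity $dn -EmailAddresses @{ remove = $stale } }

# Step 8: review what remains, then send test mail to the old address (still mapped at the
# border for about three months) and to the new one.
(Get-Mailbox -Identity $dn).EmailAddresses | Select-Object PrefixString, AddressString
```

The throw in the middle is deliberate: if the address policy did not produce the expected primary address, the old SMTP entries are the only ones still delivering mail, and removing them at that point is what causes the outage the page warns about.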