How-to Organizational Units (OUs)

In this how-to, you will learn how the University Computing Centre sets up organizational units within the domain ad.uni-heidelberg.de for EDP representatives. It also explains how to join a computer to the domain once an account has been created.

The University Computing Centre can set up institute organizational units (OU) within the domain ad.uni-heidelberg.de. The institute itself is responsible for this OU, all objects that fall under it and any group policy objects that may be linked to it; however, user accounts must comply with the conventions outlined below.

Target group

EDP representatives who need their own connection as an organizational unit (OU) to the Windows Active Directory domain

Use

On request via the IT Service, the URZ sets up the institute OU under the OU institute, using the institute abbreviation as its name. The request should include the institute abbreviation and the user ID that will be used for OU administration. This user ID must correspond to the name of the EDP representative. The URZ then issues the institute OU administrator ID with all the rights required for OU administration. In addition, the URZ will use the associated email address for all notifications concerning the OU.

The institute OU is accessed through a console provided by the URZ, which runs on the terminal server ts-mita.ad.uni-heidelberg.de (log in with the institute OU administrator's ID via Remote Desktop Connection). The institute OU administrator can create additional OUs under the institute OU.

Conventions for user accounts

Institutes can create their own user accounts in their institute OU, e.g. for guests. These users are not authorized to use URZ resources. Specifically, they are not allowed to print on URZ printers and do not receive disk space (no home directory), a profile or an URZ email address. Therefore, if you anticipate that the user will need URZ resources, we recommend applying for a regular user ID.

The following rules apply to user accounts:

  1. They must have at least 4 characters.
  2. Legally protected names may not be used.

Computer accounts

Computers can be incorporated into the domain. However, an account for the computer must first be created in the domain. You will find the menu item to set this up in the console provided by the URZ.

Please ensure that all PCs are registered in the name service, with a name of the form <computer name>.<suffix>, where the suffix is <institute abbreviation>.uni-heidelberg.de. If you want to register a PC, please send a request to the IT Service.

After the accounts have been created, each computer still needs to be joined to the domain:

1. Computer -> right click -> Properties -> Computer Name -> Change...

2. Enter the computer name. It is important that the computer name be identical to the computer name you provided above when creating the computer account.

3. Restart, so the name change will take effect.

Screenshot: Anleitung_OrganisationalUnits_Schritt1

4. Go again to Computer -> right click -> Properties -> Computer Name -> Change... Now click the “Domain” button and enter ad.uni-heidelberg.de.

Screenshot: Anleitung_OrganisationalUnits

5. Under More... enter the suffix and uncheck the box next to Change primary DNS suffix when domain membership changes. As of Windows 7, PCs can only log on to the domain with the default suffix. This means that you must first log on, reboot and then change the suffix and remove the checkmark.

6. Click OK.

7. You will be asked for a user ID (the institute OU administrator ID) and password.

8. After a moment, you will be greeted by the domain and prompted to restart.

Screenshot: Anleitung_OrganisationalUnits

Group policies are set by the institute administrators themselves. However, standard policies, e.g. the automatic download of Windows updates, can also be set up by the URZ after consultation. In addition, the existing policies in the AD can be adopted by the institute OUs. However, we recommend that you carefully test how these policies affect the institute PCs. Please note how group policies work: they are linked to an OU and therefore apply to the objects contained in that OU. Despite the name, they have nothing to do with groups.

There are different policy templates for computers and for users. The former can be found under Computer Configuration, the latter under User Configuration. Therefore, if you set one of the policies in User Configuration, it will affect all users in the OU to which you link the policy (or the Group Policy Object). If there are only computers in the OU in question, the policy will have no effect.

Screenshot: Anleitung_OrganisationalUnits
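
The mismatch described above (user settings linked to an OU that holds only computers, or the reverse) can be checked by script before a policy is relied on. The following PowerShell is an added example, not part of the URZ instructions: the function name, the sample GPO names and the sample objects are constructed, and it assumes that loopback processing is not in use.

```powershell
# Added example: report GPO links whose edited half (User or Computer
# Configuration) has no matching objects in the OU, so it has no effect there.
# Assumption: loopback processing is not enabled for the computers in the OU.

function Get-IneffectiveGpoLink {
    param(
        [Parameter(Mandatory)] [object[]] $OuObjects,   # need an ObjectClass property
        [Parameter(Mandatory)] [object[]] $LinkedGpos   # DisplayName, UserVersion, ComputerVersion
    )
    $userCount     = @($OuObjects | Where-Object ObjectClass -eq 'user').Count
    $computerCount = @($OuObjects | Where-Object ObjectClass -eq 'computer').Count

    foreach ($gpo in $LinkedGpos) {
        # A version above 0 means that half of the GPO has been edited at least once.
        if ($gpo.UserVersion -gt 0 -and $userCount -eq 0) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Half = 'User Configuration'
                               Reason = 'OU contains no user objects' }
        }
        if ($gpo.ComputerVersion -gt 0 -and $computerCount -eq 0) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Half = 'Computer Configuration'
                               Reason = 'OU contains no computer objects' }
        }
    }
}

# Constructed sample: an institute OU that contains only two PCs.
$sampleObjects = @(
    [pscustomobject]@{ Name = 'PC01'; ObjectClass = 'computer' }
    [pscustomobject]@{ Name = 'PC02'; ObjectClass = 'computer' }
)
$sampleGpos = @(
    [pscustomobject]@{ DisplayName = 'Sample-WindowsUpdate';   UserVersion = 0; ComputerVersion = 3 }
    [pscustomobject]@{ DisplayName = 'Sample-DesktopLockdown'; UserVersion = 5; ComputerVersion = 0 }
)
Get-IneffectiveGpoLink -OuObjects $sampleObjects -LinkedGpos $sampleGpos

# Against the live domain (ActiveDirectory and GroupPolicy modules required):
# $ou   = '<distinguished name of your institute OU>'   # placeholder
# $objs = Get-ADObject -SearchBase $ou -SearchScope Subtree `
#             -LDAPFilter '(|(objectClass=user)(objectClass=computer))'
# $gpos = (Get-GPInheritance -Target $ou).GpoLinks | ForEach-Object {
#     $g = Get-GPO -Guid $_.GpoId
#     [pscustomobject]@{ DisplayName = $g.DisplayName
#                        UserVersion = $g.User.DSVersion; ComputerVersion = $g.Computer.DSVersion }
# }
# Get-IneffectiveGpoLink -OuObjects $objs -LinkedGpos $gpos
```

With the sample data only Sample-DesktopLockdown is reported, because its User Configuration settings find no user objects in the OU. The subtree search in the commented live query also counts objects in OUs created below the institute OU.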