Active Directory FAQ

Overview 

This article contains information regarding common questions and processes for Active Directory that is primarily directed to UO IT staff.  

Information

How do I join a computer to the domain?

To add a computer to the domain, a few short steps must be taken to pre-create the computer object in your unit’s Computers OU. This can be done in the following way:

1. Open Active Directory Users and Computers.
2. Go to your unit’s Computers OU.
3. Create a new computer object with the name of the computer you want to join.

Once complete, you will be able to join the computer to the domain with your admin credentials.

If you’ve tried domain joining a computer prior to creating the computer object, you may have seen the cryptic error message You have exceeded the maximum number of computer accounts you are allowed to create in this domain. This is an indication that the computer object has not been created.

The reason for the pre-creation step stems from an issue with delegation. Without pre-creating the computer accounts, the computer objects would all end up in the top-level Computers OU, where we can’t delegate department access. You would then be able to join the computer to the domain, but it wouldn’t get any of your unit’s policies until it was moved into your OU by an enterprise admin.

How do I add Send As permissions to my users?

To add Send As privileges to a user mailbox, please perform the following steps:

1. Create a group in your OU with a name similar to IS.EXCH.[USERNAME].SendAs or identify an existing group for this purpose.
   • [USERNAME] should match the username of the account you are adding Send As privileges on (like a Duck ID).
2. Submit a ticket via the Email and Calendar Help service.

Unfortunately, we are not able to delegate access to the Send As permission on Managed user objects. However, using a group to define these Send As permissions helps to minimize this added step. This allows you to control who gets Send As access in the future by simply managing the membership of the group.

Additionally, using a group is beneficial in the long term because it will minimize the presence of orphaned permissions set on user objects if a Send As enabled user leaves the university.

A user is not in my department OU. How do I grant access to my services?

Adding access to resources like file shares and printers is as easy as adding the user to one of your groups! Users do not need to reside in your OU for you to grant them access via groups.  Administrators in other departments will be able to grant your users access to their resources without affecting your security settings. You will not be able to apply a regular user group policy to users outside of your OU, but you can set user policies for on your computer objects as described next.

How can I apply Group Policy Objects (GPOs) to users that aren’t in my OU?

Since you can’t necessarily depend on having 100% of your users residing in your OU at any given time, the answer is to apply all of your group policies to your computers. With loopback processing enabled in the GPO, the user settings will apply to any user who logs on to the computer, based on the GPOs attached to the computer. Other Administrators will be able to set their own policies for users logging on to their computers without affecting your environment.

How to enable loopback processing:

1. Select Computer Configuration.
2. Select Policies.
3. Select Administrative Templates.
4. Select System.
5. Select Group Policy.
6. Select User Group Policy loopback processing mode.

How do I change my display name?

For information on preferred names or changing directory information, please see our Updating your Directory Information KB article.