Requesting a delegated OU is a common way of making use of the automatically-provisioned Windows user accounts that correspond to UW NetIDs (hereafter referred to as NETID user accounts).
After successfully obtaining a delegated OU, joining computers, and configuring your resources with the appropriate access controls, you will be able to tell your clients to login with NETID user accounts to obtain access to your Windows-based resources.
Preparing to Make a Decision
- Review benefits of a Delegated OU and decide whether you want one.
- Understand the practices surrounding Delegated OUs.
- Understand the landscape of MI: NETID users, NETID groups, and MI Policy.
- Pay special attention to NETID user limitations and Managing NETID user attributes to understand what user management capabilities you will have.
- Review common ways you might use a Delegated OU.
Requesting a Delegated OU
- Determine the name of the OU you’d like to obtain. We strongly recommend you pick a name 7 characters or less.
- Determine the computer name reservations you’d like to request, after reviewing how MI computer naming works.
- Request your Delegated OU.
- Notable pre-requisites include: the UW NetID for a computing director or equivalent, desired OU name, and desired computer namespace reservations.
- As part of the request process, your OU administrators will need to enroll in Duo 2-factor authentication (2FA) and create an Admin UW NetID.
Using Your Delegated OU
Things to review when you are getting started:
- Adapt your approach to administration by using the right tools and tips.
- Consider requesting a UW NetID Computing Support Org to be able to manage MI user attributes and other delegated OU settings.
- Review the Domain Migration Blueprint to find out how to migrate an existing Windows domain into your new OU.
- If your computers have firewalls, ensure that the firewalls do not restrict access to MI.
- Add computers to the NETID domain the correct way. See Adding a Computer to a Delegated OU and Unix, Linux, and Mac Integration.
- If needed, make use of the Delegated OU Computer Groups to replace Domain Computers.
- If desired, read about Using BitLocker on computers in your Delegated OU.
- For workstations in your Delegated OU that need DDNS services, consider using MI DDNS.
- Consider using Group Managed Service Accounts (gMSAs) for your service account needs.
- If you accidentally delete something in your OU, you can request an Item Level Restore.
- If you accidentally lock yourself out of a computer, you can review this helpful FAQ
- Review the FAQ on Delegated OUs for questions that might help you.
- Enjoy UW NetID based login to your workstations and servers!
Useful capabilities provided to Delegated OU customers:
- Domain migration blueprint
- PowerShell script to add a computer object
- Unix integration guidance.
- Delegated OU Computer Groups, i.e. a group with all computers in your OU.
- BitLocker guidance.
- Dynamic DNS services for workstations.
- Group Managed Service Accounts (gMSAs) for your service account needs.
- Some delegated Service Principal Name privileges.
- AD item Level Restore, if you accidentally delete something in your OU
- Active Directory Certificate Services for automated certificate issuance for use cases internal to the UW
- Domain-based DFS Namespace services for file service publishing