What is Active Directory?
Active Directory is a database of users and network resources that Tier 1s can use to manage security and other functions in a networked computing environment.
SCCM - System Center Configuration Manager
One benefit of having workstations connected to the university domain (Active Directory) is the ability to utilize a system administration suite of tools called "System Center Configuration Manager 2012." The current SCCM client (2007) is scheduled to be updated on 3/15/13. In the weeks following the upgrade, IT will begin to make the SCCM 2012 console available for tech support personnel to use in their departments.
SCCM is a very complex and large tool. Documentation has been written specifically for the access granted to tech support personnel. This document can be considered an "Administrator Guide" in our environment at the university. It covers the basic usage of the SCCM console utilities and is enough to get started using the new system. As feedback from the technical community comes in, more documentation will be added for tasks beyond those covered in the guide. If you are interested in utilizing this tool for your group, please review the documentation thoroughly before requesting access.
Announcements will be made when console access becomes available.
The administrator guide can be obtained at this link: SCCMAdminGuide.
Frequently Asked Questions
- How do I reset a password? (t1 accounts)
- How do I unlock a user account? (t1 accounts)
- Maintaining Active Directory groups and permissions
What will I need to manage the Active Directory system in my unit?
The Remote Server Administration tool pack will need to be downloaded from this link: Microsoft Download Page.
After installation of the Remote Server Administration tool completes, please look at this page for configuration of ADUC and GPMC, the two vital tools that will be used for managing your unit.
NOTE: The primary computer used for management will need to be running Windows 7 or Windows 8/8.1.
How do I migrate my organizational unit to Active Directory?
You will need to set up the workstations within your organizational unit to use Active Directory. To get started:
- Review the recommended workstation naming convention.
- Follow the instructions here for adding a machine to the domain: Add Machine
How do I keep my Organizational Units clean?
In most departments, computers are added and removed frequently for various reasons. It is good to keep track of these additions and removals. Always try to delete old computer objects from your OU after the machines have been removed. This will prevent problems with authentication as well as management through GPOs and SCCM. Some IT personnel keep an Excel spreadsheet of all of the machine names and their associated users. The sooner a management system is put in place, the easier the overall management will be as time goes on.
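One way to find the old computer objects mentioned above is to report machines in your OU that have not logged on for a while and compare that list with your inventory. This is an added example, not part of the original guide; it assumes the ActiveDirectory module from the Remote Server Administration tools, and the OU path and 90-day threshold are placeholders.

```powershell
# Added example: report computer objects in one OU that look stale.
Import-Module ActiveDirectory   # installed with the Remote Server Administration tools

# Assumptions: placeholder OU path and threshold; replace with your unit's values.
$SearchBase = 'OU=ExampleUnit,DC=example,DC=edu'
$StaleDays  = 90
$Cutoff     = (Get-Date).AddDays(-$StaleDays)

# lastLogonTimestamp is replicated to every domain controller but can lag by
# roughly two weeks, so keep the threshold well above that.
$computers = Get-ADComputer -Filter * -SearchBase $SearchBase `
                 -Properties lastLogonTimestamp, whenCreated, OperatingSystem |
    Select-Object Name, Enabled, OperatingSystem, whenCreated, DistinguishedName,
        @{ Name = 'LastLogon'; Expression = {
            # The attribute is a FILETIME value; empty means the machine never logged on.
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
        } }

$stale = $computers | Where-Object {
    # Stale: last logon before the cutoff, or never logged on and created before it.
    ($_.LastLogon -and $_.LastLogon -lt $Cutoff) -or
    (-not $_.LastLogon -and $_.whenCreated -lt $Cutoff)
} | Sort-Object LastLogon

$stale | Format-Table Name, LastLogon, whenCreated, Enabled -AutoSize
$stale | Export-Csv -Path .\stale-computers.csv -NoTypeInformation

# Check each entry against your inventory before deleting anything, then per machine:
#   Remove-ADComputer -Identity '<DistinguishedName from the report>' -Confirm
```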
How do I add a non-Microsoft workstation to Active Directory?
See the following documents
Why have my desktop icons changed?
This will occur if a migrated user tries to login to their local account. Ensure that the user is logging into their domain account.
I recently added a Windows 7 workstation to Active Directory. Why is it logging the user in to a temporary profile?
This is a known issue with Windows 7/Vista. Occasionally, when changes are made to a user profile, the user will no longer be able to log in to their account. To correct this issue, visit http://support.microsoft.com/kb/947242
Why have I lost my File/Folder Permissions?
Occasionally, when migrating a user into their domain profile, some files and folders will not have the correct permissions applied to the user's new domain account. Most commonly this occurs when the permissions to the files and folders were assigned to specific users and not groups. To correct this, select the affected files and folders and manually assign the proper permissions via the Security tab.
Why am I still getting prompted for my password when logging into SharePoint? My computer is already a member in AD.
Usually this is caused by a user still logging into their local account. Ensure that the user is logging into their domain account. You will also want to ensure that the appropriate Group Policy client-side extensions update (KB943729) is installed on the machine.
Why can I no longer open files that I encrypted using Windows EFS?
This is because, as far as Windows is concerned, you are now logging into a new Windows account that does not have permission to these encrypted files. The simplest solution to this problem is to log back in as your local account, decrypt the files, then re-encrypt them under your AD account.
What if I have other questions concerning the migration process?
Contact IT's Directory Service team at INFDSIT@LISTSERV.LOUISVILLE.EDU
How do I lock down a workstation so that only specific users can log in?
You will need to remove the domain users group from the local users group and the domain administrators* group from the local administrators group. You will then need to add each user's domain account that will need access to the workstation to either the local administrators group or users group depending on the level of access that is required. Step-by-step instructions for locking down AD workstations.
*It should be noted that removing the domain administrators group will severely limit the amount of assistance that IT can provide at the workstation level.
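Before and after making the change described above, it helps to list exactly which accounts and groups sit in the workstation's local Users and Administrators groups. This is an added example, not part of the original instructions; the function name, `EXAMPLE` domain and `jdoe` account are hypothetical, and the group names are the English defaults.

```powershell
# Added example: list who can reach a workstation through its local groups.
# Uses the ADSI WinNT provider, so it also runs on Windows 7 / PowerShell 2.0.

function Get-LocalGroupMemberName {
    param(
        [Parameter(Mandatory = $true)][string]$Group,
        [string]$Computer = $env:COMPUTERNAME
    )
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    $adsiGroup.psbase.Invoke('Members') | ForEach-Object {
        # ADsPath looks like WinNT://DOMAIN/name (local accounts also include
        # the computer name); reduce it to DOMAIN\name for display.
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# Members that admit a large population. Authenticated Users is included
# because, where present, it covers every domain account as well.
$broad = 'Domain Users', 'Authenticated Users', 'Domain Admins'

foreach ($group in 'Users', 'Administrators') {
    foreach ($member in Get-LocalGroupMemberName -Group $group) {
        $leaf = ($member -split '\\')[-1]
        $note = if ($broad -contains $leaf) { 'BROAD - review' } else { '' }
        '{0,-15} {1,-45} {2}' -f $group, $member, $note
    }
}

# The change itself, from an elevated prompt on the workstation
# (EXAMPLE and jdoe are placeholders):
#   net localgroup Users "EXAMPLE\Domain Users" /delete
#   net localgroup Users "EXAMPLE\jdoe" /add
# Removing Domain Admins from Administrators limits the help IT can give
# at the workstation, as noted above.
```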
Why am I experiencing slow logins after being added in AD?
If you experience this problem, first try disabling IPv6 if on a Vista or Windows 7 machine. Should the problem persist, disable dynamic DNS by linking the IT-DisableDynamicDNS GPO to your OU.
Is Microsoft Active Directory a requirement for Microsoft Exchange?
Microsoft Active Directory is not required to use Microsoft Exchange email services. Users can always use the web client for Exchange. There are reasons why we recommend that users' workstations be added to Active Directory:
- The Exchange client and updates can be pushed by IT to the workstations, making it simpler to set up the Exchange client.
- Other software (Windows updates, etc.) can be pushed by IT to the workstations, making it easier to keep workstations up to date.
- If the users are logged into Active Directory on their workstations, they do not have to input their credentials whenever they log into Exchange or SharePoint.
Will sponsored accounts need Active Directory?
Each sponsored account has different needs, but all sponsored account holders receive Active Directory accounts. The requester of the sponsored account will need to determine if they need a workstation linked to Active Directory or need the Exchange client (Outlook).