Active Directory

Key points regarding Active Directory at Brandeis

  • Brandeis user accounts are all members of the brandeis.edu domain in Active Directory ("AD"). For abstruse historical reasons, this is also known as the USERS domain.
  • Many Windows PCs, Linux boxes, and even a few Macs in the Division of Science use AD for logins.
  • Some groups are maintained in AD.

Administrator notes on OUs in the Sciences

Delegating administration of an OU

Use the "Delegate Control" wizard in the Active Directory Users and Computers MMC snap-in (e.g. delegate control of the joesmith-lab OU to joesmith-lab-admins).
In the dialog you can choose which privileges to delegate. I think the two that are crucial are:
  • Create, delete, and manage groups
  • Modify the membership of a group

Do NOT delegate the tasks:

  • Create, delete, and manage user accounts
  • Reset user passwords and force password change at next logon

We don't want people creating user accounts in AD.
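The wizard writes access control entries (ACEs) on the OU, so the way to confirm that only the two group tasks above were delegated (and not user creation or password resets) is to read the OU's ACL back. The script below is an added example, not part of the original page; it assumes the RSAT ActiveDirectory module and the OU's distinguished name, which is a placeholder here.

```powershell
# Added example (not from the original page): audit what "Delegate Control" actually granted
# on a lab OU, resolving the schema and extended-right GUIDs so the ACEs are readable.
# Assumptions: RSAT ActiveDirectory module installed; the OU DN below is a placeholder.
Import-Module ActiveDirectory

$ou    = "OU=joesmith-lab,DC=brandeis,DC=edu"   # assumed DN; adjust to where the OU lives
$group = "USERS\joesmith-lab-admins"            # delegated group; USERS is the NetBIOS name of the domain

# Build a lookup from GUID to friendly name using the schema and Extended-Rights containers.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

# Read the OU's ACL through the AD: drive and keep only ACEs for the delegated group.
$acl = Get-Acl -Path "AD:\$ou"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    ForEach-Object {
        $obj = if ($_.ObjectType -eq [guid]::Empty) { "<all>" } else { $guidMap[$_.ObjectType.ToString()] }
        $inh = if ($_.InheritedObjectType -eq [guid]::Empty) { "<all>" } else { $guidMap[$_.InheritedObjectType.ToString()] }
        [pscustomobject]@{
            Rights          = $_.ActiveDirectoryRights
            AppliesTo       = $obj
            InheritedObject = $inh
            Type            = $_.AccessControlType
        }
    } | Format-Table -AutoSize

# Expected for the two recommended tasks: CreateChild/DeleteChild on "group", and WriteProperty
# on "member" inherited to "group". Any row mentioning "user" or the "Reset Password" right
# means more was delegated than this page recommends.
```

Run it from a Windows box that has the AD tools; the comparison at the end is the check, since the wizard shows nothing after it finishes.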

Delegating Administration Rights in OUs

Problem: We want to be able to make a small number of users Administrators on every Windows machine in lab.

One way to do it using Active Directory:

  1. Create an organizational unit (OU) for the lab (einstein-lab). Move (or create) computer accounts for each of the computers into the OU.
    • Use the Active Directory Users and Computers MMC tool to create and modify OUs and groups
    • See How To Join USERS for more information on associating a computer with an account in AD.
  2. In OU einstein-lab create a group for the admins, say einstein-lab-admins
    • edit einstein-lab-admins using the Active Directory Users and Computers tool
  3. Create a group policy object (GPO) to associate with einstein-lab (say, einstein-lab-policy)
    • None of us in the sciences have permission to do this - ask someone in Netsys
  4. Link the einstein-lab-policy GPO to the einstein-lab OU. 
  5. Edit einstein-lab-policy using the Group Policy Management Editor.
    • Find: Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
    • Right-click Restricted Groups and choose Add Group...
    • In the ensuing dialog, enter the name of the group you want (einstein-lab-admins); it should exist already
    • In the next dialog, next to the section labeled This group is a member of:, click Add...
    • In the next dialog, type Administrators
  6. Review your work; it should appear as follows:

Screen shot

Having followed this recipe, make sure that the GPO is refreshed on each computer that is a member of einstein-lab.

You should be able to confirm, using Computer Management > System Tools > Local Users and Groups > Groups, that einstein-lab-admins is now a member of the local group Administrators.
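Checking Computer Management on every lab PC by hand does not scale, so here is the same confirmation done for the whole OU at once. This is an added example, not part of the original page; it assumes the RSAT ActiveDirectory module, PowerShell remoting enabled on the lab machines, and an assumed DN for the einstein-lab OU.

```powershell
# Added example (not from the original page): refresh Group Policy on every computer in the
# einstein-lab OU and confirm that einstein-lab-admins is now in local Administrators.
# Assumptions: RSAT ActiveDirectory module; PS remoting enabled on the PCs; OU DN is a placeholder.
Import-Module ActiveDirectory

$ouDn       = "OU=einstein-lab,DC=brandeis,DC=edu"   # assumed placement of the OU
$adminGroup = "USERS\einstein-lab-admins"            # USERS is the NetBIOS name of the domain

$computers = Get-ADComputer -SearchBase $ouDn -Filter * | Select-Object -ExpandProperty Name

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    param($expected)
    # Force a policy refresh so Restricted Groups is applied now, not at the next cycle.
    gpupdate /target:computer /force | Out-Null
    $members = Get-LocalGroupMember -Group "Administrators" | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        HasGroup = ($members -contains $expected)
        Members  = ($members -join ", ")
    }
} -ArgumentList $adminGroup

$results | Format-Table Computer, HasGroup, Members -AutoSize

# Machines that did not answer are reported separately; HasGroup=False on a machine that did
# answer usually means it is not really in the OU or the GPO link has not applied yet
# (gpresult /r on that box shows which GPOs it received).
$computers | Where-Object { $_ -notin $results.Computer } |
    ForEach-Object { Write-Warning "No result from $_ (offline or remoting disabled)" }
```

The Members column is worth reading too: "This group is a member of" adds einstein-lab-admins alongside whatever was already in Administrators, so any unexpected local accounts will still be there.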

Group Policy Management

Group Policy Management Console (GPMC) snap-in
  • there is a copy in \\BIO\PUBLIC or download from microsoft
  • it requires .NET framework 1.1
Windows Vista
  • the GPMC snap-in comes with the OS
  • you may need to launch MMC using "Run As Administrator" to use it.
    1. Open Command Prompt using "Run As Administrator"
    2. type mmc -a
    3. add whatever snapins are useful
      • I use Computer Management, Active Directory Users and Computers, Group Policy Management Console, Group Policy Object Editor, and Resultant Set of Policy.
    4. Save As my_custom_console.msc
  • you can just launch my_custom_console.msc

How to bind a Mac to USERS

Adding a MacOS computer to the brandeis.edu Active Directory domain 

Create an account in Active Directory with the name of the computer. The Mac is not actually going to be able to pull group policies from AD, but you really need to make sure there aren't multiple computers with the same name. This should match the computer name listed in the Sharing tab in System Preferences. You should do this from a Windows computer using the Active Directory Users & Computers MMC tool

  1. for the Control Panel. Make sure to give whoever is going to do step 2 the power to join the account.
  2. Once that is done, on the Mac, go to the Users & Groups tab in System Preferences. Next to Network Account Server:, click Join.
  3. at the next prompt, click Open Directory Utility...
  4. In the Directory Utility dialog, click the lock and authenticate with an account that is an administrator on the Mac. Choose Active Directory and double-click it.
  5. For Active Directory Domain, enter brandeis.edu. Click Bind...
  6. Authenticate with your UNet username and password. If this works, you should see an "Unbind..." button, as you are now bound. Click OK.
  7. You can click the little triangle at left to show other settings. The only one I might set is under Administrative, where I might define a group that is allowed to administer the computer.
  8. Now, when you go back to the Users & Groups tab in System Preferences, you should see a new option Allow network users to log in at login window. Check that box.
  9. Next to it, under Options... you might want to specify groups that are allowed to log in.
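The Windows-side part of this recipe (create the computer account first, and make sure the name is not already taken) can be done from PowerShell as well. The script below is an added example, not part of the original page; the computer name is constructed and the OU DN is an assumption.

```powershell
# Added example (not from the original page): pre-stage the Mac's computer account from a
# Windows box, refusing to continue if the name is already in use, since a duplicate name is
# the failure the page warns about. Assumptions: RSAT ActiveDirectory module; placeholder OU DN.
Import-Module ActiveDirectory

$macName = "einstein-imac01"                      # constructed example; must match the name on
                                                  # the Mac's Sharing pane in System Preferences
$ouDn    = "OU=einstein-lab,DC=brandeis,DC=edu"   # assumed OU for the lab's computers
$fqdn    = "$macName.brandeis.edu"

# Check both the account name and the DNS host name, since either collision causes trouble.
$existing = Get-ADComputer -Filter "Name -eq '$macName' -or DNSHostName -eq '$fqdn'" `
                           -Properties DNSHostName, DistinguishedName
if ($existing) {
    $existing | ForEach-Object { Write-Warning "Name already in use: $($_.DistinguishedName)" }
    throw "Refusing to create a duplicate computer account for $macName"
}

# New-ADComputer sets sAMAccountName to the name with a trailing '$' automatically.
New-ADComputer -Name $macName -Path $ouDn -Enabled $true `
               -Description "Mac, bound via Directory Utility"

# Giving the person who will run the bind the right to join this specific account is still done
# in the ADUC "New Object - Computer" dialog (the "User or group" field), as the page describes.
Get-ADComputer -Identity $macName | Select-Object Name, DistinguishedName, Enabled
```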

How to create a Role Account in AD

If a role account needs to be created in Active Directory, follow the steps outlined below.

Step-by-step guide

In Active Directory, the user account needs to be created in the "Role Accounts" OU as follows:

Open Active Directory

  • Expand the root directory "Brandeis.edu".
  • Expand "Prime".
  • Right click on "Role Accounts".
  • Click on New.
  • Click on User.
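The same thing from PowerShell, as an added example that is not part of the original page. It assumes the RSAT ActiveDirectory module and that "Prime" and "Role Accounts" are OUs directly under the domain root; the account name and owner are constructed.

```powershell
# Added example (not from the original page): create a role account in the "Role Accounts" OU.
# Assumptions: RSAT ActiveDirectory module; the OU DN mirrors the page's Brandeis.edu > Prime >
# Role Accounts path but is an assumption; the account and owner names are constructed.
Import-Module ActiveDirectory

$roleOu = "OU=Role Accounts,OU=Prime,DC=brandeis,DC=edu"   # assumed DN
$sam    = "svc-einstein-backup"                            # constructed example account name
$owner  = "jsmith"                                         # constructed: who is responsible for it

# Refuse to create a second account with the same name.
if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
    throw "An account named $sam already exists"
}

# Prompt for the initial password rather than embedding it in a script.
$initialPassword = Read-Host -AsSecureString "Initial password for $sam"

New-ADUser -Name $sam -SamAccountName $sam `
    -UserPrincipalName "$sam@brandeis.edu" `
    -Path $roleOu `
    -Description "Role account; owner: $owner" `
    -AccountPassword $initialPassword `
    -Enabled $true

# Confirm it landed in the right OU; the Description records who owns it for later audits.
Get-ADUser -Identity $sam -Properties Description |
    Select-Object Name, DistinguishedName, Enabled, Description
```

Recording the owner in Description is what makes these accounts reviewable later, since a role account has no person's name attached to it otherwise.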