Active Directory: OU Security Groups

The ability to create security groups is a benefit of using the Active Directory Organizational Unit (OU). Using security groups, permissions can be assigned to a subset of individuals, granting them access to files, workstations, or other resources. Security groups can also be used as email distribution lists. See the Exchange: Distribution Groups Tech Article for more information.

Further training on managing Organizational Units is available upon request. Request training at its-training.uark.edu.

Create an OU

To create a departmental OU, submit an AskIT help request with the subject "Create Organizational Unit for my department." IT Services will contact you for the necessary information to complete your request. If your department has an OU, the existing OU admin can create a new OU within the departmental OU and grant access to it.

Once your OU is created, install the Remote Server Administration Tools (RSAT) for Windows 7 or Vista. Download RSAT by mapping a drive to gizmo.uark.edu\dfs\Microsoft Applications\Miscellaneous Apps and Utilities\Active Directory Apps. If you are running Windows XP, install Active Directory Management Tools.

Activate RSAT

To create and manage security groups, ensure you are logged into a computer that is joined to the UARK domain and that you have permissions to create groups. Please see your OU administrator for details.

  1. Click Start, Control Panel, and Programs and Features.

  2. Click "Turn Windows features on or off."

  3. Expand Remote Server Administration Tools by clicking the (+).

  4. Expand Role Administration Tools.

  5. Check the "AD DS and AD LDS Tools" box. Click OK.

Add a Group

  1. Click Start, Control Panel, Administrative Tools, and Active Directory Users and Computers.

  2. Navigate to your OU.

  3. Click Action, New, and Group. Keep the default options.

  4. Enter the group name and information. Click OK. Because group names are domain-wide, IT Services strongly recommends that they start with the 4-letter department code followed by a dash and a basic description. For example, within the domain, there can be a group named "dept1-techs" and another named "dept2-techs," but only one named "techs."

Add Members

  1. Double-click on the group in AD Users and Computers. Click the Members tab and click Add.
    Note: A user might not be able to access the group resources until they log out and log back in.

  2. Grant group access to a resource by choosing the object's Security tab and inputting the group name in the form of gacl\groupname.
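
The Add a Group and Add Members steps above can also be scripted. The following is an added example, not part of the original article or an IT Services tool: it assumes the ActiveDirectory PowerShell module is available on the workstation, and the function name New-DeptSecurityGroup, the OU path, the department code and the usernames are hypothetical placeholders. It enforces the recommended name format and checks the whole domain for a name collision before creating anything.

```powershell
Import-Module ActiveDirectory

function New-DeptSecurityGroup {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        # Assumption: the 4-letter department code is alphabetic.
        [Parameter(Mandatory=$true)][ValidatePattern('^[A-Za-z]{4}$')][string]$DeptCode,
        # Restricting characters also keeps the -Filter string below safe to build.
        [Parameter(Mandatory=$true)][ValidatePattern('^[A-Za-z0-9-]+$')][string]$Description,
        [Parameter(Mandatory=$true)][string]$OUPath,
        [string[]]$Members = @()
    )

    $name = ('{0}-{1}' -f $DeptCode, $Description).ToLower()

    # Group names are domain-wide, so search the whole domain, not just this OU.
    $existing = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if ($existing) {
        throw "Group '$name' already exists at $($existing.DistinguishedName)."
    }

    # Global scope and Security type match the defaults of the New Group dialog.
    if ($PSCmdlet.ShouldProcess($OUPath, "Create security group $name")) {
        New-ADGroup -Name $name -SamAccountName $name -Path $OUPath `
            -GroupScope Global -GroupCategory Security
    }

    foreach ($user in $Members) {
        # Resolve each account first so a mistyped username stops the run.
        $account = Get-ADUser -Identity $user -ErrorAction Stop
        if ($PSCmdlet.ShouldProcess($name, "Add member $($account.SamAccountName)")) {
            Add-ADGroupMember -Identity $name -Members $account
        }
    }

    # Under -WhatIf nothing was created, so there is no membership to report.
    if ($WhatIfPreference) { return }

    # Return the resulting membership so it can be reviewed.
    Get-ADGroupMember -Identity $name | Select-Object SamAccountName, objectClass
}

# Placeholder values (constructed); -WhatIf previews the changes without making them.
New-DeptSecurityGroup -DeptCode 'abcd' -Description 'techs' `
    -OUPath 'OU=Example,DC=example,DC=edu' -Members 'user1', 'user2' -WhatIf
```

Remove -WhatIf to apply the changes; as with the GUI steps, a newly added user may need to log out and back in before the group's access takes effect.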

Remove Members

  1. Right-click the group and click Properties.

  2. On the Members tab, click the UARK username to remove.

  3. Click the Remove button. Click OK.

  4. Click Yes. Click OK.
