The Customer Active Directory OU Tool
This tool on your server's desktop will give you access to your MiServer Managed Windows customer OU in Active Directory.
OU admins have the ability to:
- Create AD service accounts
- Create AD service groups
- Create and link GPOs to the “Servers” sub-OU
OU Administrators
By default, the user accounts in the MCommunity group you selected when requesting your MiServer are OU Admins. The best practice for OU administrative accounts is to replace the stock membership of this OU Administrators group with non-uniqname administrative accounts. You can use pre-existing AD service accounts for this purpose or create new AD service accounts in the “Users” sub-OU of your MiServer Active Directory delegation.
In the Customer Active Directory OU tool, add the AD account to the M-<Mcommunity.group>-OUAdmins group.
Any account added to the OUAdmins group is automatically given local administrative access to your MiServer Managed Windows servers. You can change this by removing the OU Admins group from the local Administrators group on your server, but first make sure a working account remains in the local Administrators group.
Server Administrators
Should you wish to make a person an administrator on your server(s) without making them an OU administrator, you can either create a new AD group in the “Groups” sub-OU and add this group to the local Administrators group on your server via the Computer Management console, or add the account directly to the local Administrators group. Again, best practice is to use or create an AD service account rather than use standard AD desktop accounts.
Server administrators are given full control over the server itself, but they are not able to do any administrative tasks in Active Directory.
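The two local Administrators changes described above (granting a server-only admin group or service account, and removing the OU Admins group without locking yourself out) can be scripted with the built-in LocalAccounts cmdlets. This is an added example, not part of the MiServer documentation; the function name, `EXAMPLEDOMAIN` and the group names in the usage comment are placeholders to replace with your own values.

```powershell
# Added example: function name and all account names are placeholders.
function Remove-OUAdminsFromLocalAdmins {
    [CmdletBinding()]
    param(
        # DOMAIN\name of your M-<Mcommunity.group>-OUAdmins group
        [Parameter(Mandatory)] [string] $OUAdminsGroup,
        # Optional AD group or service account to grant local admin first
        [string] $ReplacementAdmin
    )

    # Abort on any error (e.g. membership cannot be enumerated) before removing anything.
    $ErrorActionPreference = 'Stop'
    $local = 'Administrators'

    if ($ReplacementAdmin) {
        $already = Get-LocalGroupMember -Group $local |
            Where-Object { $_.Name -eq $ReplacementAdmin }
        if (-not $already) {
            Add-LocalGroupMember -Group $local -Member $ReplacementAdmin
        }
    }

    # Members that would still hold local admin once the OU Admins group is removed.
    $remaining = Get-LocalGroupMember -Group $local | Where-Object {
        if ($_.Name -eq $OUAdminsGroup) { return $false }
        if ($_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User') {
            # A disabled local account (often the built-in Administrator) does not count.
            return (Get-LocalUser -SID $_.SID).Enabled
        }
        return $true   # AD users and groups: assumed usable, confirm a logon separately
    }

    if (-not $remaining) {
        throw "Refusing to remove '$OUAdminsGroup': no other usable member would remain in local $local."
    }

    Remove-LocalGroupMember -Group $local -Member $OUAdminsGroup

    # Return the resulting membership for review.
    Get-LocalGroupMember -Group $local | Select-Object Name, ObjectClass, PrincipalSource
}

# Usage (run in an elevated session on the server; names are placeholders):
# Remove-OUAdminsFromLocalAdmins -OUAdminsGroup 'EXAMPLEDOMAIN\M-example.group-OUAdmins' `
#     -ReplacementAdmin 'EXAMPLEDOMAIN\example-server-admins'
```

The check only confirms that another member exists; verify that the remaining account can actually log on to the server before closing your current session.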