Step 1d: Creating Mobile Device Organizational Units (Optional)

2/9/2009

During the enrollment process, MDM Enrollment Server must be able to create and delete computer accounts in an Active Directory organizational unit (OU) that is dedicated to Windows Mobile devices. When you configure Active Directory for MDM, a default OU, SCMDM Managed Devices, is created and delegated to MDM Enrollment Server. Do not rename or move the SCMDM Managed Devices OU. The following steps are optional and are for administrators who want to create additional OUs for managed Windows Mobile devices.

To let MDM Enrollment Server create and delete Windows Mobile device accounts in an additional OU, you create the OU for Windows Mobile devices and then grant MDM Enrollment Server only the permissions on that OU that it requires (create and delete computer objects, and read and write the computer objects it creates); do not delegate broader rights.

Important

Use the following steps to create and delete computer accounts from your newly created OU for Windows Mobile devices only after you configure Active Directory for MDM. For more information about how to configure Active Directory, see Step 1: Configuring Active Directory for MDM. You must use the MDM Shell cmdlet, Set-EnrollmentPermissions, to delegate permission for MDM Enrollment Server to create and delete computer accounts in a specific OU. For more information about this cmdlet, see Set-EnrollmentPermissions in MDM Operations.

To create additional OUs for Windows Mobile devices

  1. In Active Directory Users and Computers, right-click the domain name, select New, and then select Organizational Unit.

  2. In the New Object – Organizational Unit dialog box, type a unique name for the OU, for example, Mobile Devices. Choose OK.

To delegate permission to create and delete Windows Mobile device accounts

  1. In Active Directory Users and Computers, right-click the OU that you created in the previous step, and then select Delegation of Control.

  2. In the Delegation of Control Wizard, choose Next.

  3. On the Users or Groups page, choose Add.

  4. On the Select User, Group, or Computer page, in the Enter the object name to select box, type SCMDMEnrollmentServers. Choose Check Names, and then choose OK.

  5. In the Tasks to delegate section, choose the Create a custom task to delegate option button, and then choose Next.

  6. On the Active Directory Object Type page, select Only the following objects in the folder. Select the Computer objects check box. Select the Create selected objects in this folder check box, select the Delete selected objects in this folder check box, and then choose Next.

  7. On the Permissions page, select the Read, Write, Create All Child Objects, Delete All Child Objects, and Read All Properties check boxes. For the remaining check boxes, keep the default settings and then choose Next.

  8. Choose Finish to close the wizard.
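The two procedures above (create the OU, then delegate only the create/delete and read/write rights on computer objects to SCMDMEnrollmentServers) can also be scripted, which makes the resulting ACL reviewable. The following is an added example and is not code from the original page or from MDM; the supported MDM way is the Set-EnrollmentPermissions cmdlet mentioned in the Important note. It assumes the ActiveDirectory PowerShell module and its AD: drive (Windows Server 2008 R2 or RSAT), an OU named Mobile Devices, and the domain the session is joined to; the schemaIDGUID of the computer class (bf967a86-0de6-11d0-a285-00aa003049e2) is the well-known value. The final Get-Acl query is the check a practitioner wants after running the wizard as well: it shows exactly which rights the group holds, on which object class, and with which inheritance.

```powershell
# Added example, not part of the original page. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=com (assumed domain)
$ouName   = "Mobile Devices"                    # assumed OU name, as in the wizard example
$ouDN     = "OU=$ouName,$domainDN"

# Procedure 1: create the OU for Windows Mobile devices (skipped if it already exists).
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}

# Procedure 2: delegate to SCMDMEnrollmentServers only what MDM Enrollment Server needs.
$group        = Get-ADGroup -Identity "SCMDMEnrollmentServers"
$computerGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the computer class
$acl          = Get-Acl -Path "AD:\$ouDN"

# Wizard step 6: create and delete objects of class computer directly in this OU.
# ObjectType = computer class, applied to this OU only (inheritance None).
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# Wizard step 7: Read, Write, Create All Child Objects, Delete All Child Objects,
# Read All Properties, applied to the computer objects under the OU
# (InheritedObjectType = computer class, inheritance Descendents).
$onComputers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]"GenericRead, GenericWrite, CreateChild, DeleteChild, ReadProperty",
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($onComputers)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: list the ACEs the group now holds on this OU. Anything beyond the two rules
# above (for example rights on user or group objects) means the delegation is too broad.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\SCMDMEnrollmentServers" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

Run the script as a domain administrator. If you used the wizard instead, run only the final Get-Acl query to confirm that the ObjectType and InheritedObjectType columns show the computer class GUID rather than an empty GUID, which would indicate the rights were granted on all object classes.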