During the enrollment process, you must enable Mobile Device Manager (MDM) Enrollment Server to create or delete computer accounts in an Active Directory® organizational unit (OU) that is dedicated for Windows Mobile devices. During Active Directory configuration, a default MDM organizational unit, SCMDM2008 Managed Devices, is created and delegated to MDM Enrollment Server. It is recommended that you do not rename or move the SCMDM2008 Managed Devices OU. The following steps are optional for administrators who want to create additional OUs for managed Windows Mobile devices.

To create or delete Windows Mobile device accounts, you will create an OU for Windows Mobile devices and then grant MDM Enrollment Server the permissions that are required.

Use the following steps to create and delete computer accounts from your newly created OU for Windows Mobile devices only after you configure Active Directory for MDM. For more information about how to configure Active Directory, see Step 1: Configuring Active Directory for MDM. You must use the MDM Shell cmdlet, Set-EnrollmentPermissions, to delegate permission for MDM Enrollment Server to create and delete computer accounts in a specific OU. For more information about this cmdlet, see Set-EnrollmentPermissions in MDM Operations.

To create additional OUs for Windows Mobile powered devices

  1. In Active Directory Users and Computers, right-click the domain name, select New, and then select Organizational Unit.

  2. In the New Object – Organizational Unit dialog box, type a unique name for the OU, for example, Mobile Devices. Choose OK.

To delegate permission to create and delete Windows Mobile powered device accounts

  1. In Active Directory Users and Computers, right-click the OU that you created in the previous step, and then select Delegation of Control.

  2. In the Delegation of Control Wizard, choose Next.

  3. On the Users or Groups page, choose Add.

  4. On the Select, User, Group or Computer page, in the Enter the object name to select box, type SCMDM2008EnrollmentServers. Choose Check Names, and then choose OK.

  5. In the Tasks to delegate section, choose the Create a custom task to delegate option button, and then choose Next.

  6. On the Active Directory Object Type page, select Only the following objects in the folder. Select the Computer objects check box. Select the Create selected objects in this folder check box, select the Delete selected objects in this folder check box, and then choose Next.

  7. On the Permissions page, select the Read, Write, Create All Child Object, Delete All Child Object, and Read All Properties check boxes. For the remaining check boxes, keep the default settings, and then choose Next.

  8. Choose Finish to close the wizard.
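
After completing the delegation, you can review what was actually granted on the OU. The following script is an added example, not part of the MDM documentation or tooling: it reads the OU's access control list through .NET System.DirectoryServices and lists the entries held by SCMDM2008EnrollmentServers, marking any entry that is not limited to computer objects. The distinguished name is a hypothetical placeholder; run the script with an account that can read the OU's permissions.

```powershell
# Added example: review the ACEs delegated to the enrollment servers group on the OU.
$ouDn      = 'OU=Mobile Devices,DC=example,DC=com'  # hypothetical DN; use your OU's DN
$groupName = 'SCMDM2008EnrollmentServers'           # group named in the procedure
# schemaIDGUID of the Active Directory "computer" object class
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$ou = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ouDn")
# Explicit and inherited ACEs, with trustees translated to DOMAIN\name form
$rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$report = foreach ($rule in $rules) {
    if ($rule.IdentityReference.Value -notlike "*\$groupName") { continue }
    New-Object PSObject -Property @{
        Rights         = $rule.ActiveDirectoryRights
        Access         = $rule.AccessControlType
        Inherited      = $rule.IsInherited
        # True when the ACE targets computer objects (as the child type to
        # create or delete, or as the object type the ACE is inherited by)
        ComputerScoped = ($rule.ObjectType -eq $computerClass) -or
                         ($rule.InheritedObjectType -eq $computerClass)
    }
}

if (-not $report) {
    Write-Warning "No ACEs for $groupName found on $ouDn"
} else {
    $report | Format-Table Rights, Access, Inherited, ComputerScoped -AutoSize
    # Entries not limited to computer objects are broader than the wizard steps above select
    $broad = @($report | Where-Object { -not $_.ComputerScoped })
    if ($broad.Count -gt 0) {
        Write-Warning "$($broad.Count) ACE(s) for $groupName are not limited to computer objects"
    }
}
```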