

OU, with Global Groups inside Right or Wrong >> Best Practices for Small Biz

Posted on 2003-02-18
Medium Priority
Last Modified: 2011-09-20
Do you need to use Global groups inside of an OU or can you just use several OUs and put only user accounts into the OU and assign permissions for user access at the OU level? Or should I create OU-Global Group-and add users to the global group, and then assign permissions at the Global group level. Looking for best real world practices books only define.. What are the best strategies going forward for the real world?

For example is this correct.  Create an OU called CompanyA and create user accounts inside this OU called CompanyA, and right click the OU and set user permissions,  that way without using Group Policy. Or would it be better to create a OU called CompanyA and create a global group inside the CompanyA OU called Users and create the users inside the Global group, assign permissions at the Global group level, so it would look something like this OU-Global Group-User Accounts sitting inside global group.  I will be supporting other companies in the network,  separate entities, so I was thinking about creating OUs for the separate companies and assigning Group Policies later, but I want to do it right from the ground up. I read you should not get too granular with the OUs but I am not sure if I am going about the Active Directory structure the correct way by not using global groups and creating user accounts directly into the OU and right clicking the OU and adding member groups like domain users, administrators, etc. to the OU, maybe this is why my domain user account with Admin rights was being declined access to my device manager, denying changes, error insufficient rights. Please Help with OUs....

Thanks in advance....

Question by:lgr

Accepted Solution

Steve Knight earned 80 total points
ID: 7980639
You can't set file system permissions at the OU level, only to groups (Novell NDS wins hands down here...) so you generally need both OU structure and groups.

Groups are best for non OU based control and file permissions.

OUs are best for Group Policy assignments, delegating authority and.... not much else other than organising users and groups into manageable lists.

i.e. I tend to create OU structure for each company/department and another OU at a relevant level for groups, e.g.:

    CompanyA groups
    CompanyA Application Groups
    CompanyB groups

If the companies are on different physical networks connected with routers etc. then make sure you set each of the subnets up that are connected with each site and assign each DC to their site.

Of course if the companies are totally separate it might be worth creating each as a sub-domain to the parent.

hth a little.... talked too much already for 20 points :-)
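
The layout described in the answer above, as an added example that is not part of the original answer: an OU for the company's users, a separate OU for its groups, and a folder ACL that names a global group rather than an OU. It uses the ActiveDirectory PowerShell module; the domain DN, NetBIOS name, share path and the group name `CompanyA-Users` are assumptions chosen for illustration.

```powershell
# Added example; every name below (domain DN, NetBIOS name, share path, group name) is an assumption.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=local'      # assumed domain
$netbios  = 'EXAMPLE'                  # assumed NetBIOS domain name
$share    = 'D:\Shares\CompanyA'       # assumed existing folder on an NTFS volume

# OUs organise objects and are where Group Policy is linked and administration is delegated.
New-ADOrganizationalUnit -Name 'CompanyA' -Path $domainDn
New-ADOrganizationalUnit -Name 'CompanyA groups' -Path $domainDn

# A global security group is a security principal, so it can appear in an ACL. An OU cannot.
New-ADGroup -Name 'CompanyA Users' -SamAccountName 'CompanyA-Users' `
    -GroupScope Global -GroupCategory Security `
    -Path "OU=CompanyA groups,$domainDn"

# User accounts live in the company OU; group membership is what grants file access.
$users = Get-ADUser -Filter * -SearchBase "OU=CompanyA,$domainDn"
if ($users) {
    Add-ADGroupMember -Identity 'CompanyA-Users' -Members $users
}

# Grant the group Modify on the folder, inherited by subfolders and files.
$ruleArgs = @("$netbios\CompanyA-Users", 'Modify',
              'ContainerInherit,ObjectInherit', 'None', 'Allow')
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $share
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Review the result: the access entry is held by the group, never by the OU.
(Get-Acl -Path $share).Access |
    Where-Object { $_.IdentityReference -like '*CompanyA-Users' } |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

Moving a user between OUs later changes which Group Policy applies to them but leaves this file access untouched, because the ACL follows group membership only.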


Author Comment

ID: 7981530
Thanks for the info.  Very informative. Thanks again. I am going to go recreate the structures. Thanks

Expert Comment

by:Steve Knight
ID: 7981977
No probs.  Good luck!

