OU, with Global Groups inside Right or Wrong >> Best Practices for Small Biz

Posted on 2003-02-18
Last Modified: 2011-09-20
Do you need to use Global groups inside of an OU or can you just use several OUs and put only user accounts into the OU and assign permissions for user access at the OU level? Or should I create OU-Global Group-and add users to the global group, and then assign permissions at the Global group level. Looking for best real world practices books only define.. What are the best strategies going forward for the real world?

For example, is this correct? Create an OU called CompanyA and create user accounts inside this OU called CompanyA, and right click the OU and set user permissions, that way without using Group Policy. Or would it be better to create an OU called CompanyA and create a global group inside the CompanyA OU called Users and create the users inside the Global group, assign permissions at the Global group level, so it would look something like this: OU-Global Group-User Accounts sitting inside global group. I will be supporting other companies in the network, separate entities, so I was thinking about creating OUs for the separate companies and assigning Group Policies later, but I want to do it right from the ground up. I read you should not get too granular with the OUs but I am not sure if I am going about the Active Directory structure the correct way by not using global groups and creating user accounts directly into the OU and right clicking the OU and adding member groups like domain users, administrators, etc. to the OU, maybe this is why my domain user account with Admin rights was being declined access to my device manager, denying changes, error insufficient rights. Please Help with OUs....

Thanks in advance....

Question by:lgr

Accepted Solution

Steve Knight earned 80 total points
ID: 7980639
You can't set file system permissions at the OU level, only to groups (Novell NDS wins hands down here...) so you generally need both OU structure and groups.

Groups are best for non OU based control and file permissions

OU's are best for Group Policy assignments, delegating authority and.... not much else other than organising users and groups into manageable lists.

i.e. I tend to create OU structure for each company/department and another OU at a relevant level for groups, e.g.:

    CompanyA groups
    CompanyA Application Groups
    CompanyB groups

If the companies are on different physical networks connected with routers etc. then make sure you set each of the subnets up that are connected with each site and assign each DC to their site.

Of course if the companies are totally separate it might be worth creating each as a sub-domain to the parent.

hth a little.... talked too much already for 20 points :-)
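
The layout described in the answer above, as an added example that is not part of the original post: accounts go in a company OU, a global security group goes in a separate groups OU, and the file permission is granted to the group, never to the OU. It uses the ActiveDirectory PowerShell module; the domain `DC=example,DC=com`, the user `jsmith`, the group name and the folder `D:\Shares\CompanyA` are assumed values.

```powershell
# Added example; all names and paths below are assumptions, not values from the post.
Import-Module ActiveDirectory

$domainDn  = 'DC=example,DC=com'        # assumed domain
$company   = 'CompanyA'
$sharePath = 'D:\Shares\CompanyA'       # assumed existing folder on an NTFS volume

# OUs organise objects and are where Group Policy is linked and admin rights delegated.
New-ADOrganizationalUnit -Name $company          -Path $domainDn
New-ADOrganizationalUnit -Name "$company groups" -Path $domainDn

# The global security group lives in the groups OU; it is the security principal
# that can appear in a file system ACL. An OU has no SID and cannot.
$group = New-ADGroup -Name "$company Users" -SamAccountName "${company}Users" `
    -GroupScope Global -GroupCategory Security `
    -Path "OU=$company groups,$domainDn" -PassThru

# The user account sits in the company OU (created disabled, since no password is set)
# and gets its file access only through group membership.
$user = New-ADUser -Name 'John Smith' -SamAccountName 'jsmith' `
    -Path "OU=$company,$domainDn" -PassThru
Add-ADGroupMember -Identity $group -Members $user

# Grant Modify on the folder to the group, inherited by subfolders and files.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Review: the group should be listed in the ACL, and no individual user accounts.
(Get-Acl -Path $sharePath).Access |
    Where-Object { $_.IdentityReference -like "*\${company}Users" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Removing a user from the group then revokes the folder access without touching the ACL, which keeps per-company permissions auditable from group membership alone.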


Author Comment

ID: 7981530
Thanks for the info.  Very informative. Thanks again. I am going to go recreate the structures. Thanks

Expert Comment

by:Steve Knight
ID: 7981977
No probs.  Good luck!

