uraneum73 asked:
I have been asked to redesign the Active Directory entirely!

Where do I begin, since there seem to be sundry points of entry into this project? I have been asked to go through all the security groups and redo/restrict access, and to redesign the shares to include a more efficient DFS system. We also have 3 sites located at branch offices with DCs/DHCP in each. I have also been asked to redefine roles. How do I define a role? Do I contact that person and ask them what they do? (That would take an eternity.) Do I call their boss and run down a list? And one of the largest priorities is that my boss wants the default security groups isolated from the locally-created security groups. We are planning on taking all the security groups and putting them in a new container just for our created groups. So, where do I begin?
ASKER CERTIFIED SOLUTION (brakk0):

One suggestion: make it completely new. Do not try to upgrade or merge. Make it a real redesign, something new (to avoid having too many problems to resolve).
uraneum73 (ASKER):

Thanks for responding brakk0 and SunBow. When you say make it completely new, do you mean design and test it on a non-production domain? That would seem to be easier. What about the other questions I had up above?
SOLUTION (Colin; content available to members only, not shown here)

uraneum73 (ASKER):

Thanks Colin,

We are going to keep our sites the way they are; directly from the boss. They are more or less a department - only separated by distance. He does not want to split the main OU into smaller and smaller OUs. So this takes care of that one!

As for the roles issue, it appears that he is speaking about "profiles" of people, the guys in our IT dept to be exact. We have been cleaning up a huge mess, one that has EVERYONE in IT with Domain Admin privileges! I have to clean this up and assign them appropriate privileges according to their job function, i.e. desktop, enterprise, workstation, etc.

I have to go through all of the Security Groups and determine which ones we will need, keep, delete, etc. There are some pretty ridiculous security groups here! Then I have to go through the OUs and determine which ones we will need to keep, just the same as the Security Groups. Then the DFS, which will follow the clean-up of the Groups! But that is later on down the road.
You may need to do OUs for the servers to do IT-level security.

I.e., you want certain techs to have full access to modify workstations and user accounts, but not servers.
You want some people to admin certain servers, but not all.

There is no reason for everyone to have domain admin. Microsoft security practices suggest further that a disabled account has domain admin, or that one individual has enterprise admin but no domain admin; that means that any major change requires both people to be involved...

You may need to do some OU work, say if you want a user tech at site A only able to modify site A's users, but not site B's, etc...


I think you should be on your way now. Does that clarify where to begin?


CH
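An added example (not code from this thread or from any poster) of the OU layout and delegation Colin describes, in PowerShell, assuming the RSAT ActiveDirectory module and hypothetical OU and group names: desktop techs get rights over workstations and users but nothing under Servers, a site-A help desk group can only reset passwords for site-A users, and every group the team creates lives in its own container away from the built-in groups, which also covers the asker's points about removing Domain Admin from everyone and keeping custom groups separate from the defaults.

```powershell
# Added example, not code from this thread. Assumes the RSAT ActiveDirectory
# module and a hypothetical OU/group naming scheme; run once, as an account
# allowed to create OUs and edit their ACLs.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# 1. OU layout: servers, workstations and users in separate trees, plus one
#    container for the groups we create so they never mix with the built-ins.
foreach ($name in "Servers", "Workstations", "Users", "Custom Groups") {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" `
        -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) { New-ADOrganizationalUnit -Name $name -Path $domainDN }
}
foreach ($site in "SiteA", "SiteB") {
    New-ADOrganizationalUnit -Name $site -Path "OU=Users,$domainDN"
}

# 2. Role groups (not Domain Admins) live in our own container.
$groupsOU = "OU=Custom Groups,$domainDN"
New-ADGroup -Name "Role-DesktopTechs"   -GroupScope Global -Path $groupsOU
New-ADGroup -Name "Role-SiteA-HelpDesk" -GroupScope Global -Path $groupsOU

# 3. Delegation: add one ACE on an OU that applies only to child objects of
#    one class. Well-known schema GUIDs for user, computer, and the
#    "Reset Password" control-access right.
$userClass = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$compClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
$resetPwd  = [Guid]"00299570-246d-11d0-a768-00aa006e0529"

function Grant-OURight {
    param([string]$OU, [string]$Group,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [Guid]$ObjectType, [Guid]$InheritedClass)
    $sid  = (Get-ADGroup $Group).SID
    $acl  = Get-Acl -Path "AD:\$OU"
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, "Allow", $ObjectType, "Descendents", $InheritedClass)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

# Desktop techs: full control of computer objects under Workstations and of
# user objects under Users. Nothing is granted under Servers.
Grant-OURight "OU=Workstations,$domainDN" "Role-DesktopTechs" GenericAll ([Guid]::Empty) $compClass
Grant-OURight "OU=Users,$domainDN"        "Role-DesktopTechs" GenericAll ([Guid]::Empty) $userClass
# Site A help desk: only the Reset Password right, only on users in SiteA.
Grant-OURight "OU=SiteA,OU=Users,$domainDN" "Role-SiteA-HelpDesk" ExtendedRight $resetPwd $userClass
```

After running it, `(Get-Acl "AD:\OU=Servers,$domainDN").Access` should list no entry for either role group, which is the check that the techs really have no path to the servers.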
uraneum73 (ASKER):

Thanks Colin, you have made me think a little harder, and that is not always a bad thing ;-) I think this site is great in that experts like you and all who answered not only help us out, but actually encourage us to learn!

It looks like I am going to have to go head-to-head with the boss again and stress the need for greater OU management for the ultimate goal: increased management and security!