Help with Organizing Active Directory

774 Views
Last Modified: 2008-06-01
I am trying to configure my Active Directory in the most efficient manner.  However, this is my first time doing this so I need some assistance.  

We currently run under one domain at my company (roughly 50 users and 7 servers).  There are four physical buildings on the property.  Here is how I currently have AD set up:

- Corp (Organizational Unit)
     - Groups (Organizational Unit to hold all Security and Distribution Groups)
     - Servers (Organizational Unit to hold all Servers)
     - Users (Organizational Unit)
          - Main Office (Organizational Unit to hold all Users in Main Office)
               - Test (Organizational Unit to hold all Test Users in Main Office)
          - Plant 1 (Organizational Unit to hold all Users in Plant 1)
               - Test (Organizational Unit to hold all Test Users in Plant 1)
          - Plant 2 (Organizational Unit to hold all Users in Plant 2)
               - Test (Organizational Unit to hold all Test Users in Plant 2)
          - Plant 3 (Organizational Unit to hold all Users in Plant 3)
               - Test (Organizational Unit to hold all Test Users in Plant 3)
          - Remote (Organizational Unit to hold all Remote Users)
               - Test (Organizational Unit to hold all Test Remote Users)
     - Workstations (Organizational Unit)
          - Main Office (Organizational Unit to hold all Workstations in Main Office)
               - Test (Organizational Unit to hold all Test Workstations in Main Office)
          - Plant 1 (Organizational Unit to hold all Workstations in Plant 1)
               - Test (Organizational Unit to hold all Test Workstations in Plant 1)
          - Plant 2 (Organizational Unit to hold all Workstations in Plant 2)
               - Test (Organizational Unit to hold all Test Workstations in Plant 2)
          - Plant 3 (Organizational Unit to hold all Workstations in Plant 3)
               - Test (Organizational Unit to hold all Test Workstations in Plant 3)
          - Remote (Organizational Unit to hold all Remote Workstations)
               - Test (Organizational Unit to hold all Test Remote Workstations)

The reason I have AD set up like this is because I apply certain group policies to all users (ex. Redirecting My Documents), and I apply certain group policies depending on which building they are in (ex. Mapping printers for that building).  The Test OUs contain the users and computers that I use for testing purposes (Windows updates, testing new GPs, etc.).

Is there a better way of organizing my AD?

Thanks,

Chris

CERTIFIED EXPERT

Commented:
One example of why you might want to break down to additional OUs is to delegate authority over them... for example, making an OU admin... But if all you are using this structure for is applying GPOs, then it's overkill.

Remember that group policies can be applied to a security group. If there is no need to create a separate organizational structure, then there is no need to make your OU picture look that complicated.

Create your group policies for your printer mapping and link them to your Workstations OU. Then create global groups for Main Office, Plant 1, Plant 2, Plant 3, and Remote, with the proper settings for printer mappings and such, and use the GPO Security Filtering so that the GPOs only apply to the right group.
Jeremy WeisingerSenior Network Consultant / Engineer
CERTIFIED EXPERT

Commented:
"Remember that group policies can be applied to a security group."
I know what you mean to say but that is, IMHO, a poor choice of words.

Group Policy cannot be applied to groups but rather can be filtered based on group membership. It's a big difference and I've seen it cause lots of confusion for people on forums, etc.

You should avoid Security filtering if possible because of the difficulty in troubleshooting and configuration it adds.

Those Test OUs might be overkill but you should definitely consider what dhoffman_98 was saying about the administrative structure of your organization.
csimmons1324IT Manager

Author

Commented:
I am the only one doing any type of administration.  I am strictly using these OUs to apply group policies.  

My_Username... if the Test OUs are overkill then what would you recommend doing for those users and machines I want to use for testing purposes?

If someone could give me a breakdown on how they would setup my AD so I can see examples, that would be great!

Thanks!
Jeremy WeisingerSenior Network Consultant / Engineer
CERTIFIED EXPERT

Commented:
I said "might" because I've been able to do most of my testing using one OU plus some RSoP in Planning mode. But your circumstances may differ.
csimmons1324IT Manager

Author

Commented:
dhoffman,

I completely agree with you that there is more than one way to accomplish this.  This is why I turned to the people on here to give me some suggestions and ideas.  

I actually thought about filtering the GPOs with Security Filtering as you are currently doing.  I feel that it would help clean up my AD quite a bit.  However, I wasn't sure if it was a good tactic or not.  It would be interesting to see what others have to say about this.

Thanks!
csimmons1324IT Manager

Author

Commented:
Here is what I came up with:

- Lake City (Organizational Unit for our Headquarters)
     - Groups (Organizational Unit to hold all Security and Distribution Groups)
     - Servers (Organizational Unit to hold all Servers)
     - Users (Organizational Unit)
          - Main Office (Organizational Unit to hold all Users in Main Office)
          - Plant 1 (Organizational Unit to hold all Users in Plant 1)
          - Plant 2 (Organizational Unit to hold all Users in Plant 2)
          - Plant 3 (Organizational Unit to hold all Users in Plant 3)
     - Workstations (Organizational Unit)
          - Main Office (Organizational Unit to hold all Workstations in Main Office)
          - Plant 1 (Organizational Unit to hold all Workstations in Plant 1)
          - Plant 2 (Organizational Unit to hold all Workstations in Plant 2)
          - Plant 3 (Organizational Unit to hold all Workstations in Plant 3)

- Remote (Organizational Unit for our Outside Sales People)
     - Users (Organizational Unit to hold all Outside Sales People)
     - Workstations (Organizational Unit to hold all Workstations for Outside Sales People)

I could have put all the remote users and their workstations under the Lake City OU, but due to the type of VPN client we are using, certain Group Policies do not work properly for those that connect via a VPN connection.  

Also, there are certain Group Policies that I would want to apply to all users EXCEPT those that are remote.  With this setup, I can now link the GP to the Users OU under Lake City and not have the policy pushed out to those remote users.  

As for my Test Users and Computers, I plan on creating a group with these users and computers.  I will then link the GP to the proper OU and use Security Filtering to only apply the policy to those within the Test group.

Does this sound reasonable?  
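Putting the layout above into practice, as an added example (this is not code from the thread or from any of its participants): the script builds the reorganised OU tree from this post, links GPOs the way the thread settled on (a per-site Workstations OU per building, the "all users except remote" policy linked at Lake City\Users, and a Test security group with GPO security filtering rather than Test OUs), and it also covers the earlier suggestion of filtering a GPO to a global group. It uses the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin host. The domain is read from the environment; every OU, group, GPO and account name (`GPO-Test`, `jdoe`, `WS-TEST01`, the GPO names) is an assumption for illustration.

```powershell
# Added example, not from the original thread. Builds the OU tree from the post above,
# links GPOs to OUs, and sets up the Test group with security filtering done correctly.
# Requires RSAT (ActiveDirectory + GroupPolicy modules) on a domain-joined admin host.
# All OU, group, GPO and account names below are assumptions for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# The author's final layout: Test OUs dropped, Remote a sibling of Lake City so that
# anything linked under Lake City never reaches the VPN users.
$ouTree = [ordered]@{
    'Lake City' = [ordered]@{
        'Groups'       = @()
        'Servers'      = @()
        'Users'        = @('Main Office', 'Plant 1', 'Plant 2', 'Plant 3')
        'Workstations' = @('Main Office', 'Plant 1', 'Plant 2', 'Plant 3')
    }
    'Remote' = [ordered]@{
        'Users'        = @()
        'Workstations' = @()
    }
}

function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$Path"
}

foreach ($top in $ouTree.Keys) {
    $topDN = New-OUIfMissing -Name $top -Path $domainDN
    foreach ($child in $ouTree[$top].Keys) {
        $childDN = New-OUIfMissing -Name $child -Path $topDN
        foreach ($site in $ouTree[$top][$child]) { New-OUIfMissing -Name $site -Path $childDN | Out-Null }
    }
}

function Add-GpoLink {
    param([string]$GpoName, [string]$Target)
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
    # New-GPLink errors if the link already exists; harmless on re-runs.
    New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# "All users except remote": link at Lake City\Users and let inheritance do the rest.
Add-GpoLink -GpoName 'Users - Redirect My Documents' -Target "OU=Users,OU=Lake City,$domainDN"
# Per-building printers: link to each site's Workstations OU, no security filtering needed.
foreach ($site in $ouTree['Lake City']['Workstations']) {
    Add-GpoLink -GpoName "Printers - $site" -Target "OU=$site,OU=Workstations,OU=Lake City,$domainDN"
}

# Test population stays in its normal OU; a global security group decides who is in the pilot.
$groupsOU = "OU=Groups,OU=Lake City,$domainDN"
if (-not (Get-ADGroup -Filter "Name -eq 'GPO-Test'" -SearchBase $groupsOU)) {
    New-ADGroup -Name 'GPO-Test' -GroupScope Global -GroupCategory Security -Path $groupsOU `
        -Description 'Users and computers that receive pilot GPOs' | Out-Null
}
# Assumed pilot accounts. Computers must be members too for computer-side settings, and a
# computer only sees its new group membership after a reboot (the SID rides in its Kerberos ticket).
Add-ADGroupMember -Identity 'GPO-Test' -Members 'jdoe', 'WS-TEST01$'

function Set-GpoSecurityFilter {
    param([string]$GpoName, [string]$Target, [string]$GroupName)
    Add-GpoLink -GpoName $GpoName -Target $Target
    # Give the group Apply, then downgrade Authenticated Users from Apply to Read.
    # Skipping the downgrade is the classic mistake: everyone in the OU still gets the policy.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    # Keep that Read in place: since MS16-072 (2016) user policy is retrieved in the computer's
    # security context, so if computers lose Read on the GPO, filtered user settings silently stop applying.
    $applyTo = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    return $applyTo
}

$pilotGpo = 'Test - Pilot Settings'
$applyTo  = Set-GpoSecurityFilter -GpoName $pilotGpo -Target "OU=Users,OU=Lake City,$domainDN" -GroupName 'GPO-Test'
"'$pilotGpo' applies to: $($applyTo -join ', ')"   # should list only GPO-Test
```

The last line is the check worth keeping: after filtering, the only trustee with GpoApply should be the pilot group. When a filtered GPO does not show up on a client, `gpresult /h report.html` lists it under "Denied GPOs" with the reason "Security", which is the troubleshooting cost the thread warns about; the fix is almost always a missing group membership (or, for computers, a reboot) rather than the link itself.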
CERTIFIED EXPERT

Commented:
I like it. Looks like it will accomplish what you need.
Jeremy WeisingerSenior Network Consultant / Engineer
CERTIFIED EXPERT

Commented:
Ditto!
csimmons1324IT Manager

Author

Commented:
Thanks guys.  I appreciate all your help.  If there are no problems, I will split the points between both of you since each one of you made some valid points.

Jeremy WeisingerSenior Network Consultant / Engineer
CERTIFIED EXPERT

Commented:
I have no problems with a split. I'm just glad to help out! =)
CERTIFIED EXPERT

Commented:
Splitting is fine with me. Not like we really get much for the points. Just nice to help out sometimes. Thanks.