Solved

Help with Organizing Active Directory

Posted on 2007-10-02
Last Modified: 2008-06-01
I am trying to configure my Active Directory in the most efficient manner.  However, this is my first time doing this so I need some assistance.  

We currently run under one domain at my company (roughly 50 users and 7 servers).  There are four physical buildings on the property.  Here is how I currently have AD setup:

- Corp (Organizational Unit)
     - Groups (Organizational Unit to hold all Security and Distribution Groups)
     - Servers (Organizational Unit to hold all Servers)
     - Users (Organizational Unit)
          - Main Office (Organizational Unit to hold all Users in Main Office)
               - Test (Organizational Unit to hold all Test Users in Main Office)
          - Plant 1 (Organizational Unit to hold all Users in Plant 1)
               - Test (Organizational Unit to hold all Test Users in Plant 1)
          - Plant 2 (Organizational Unit to hold all Users in Plant 2)
               - Test (Organizational Unit to hold all Test Users in Plant 2)
          - Plant 3 (Organizational Unit to hold all Users in Plant 3)
               - Test (Organizational Unit to hold all Test Users in Plant 3)
          - Remote (Organizational Unit to hold all Remote Users)
               - Test (Organizational Unit to hold all Test Remote Users)
     - Workstations (Organizational Unit)
          - Main Office (Organizational Unit to hold all Workstations in Main Office)
               - Test (Organizational Unit to hold all Test Workstations in Main Office)
          - Plant 1 (Organizational Unit to hold all Workstations in Plant 1)
               - Test (Organizational Unit to hold all Test Workstations in Plant 1)
          - Plant 2 (Organizational Unit to hold all Workstations in Plant 2)
               - Test (Organizational Unit to hold all Test Workstations in Plant 2)
          - Plant 3 (Organizational Unit to hold all Workstations in Plant 3)
               - Test (Organizational Unit to hold all Test Workstations in Plant 3)
          - Remote (Organizational Unit to hold all Remote Workstations)
               - Test (Organizational Unit to hold all Test Remote Workstations)

The reason I have AD setup like this is because I apply certain group policies to all users (ex. Redirecting My Documents), and I apply certain group policies depending on which building they are in (ex. Mapping printers for that building).  The Test OUs contain the users and computers that I use for testing purposes (windows updates, testing new GPs, etc.).

Is there a better way of organizing my AD?

Thanks,

Chris
Question by:csimmons1324
13 Comments
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 20000878
One example of why you might want to break down to additional OUs is to delegate authority over them... for example, making an OU admin... But if all you are using this structure for is applying GPOs, then it's overkill.

Remember that group policies can be applied to a security group. If there is no need to create a separate organizational structure, then there is no need to make your OU picture look that complicated.

Create your group policies for your printer mapping and link them to your Workstations OU. Then create global groups for Main Office, Plant 1, Plant 2, Plant 3, and Remote, with the proper settings for printer mappings and such, and use the GPO Security Filtering so that the GPOs only apply to the right group.
0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 20000959
"Remember that group policies can be applied to a security group."
I know what you mean to say but that is, IMHO, a poor choice of words.

Group Policy cannot be applied to groups but rather can be filtered based on group membership. It's a big difference and I've seen it cause lots of confusion for people on forums, etc.

You should avoid Security filtering if possible because of the difficulty in troubleshooting and configuration it adds.

Those Test OUs might be overkill but you should definitely consider what dhoffman_98 was saying about the administrative structure of your organization.
0
 

Author Comment

by:csimmons1324
ID: 20000997
I am the only one doing any type of administration.  I am strictly using these OUs to apply group policies.  

My_Username....if the Test OUs are overkill then what would you recommend doing for those users and machines I want to use for testing purposes?

If someone could give me a breakdown on how they would setup my AD so I can see examples, that would be great!

Thanks!
0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 20001048
I said "might" because I've been able to do most of my testing using one OU plus some RSoP in Planning mode. But your circumstances may differ.
0
 
LVL 23

Accepted Solution

by:
Jeremy Weisinger earned 1000 total points
ID: 20001072
Others may have a better design (and yours wasn't bad IMO) but here's how I'd change yours.

- Corp (Organizational Unit)
     - Groups (Organizational Unit to hold all Security and Distribution Groups)
     - Servers (Organizational Unit to hold all Servers)
     - Users (Organizational Unit)
          - Main Office (Organizational Unit to hold all Users in Main Office)
          - Plant 1 (Organizational Unit to hold all Users in Plant 1)
          - Plant 2 (Organizational Unit to hold all Users in Plant 2)
          - Plant 3 (Organizational Unit to hold all Users in Plant 3)
          - Remote (Organizational Unit to hold all Remote Users)
     - Workstations (Organizational Unit)
          - Main Office (Organizational Unit to hold all Workstations in Main Office)
          - Plant 1 (Organizational Unit to hold all Workstations in Plant 1)
          - Plant 2 (Organizational Unit to hold all Workstations in Plant 2)
          - Plant 3 (Organizational Unit to hold all Workstations in Plant 3)
          - Remote (Organizational Unit to hold all Remote Workstations)
- Test (OU)
- Jokes (OU) note: use with extreme caution!!! ;)
0
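As an added example (not code from the thread or from either expert), the layout in the accepted answer expressed as an idempotent PowerShell script. It assumes the RSAT ActiveDirectory module, which means Windows Server 2008 R2 or later rather than the 2003-era domain in this thread (where dsadd or ldifde would do the same job), and it assumes the account running it may create OUs under the domain root. Site names are the ones from the answer; everything else is derived from the domain.

```powershell
# Added example, not code from the thread: creates the OU tree from the
# accepted answer with the ActiveDirectory module. Assumes Server 2008 R2+
# with RSAT and a user that can create OUs at the domain root.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName
$Sites    = 'Main Office', 'Plant 1', 'Plant 2', 'Plant 3', 'Remote'

# Creates an OU only if it does not already exist, so the script can be re-run.
# ProtectedFromAccidentalDeletion is the module default; it is set explicitly
# here so the protection survives if a later edit changes the call.
function Ensure-OU {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ParentDN
    )
    $dn = "OU=$Name,$ParentDN"
    $existing = Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'" -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
        Write-Host "Created $dn"
    }
    return $dn
}

# Top level: Corp, plus the site-independent Test OU the answer moves out of Corp.
$corp = Ensure-OU -Name 'Corp' -ParentDN $DomainDN
$null = Ensure-OU -Name 'Test' -ParentDN $DomainDN

# Corp\Groups and Corp\Servers are company-wide.
foreach ($leaf in 'Groups', 'Servers') {
    $null = Ensure-OU -Name $leaf -ParentDN $corp
}

# Corp\Users\<site> and Corp\Workstations\<site>: one child OU per building,
# which is where the per-building GPOs (printer mappings) get linked.
foreach ($kind in 'Users', 'Workstations') {
    $kindDN = Ensure-OU -Name $kind -ParentDN $corp
    foreach ($site in $Sites) {
        $null = Ensure-OU -Name $site -ParentDN $kindDN
    }
}

# Check: list the tree as AD actually stores it.
Get-ADOrganizationalUnit -SearchBase "OU=Corp,$DomainDN" -Filter * |
    Sort-Object DistinguishedName |
    Select-Object -ExpandProperty DistinguishedName
```

Naming an OU "Users" does not collide with the built-in CN=Users container, because that object is a container, not an OU, and lives under a different RDN. Keeping the tree shallow, as the answer does, also keeps the Group Policy inheritance chain short, which is what makes RSoP output readable when a setting does not land where you expect.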
 
LVL 13

Assisted Solution

by:dhoffman_98
dhoffman_98 earned 1000 total points
ID: 20001599
OK, sorry for the confusion there... I went back and re-read my first post and saw how it could be confusing.

I don't have any objection to using security filtering to cause GPOs to only have an effect on particular groups, computers, or machines, but as My_Username stated, his/her opinion is not to use them.

That being the case, you still need to make a decision about whether you really need all the OUs for only applying GPOs, or if you can accomplish the same thing by using groups like I originally suggested. Either way will work.

But something to keep in mind... what happens if you have some policy that you want to set on only some of the machines in your OU. Do you then create another smaller OU under that? Do you create Plant 3, and then under that create "Print Servers", and then "SQL Servers", etc.?

My environment is much much larger than yours (14000 users and a 400+ servers), so separating each individual role by OU would have been a nightmare. Instead, I have situations where I might have an OU for computers that are located at the same site, in which case I can apply a GPO for all of those machines in the OU. But if I have a specific policy that only needs to apply to SQL servers... rather than putting them in their own OU, they are simply a member of a group, and security filtering lets me define that only that group can read the policy.

Not to say that My_Username's comments are invalid... there is just more than one way to accomplish what you are trying to do.
0
 

Author Comment

by:csimmons1324
ID: 20001951
dhoffman,

I completely agree with you that there is more than one way to accomplish this.  This is why I turned to the people on here to give me some suggestions and ideas.  

I actually thought about filtering the GPOs with Security Filtering as you are currently doing.  I feel that it would help clean up my AD quite a bit.  However, I wasn't sure if it was a good tactic or not.  It would be interesting to see what others have to say about this.

Thanks!
0
 

Author Comment

by:csimmons1324
ID: 20007159
Here is what I came up with:

- Lake City (Organizational Unit for our Headquarters)
     - Groups (Organizational Unit to hold all Security and Distribution Groups)
     - Servers (Organizational Unit to hold all Servers)
     - Users (Organizational Unit)
          - Main Office (Organizational Unit to hold all Users in Main Office)
          - Plant 1 (Organizational Unit to hold all Users in Plant 1)
          - Plant 2 (Organizational Unit to hold all Users in Plant 2)
          - Plant 3 (Organizational Unit to hold all Users in Plant 3)
     - Workstations (Organizational Unit)
          - Main Office (Organizational Unit to hold all Workstations in Main Office)
          - Plant 1 (Organizational Unit to hold all Workstations in Plant 1)
          - Plant 2 (Organizational Unit to hold all Workstations in Plant 2)
          - Plant 3 (Organizational Unit to hold all Workstations in Plant 3)

- Remote (Organizational Unit for our Outside Sales People)
     - Users (Organizational Unit to hold all Outside Sales People)
     - Workstations (Organizational Unit to hold all Workstations for Outside Sales People)

I could have put all the remote users and their workstations under the Lake City OU but due to the type of VPN Client we are using certain Group Policies do not work properly for those that connect via a VPN connection.  

Also, there are certain Group Policies that I would want to apply to all users EXCEPT those that are remote.  With this setup, now I can link the GP to the Users OU unit under Lake City and not have the policy pushed out to those remote users.  

As for my Test Users and Computers, I plan on creating a group with these users and computers.  I will then link the GP to the proper OU and use Security Filtering to only apply the policy to those within the Test group.

Does this sound reasonable?  
0
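As an added example (not code from the thread or from anyone in it), here is Chris's final plan for the test users and computers in PowerShell: leave them in their normal site OUs, put them in one global security group, and use Security Filtering so a pilot GPO linked to the site OU applies only to that group. The same pattern serves dhoffman_98's earlier suggestion of per-building groups for printer mappings. It assumes the RSAT ActiveDirectory and GroupPolicy modules (Server 2008 R2 or later); the group name GPO-Test-Pilot, the GPO name, and the accounts testuser1 and TESTPC01 are constructed placeholders, and the OU paths follow the Lake City design above.

```powershell
# Added example, not code from the thread: security filtering for a Test group.
# Assumes RSAT ActiveDirectory + GroupPolicy modules (Server 2008 R2 or later).
# Group, GPO and account names are constructed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN  = (Get-ADDomain).DistinguishedName
$GroupsOU  = "OU=Groups,OU=Lake City,$DomainDN"                      # from the final design
$TargetOU  = "OU=Main Office,OU=Workstations,OU=Lake City,$DomainDN" # where the test PCs live
$TestGroup = 'GPO-Test-Pilot'                                         # constructed
$GpoName   = 'Test - Pilot Settings'                                  # constructed

# 1. One global security group holds both the test users and the test computers.
if (-not (Get-ADGroup -Filter "Name -eq '$TestGroup'")) {
    New-ADGroup -Name $TestGroup -GroupScope Global -GroupCategory Security `
        -Path $GroupsOU -Description 'Pilot ring: new GPOs and updates land here first'
}
# Pass AD objects rather than bare names: a computer's sAMAccountName ends in $,
# which is easy to get wrong as a string and fails silently in some tools.
Add-ADGroupMember -Identity $TestGroup -Members (Get-ADUser 'testuser1'), (Get-ADComputer 'TESTPC01')

# 2. Create the GPO if it is absent and link it to the OU the test objects already live in.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Security filtered to $TestGroup only"
}
$alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 3. Security filtering. A new GPO grants Authenticated Users Read + Apply, so
#    everything under the link would receive it. Lower that to Read only
#    (-Replace is needed to lower an existing level) and grant Apply to the group.
#    Do NOT remove Read from Authenticated Users: since MS16-072 (June 2016) the
#    computer account fetches user policy, and a GPO it cannot read silently
#    stops applying, which is the classic "filtering broke my GPO" symptom.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TestGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Check the resulting ACL; then on a member run "gpupdate /force" and "gpresult /r"
#    and confirm the GPO appears under Applied (not Filtering: Denied (Security)).
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize
```

The check in step 4 is the part to keep: Jeremy's troubleshooting objection to security filtering is real, because a filtered GPO that does not apply leaves no error, only a "Denied (Security)" line in gpresult or the GPMC Group Policy Results report. Linking the GPO to every site OU that contains a test machine, rather than to the domain root, also keeps the Remote OU exclusion intact, since the link never touches that branch.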
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 20007561
I like it. Looks like it will accomplish what you need.
0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 20007716
Ditto!
0
 

Author Comment

by:csimmons1324
ID: 20007730
Thanks guys.  I appreciate all your help.  If there are no problems, I will split the points between both of you since each one of you made some valid points.

0
 
LVL 23

Expert Comment

by:Jeremy Weisinger
ID: 20007896
I have no problems with a split. I'm just glad to help out! =)
0
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 20008232
Splitting is fine with me. Not like we really get much for the points. Just nice to help out sometimes. Thanks.
0
