Solved

AD structure for company with groups split on two locations

Posted on 2008-10-01
Last Modified: 2013-11-05
I've been assigned the task to merge two domains into one. I will set up a new structure and migrate users into the new domain.

We have mainly two locations, and departments split over these locations.
Example:
We have 3 sales departments.
Sales internal is present in both locations
Sales external present in one location
Sales projects present in one location.

The same issue arises with other departments. Sales internal is one dep even though it's split on two locations.

I'm wondering about an, as far as I know, untraditional structure to solve this.
Example:
company.local
OU:
Sales
  Loc1
    Computers
    Users
  Loc2
    Computers
    Users

Groups in Loc1: Sales external Loc1 and Sales internal Loc1
Groups in Sales (among others): Sales internal, Sales external, Sales projects, Sales Loc1, Sales Loc2 and Sales everyone.

Users would be added to the group in their physical locations, so for example salesuser1 would only be added to Sales internal Loc1. Sales internal Loc1 would be joined to the following groups in OU Sales: Sales internal, Sales Loc1 and Sales everyone. Sales internal Loc1 would be joined to the following groups at root level: Everyone Loc1, and All local users. (don't use everyone group due to ftp server and other services set up)

I could then apply GP using security filtering based on department or physical location. Is this a structure that is advisable considering the strong link within a department split on two physical locations?


Question by:Intrepidity
4 Comments
 

Author Comment

by:Intrepidity
ID: 22615210
I might add that it's not really just different departments, the external sales is now in reality a company of its own (on paper, long story). I need to be able to isolate based on department/company even if it's split on different locations. This includes NTFS permissions and GP policies in effect. Print mappings and location of home folders are based on location. File shares and such are based partly on location and partly on department. Well, at least that's my plan anyways..

As they are used to being in our structure I see no reason in splitting it into several domains. This will just create more work as I see it.

With one OU for each sales dep I would get a lot of loc1 loc2 beneath them, and comp/users beneath that again. Several of these loc1/loc2 below sales/salesdep would then contain one user only.

Expert Comment

by:Henrik Johansson
ID: 22620090
Yes, the departments should be top-OU

As you're having multiple locations, you should think about creating different sites for each location. Place at least one (preferably at least two for redundancy) DC in each location, and create different AD-sites for the locations (assign subnets to site). As you can also link GPOs to site, location-OUs might be unnecessary.

Author Comment

by:Intrepidity
ID: 22627912
It will be set up with two sites with one DC at each location. Don't have the luxury of backup DCs, but both locations have 2x servers running on ESXi so getting a backup online can be done in minutes if a physical/virtual server fails. Would be extremely slow due to lack of performance - but it will work.

Using GPO linked to sites I would have to give everyone at a site the same printers for example. This might be the easiest solution, but I'm not sure if it's the best.

Accepted Solution

by:
Henrik Johansson earned 750 total points
ID: 22628075
If distributing GPOs based on location, it will be enough to link the GPOs to the site level. Just keep in mind that GPOs linked to Domain or OU-level will override site-GPOs.
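
The interaction discussed in this thread (nested groups used for security filtering, site-linked GPOs for location defaults, OU-linked GPOs overriding them) can be modelled in a few lines. This is an added example, not part of the original posts: the GPO names, settings and server paths are constructed, and the model leaves out Enforced links, Block Inheritance, link order, WMI filters and loopback processing.

```python
# Added illustration with constructed data; simplified model that ignores
# Enforced links, Block Inheritance, link order, WMI filters and loopback.
# Child group -> groups it is nested into. The first entry follows the
# question; the Loc2 entry is assumed by analogy.
NESTING = {
    "Sales internal Loc1": ["Sales internal", "Sales Loc1", "Sales everyone",
                            "Everyone Loc1", "All local users"],
    "Sales internal Loc2": ["Sales internal", "Sales Loc2", "Sales everyone"],
}

def effective_groups(direct):
    """Transitive group membership, so nested groups count for filtering."""
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(NESTING.get(group, []))
    return seen

# (name, link level, link target, security filter group, settings)
GPOS = [
    ("Loc1 defaults", "site", "Loc1", "Authenticated Users",
     {"printer": "loc1-main", "home": r"\\loc1-fs\home"}),
    ("Loc2 defaults", "site", "Loc2", "Authenticated Users",
     {"printer": "loc2-main", "home": r"\\loc2-fs\home"}),
    ("Sales internal", "ou", "Sales", "Sales internal",
     {"printer": "sales-colour", "share": r"\\fs\sales-internal"}),
    ("Sales external", "ou", "Sales", "Sales external",
     {"share": r"\\fs\sales-external"}),
]

def resultant_settings(site, ou_path, direct_groups):
    """Apply GPOs in site -> domain -> OU (parent first) order; last wins."""
    groups = effective_groups(direct_groups) | {"Authenticated Users"}
    def order(gpo):
        _, level, target, _, _ = gpo
        if level == "site":
            return (0, 0) if target == site else None
        if level == "ou":
            return (2, ou_path.index(target)) if target in ou_path else None
        return (1, 0)  # domain-linked
    linked = [(order(g), g) for g in GPOS
              if g[3] in groups and order(g) is not None]
    linked.sort(key=lambda pair: pair[0])
    result = {}
    for _, (name, _, _, _, settings) in linked:
        for key, value in settings.items():
            result[key] = (value, name)  # keep the winning GPO for auditing
    return result
```

Calling `resultant_settings("Loc1", ["Sales", "Loc1"], ["Sales internal Loc1"])` returns each setting with the GPO that won it. On a real domain, `gpresult /r` on a client shows which GPOs were actually applied or filtered out.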