Solved

AD structure for company with groups split on two locations

Posted on 2008-10-01
4
305 Views
Last Modified: 2013-11-05
I´ve been assigned the task to merge two domains into one. I will set up a new structure and migrate users into the new domain.

We have mainly two locations, and departments split over these locations.
Example:
We have 3 sales departments.
Sales internal is present in both locations
Sales external present in one location
Sales projects present in one location.

The same issue arises with other departments. Sales internal is one dep even though it´s split on two locations.

I´m wondering about an, as far as I know, untraditional structure to solve this .
Example:
company.local
OU:
Sales
  Loc1
    Computers
    Users
  Loc2
    Computers
    Users

Groups in Loc1: Sales external  Loc1 and Sales internal Loc1
Groups in Sales (among others): Sales internal, Sales external, Sales projects, Sales Loc1, Sales Loc2 and Sales everyone.

Users would be added to the group in they´re physical locations, so example salesuser1 would only be added to Sales internal Loc1. Sales internal Loc1 would be joined to following groups in OU Sales: Sales internal, Sales Loc1 and Sales everyone. Sales internal Loc1 would be joined to following groups in rootlevel: Everyone Loc1, and All local users. (don´t use everyone group due to ftp server and other services set up)

I could then apply GP using security filtering based on department or physical location. Is this a structure that is advisable considering the strong link within a departmens split on two phycisal locations?


0
Comment
Question by:Intrepidity
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 

Author Comment

by:Intrepidity
ID: 22615210
I might add that its not really just diff departments, the external sales is now in realy a company of it´s own(on paper, long story). I need to be able to isolate based on department/company even if it´s split on diffrent locations. This include NTFS permissions and GP policies in effect. Print mappings and location of home folders are based on location. File shares and such are based partly on location and partly on department. Well, at least that´s my plan anyways..

As they are used to being in our structure I see no reason in splitting it into several domains. This will just create more work as I see it.

With one OU for each sales dep I would get a lot of loc1 loc2 beneath them, and comp/users beneath that again. Severel of these loc1/loc2 below sales/salesdep would then contain one user only.
0
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 22620090
Yes, the departments should be top-OU

As you're having multiple locations, you should think about creating different sites for each location. Place atleast one (preferably atleast two for redudancy) DC in each location, and create different AD-sites for the locations (assign subnets to site). As you can also link GPOs to site, location-OUs might be unnecessary.
0
 

Author Comment

by:Intrepidity
ID: 22627912
It will be set up with two sites with one DC at each location. Don't have the luxary of backup DC's, but both locations have 2x servers running on ESXi so getting a backup online can be done in minutes if a physical/virtual server fails. Would be extremely slow due to lack of performance - but it will work.

Using GPO linked to sites I would have to give everyone at a site the same printers for example. This might be the easiest solution, but I'm not sure if it's the best.
0
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 250 total points
ID: 22628075
If distributing GPOs based on location, it will be enough to link the GPOs to the site level. Just keep in mind that GPOs linked to Domain or OU-level will override site-GPOs.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question