I am building Active Directory for a company with multiple locations. As everyone knows, by default all users go into the Users folder and all computers go into the Computers folder. I am thinking of using that logic in the layout of my OUs for Locations and Departments.
Example: I want to create an OU for Head Quarters and within that OU have Departmental OUs, then break them down into a Users OU and a Workstations OU for each of the department OUs. Does this sound like a logical approach? Or am I making things too complex?
The ability to form structures in Active Directory is an administrative convenience. The hierarchical structure is there to make your job easier (whether that is identity management, or application of policies, or any other reason). If the structure you design does that then by all means go for it. However, do remember that the more complex you make the structure the harder it is to maintain over time.
No matter how complex or simple your structure I advise you strive to keep it neat and tidy. That includes, but is not limited to:
* Using tools like DSQuery, or OldCmp, or your own scripts to get rid of users and computers that no longer work for you
* Establish procedures with HR for new starters and, equally importantly, leavers
* Monitoring usage (or lack of usage) of distribution lists (actually quite easy with Exchange 2007)
* When creating groups, if it is remotely obscure, make sure you give it a Description!
* Clean out empty groups (could use an LDAP query in AD Users and Computers to find those quickly). Just not the built-in / default groups.
* Populate the organisational attributes on accounts (either manually or automatically).
* Manage assignment of permissions throughout your domain (File System Permissions). You can use whatever fits, but sticking to only assigning permissions to groups does make life a lot easier. (See http://technet.microsoft.com/en-us/library/bb727067.aspx under Security Groups)
* Come up with some naming conventions for groups, users and computers and stick to them :)
It sounds like a lot, but it can become habit very quickly... hmmm then you find there's not much work to do ;)
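As an added example (not part of the original answer), here is a read-only PowerShell report covering three of the clean-up items listed above: stale accounts, empty groups, and groups without a Description. It assumes the ActiveDirectory RSAT module is installed; the 90-day threshold and the output folder are placeholders to adjust.

```powershell
# Read-only AD hygiene report: nothing is modified or deleted.
Import-Module ActiveDirectory

$StaleDays = 90                 # assumed threshold; align with your leaver procedure
$OutDir    = 'C:\Temp\ADReport' # hypothetical output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Enabled user and computer accounts with no logon for $StaleDays days.
#    Search-ADAccount relies on lastLogonTimestamp, which can lag by up to
#    about 14 days, so keep the threshold well above that.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $StaleDays) |
    Where-Object { $_.Enabled } |
    Select-Object Name, ObjectClass, LastLogonDate, DistinguishedName |
    Export-Csv (Join-Path $OutDir 'stale-accounts.csv') -NoTypeInformation

# Exclude built-in / default groups: they are flagged isCriticalSystemObject
# or live under CN=Builtin.
$notBuiltIn = '(!(isCriticalSystemObject=TRUE))'
$skipBuiltinContainer = { $_.DistinguishedName -notlike '*,CN=Builtin,*' }

# 2. Groups with no values in 'member'.
#    Caveat: membership through an account's primary group is not stored in
#    'member', so confirm a group is not used as a primary group before
#    treating it as empty.
Get-ADGroup -LDAPFilter "(&(objectCategory=group)(!(member=*))$notBuiltIn)" `
        -Properties Description, whenCreated |
    Where-Object $skipBuiltinContainer |
    Select-Object Name, GroupScope, GroupCategory, whenCreated, Description, DistinguishedName |
    Export-Csv (Join-Path $OutDir 'empty-groups.csv') -NoTypeInformation

# 3. Groups that have no Description set.
Get-ADGroup -LDAPFilter "(&(objectCategory=group)(!(description=*))$notBuiltIn)" `
        -Properties whenCreated |
    Where-Object $skipBuiltinContainer |
    Select-Object Name, GroupScope, GroupCategory, whenCreated, DistinguishedName |
    Export-Csv (Join-Path $OutDir 'groups-without-description.csv') -NoTypeInformation
```

Review the CSVs before acting on them; disabling a stale account first and deleting it later leaves room to recover from a false positive.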
Too complex I think for now
http://www.experts-exchang
See my answer there about OU design considerations
Thanks
Mike