Organizational Units (OU) on Windows Server 2008

cybergenie asked:
Hello,

We want to set up a Windows Server 2008 environment + Exchange 2007 and Terminal Services access.

We have several physically as well as logically divided departments. Most of them only have 2-5 users. They are like companies within the company.
Each department has its own email domain: department1.com, department2.com etc.
Each department will have its own set of shared folders and printers.

If we were to use OUs (Organizational Units), how strictly would we be able to restrict the access between each OU?

It is important that one OU doesn't even see another OU's shared folders, Exchange users etc.
We preferably want to limit access to certain applications across the OUs. This might be the case with one OU's internal bookkeeping software, which we don't want users outside this OU to access.
And finally: what happens if a user in one OU plugs a USB memory drive into his/her Thin Client - will other users within as well as outside the OU be able to see and access it?

Are OUs the right way of accomplishing this? Or are there other suggestions?

Thanks

Kari
Commented:
On the Exchange part, restricting the users so that they only see each other in Exchange 2007 can be done, but it is a lot of work. You are looking at setting up address list segregation. Microsoft has a white paper on that:
http://technet.microsoft.com/en-us/library/bb936719.aspx

Shared folders etc. are a matter of setting the relevant permissions - you can't use OUs for that, so you will need to use groups. There is an option called Access-Based Enumeration which can be enabled, which means that users can only see folders that they have permissions to.

As for plugging a memory stick in, that depends on how your terminal services are configured. USB is normally restricted to the session it is connected to though, that is kinda the point.

Simon.
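The address list segregation Simon refers to, scripted for the Exchange 2007 Management Shell. This is an added example and not code from the thread or from Microsoft's white paper. It assumes (placeholders, none of them from the original) that one department's mailboxes live in OU=Department1,DC=corp,DC=local, that the value dept1 in CustomAttribute1 marks them, and that CORP\Dept1 Users is an existing security group. The white paper applies the deny permissions with ADSI Edit; Add-ADPermission is used here instead to do the same thing from the shell.

```powershell
# Added example, not from the original thread. Exchange 2007 Management Shell,
# run as an Exchange Organization Administrator. All names below are placeholders.
$ou    = "OU=Department1,DC=corp,DC=local"   # assumption: the department's OU
$tag   = "dept1"                             # assumption: value used in CustomAttribute1
$group = "CORP\Dept1 Users"                  # assumption: existing security group
$name  = "Department1"

# 1. Tag every mailbox of the department so that recipient filters can select it.
Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Set-Mailbox -CustomAttribute1 $tag

# 2. A GAL, an address list and an offline address book that only contain tagged recipients.
#    The filter is an OPATH string, which is what -RecipientFilter expects.
$filter = "CustomAttribute1 -eq '$tag'"
New-GlobalAddressList  -Name "$name GAL"   -RecipientFilter $filter
New-AddressList        -Name "$name Users" -RecipientFilter $filter
New-OfflineAddressBook -Name "$name OAB"   -AddressLists "$name GAL"

# 3. Cached-mode Outlook reads the OAB, not the GAL, so point the mailboxes at their own OAB.
Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
    Set-Mailbox -OfflineAddressBook "$name OAB"

# 4. The segregation itself is an ACL: deny the department group Read on every GAL and
#    address list that is not its own. Outlook then falls back to the one GAL the user can
#    read. Without this step the whole company is still visible.
Get-GlobalAddressList |
    Where-Object { $_.Name -ne "$name GAL" } |
    ForEach-Object {
        Add-ADPermission -Identity $_.DistinguishedName -User $group `
            -AccessRights GenericRead -Deny
    }
Get-AddressList |
    Where-Object { $_.Name -ne "$name Users" } |
    ForEach-Object {
        Add-ADPermission -Identity $_.DistinguishedName -User $group `
            -AccessRights GenericRead -Deny
    }

# 5. Rebuild the lists so the new membership and the OAB are published.
Update-GlobalAddressList  -Identity "$name GAL"
Update-AddressList        -Identity "$name Users"
Update-OfflineAddressBook -Identity "$name OAB"
```

Repeat the block once per department with its own tag and group. Verify the result the way an attacker would, not from the console: log on to Outlook Web Access or a cached-mode Outlook profile as a member of Dept1 Users and open the address book; it should list only that department. Also check the deny entries with Get-ADPermission on each list, because a group that is mistakenly left off one list sees that list in full. Note that this is purely an access-control trick on the directory objects: mail between departments still flows, and anyone who can enumerate Active Directory with LDAP directly (the Authenticated Users default) can still read the recipient attributes.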
Commented:
Sounds like you want to set up multiple domains inside a company-wide forest. That will allow you to have complete control of segregation of resources, management, etc... but it does add a significant amount of complexity.

You will need a server functioning as a Domain Controller for each department.

Author commented:
Thank you for your quick replies, which are spot on.

Meshta:
How about controlling access to applications - how would you go about that?

spassero:
Pardon my basic knowledge of multiple domains and forests, but is it possible to run multiple domains on one and the same (physical or virtual) server? Or do I need one server instance for each domain?

Or let me rephrase the question: can one server act as domain controller for multiple domains?

Thanks guys.

Kari
Commented:
I would disagree with the multiple domains suggestion because of the small number of users in some groups.

Access to applications would be done via groups again. OUs are not used for permissions, that is what groups are for.

Simon.
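Simon's two points above, that OUs organise accounts while groups carry the permissions on shared folders (with Access-Based Enumeration hiding what a user cannot open), and that access to an application such as the bookkeeping package is controlled with the same groups, as one worked example. It also covers his earlier remark that the USB question comes down to how Terminal Services is configured, by turning drive redirection off on the TS host. This is an added example, not code from the thread. Placeholders and assumptions not in the original: the domain is CORP, the departments are Department1 and Department2, the file server keeps shares under D:\Shares and applications under D:\Apps, the ActiveDirectory module is available (RSAT on Server 2008 R2 or later), and the SmbShare module is available for the share step (Server 2012 or later; on Server 2008 itself the same Access-Based Enumeration switch is set per share in the Share and Storage Management console).

```powershell
# Added example, not from the original thread. Run as a Domain Admin on the file
# server / Terminal Services host. All names are placeholders (see lead-in).
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$domainDN    = $domain.DistinguishedName         # e.g. DC=corp,DC=local
$netbios     = $domain.NetBIOSName               # e.g. CORP
$departments = @("Department1", "Department2")   # constructed sample

foreach ($d in $departments) {
    $ouDN  = "OU=$d,$domainDN"
    $group = "$d Users"

    # 1. The OU only scopes delegation and Group Policy; it grants no access by itself.
    New-ADOrganizationalUnit -Name $d -Path $domainDN -ProtectedFromAccidentalDeletion $true

    # 2. The security group is what shows up in every ACL for this department.
    New-ADGroup -Name $group -SamAccountName $group -GroupScope Global `
        -GroupCategory Security -Path $ouDN
    Get-ADUser -Filter * -SearchBase $ouDN |
        ForEach-Object { Add-ADGroupMember -Identity $group -Members $_ }

    # 3. Department share. Strip inherited ACEs first, otherwise "Users" inherited from
    #    the volume root would let every department read the folder.
    $shareDir = "D:\Shares\$d"
    New-Item -ItemType Directory -Path $shareDir -Force | Out-Null
    icacls $shareDir /inheritance:r `
        /grant:r "${netbios}\${group}:(OI)(CI)M" `
        /grant:r "BUILTIN\Administrators:(OI)(CI)F" `
        /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"

    #    Hidden share name ($ suffix) so it is not listed when browsing the server.
    #    NTFS does the real filtering; ABE hides folders the caller cannot read.
    New-SmbShare -Name "$d`$" -Path $shareDir -FullAccess "Authenticated Users" `
        -FolderEnumerationMode AccessBased

    # 4. Application folder (e.g. the bookkeeping package on the TS host): read and
    #    execute for this department's group only, so other users cannot even start it.
    $appDir = "D:\Apps\$d"
    New-Item -ItemType Directory -Path $appDir -Force | Out-Null
    icacls $appDir /inheritance:r `
        /grant:r "${netbios}\${group}:(OI)(CI)RX" `
        /grant:r "BUILTIN\Administrators:(OI)(CI)F" `
        /grant:r "NT AUTHORITY\SYSTEM:(OI)(CI)F"
}

# 5. Terminal Services: keep a user's USB stick out of the session altogether.
#    fDisableCdm is the registry value behind the "Do not allow drive redirection"
#    policy; in production set it through a GPO linked to the TS host's OU.
$tsPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
New-Item -Path $tsPolicy -Force | Out-Null
Set-ItemProperty -Path $tsPolicy -Name fDisableCdm -Value 1 -Type DWord
```

Two things to check after running it. First, test as a member of Department2 Users: \\server\Department1$ must return access denied, and the bookkeeping executable under D:\Apps\Department1 must not launch even if the user knows the path; ABE only hides names, the NTFS deny-by-omission is what enforces it. Second, the application step relies on the package living in its own folder; if it is installed under a shared Program Files tree that other departments also need, move it or it inherits the broad read permissions again. Drive redirection is a per-host setting, so on a TS farm it must be applied to every host or a user can simply reconnect to one that still maps the stick.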
You are looking at doing ASE control on the OUs. Hosted Messaging and Collaboration does this for you as an all-in-one solution. Here is a TechNet article describing it vaguely: http://technet.microsoft.com/en-us/library/cc535322.aspx. We are looking into doing this as well, but manually, without using the whole Hosted Messaging.
