Solved

Active Directory (OU)

Posted on 2010-01-07
Last Modified: 2012-05-08
Hello experts,
I have a question related to the Organizational Unit design in our new Active Directory.
Some users from the same department would need different group policies and rights but again they would be inside the same folder which I would divide the users by different departments.

I want to create a design that would be easy to manage.

Think about laptops versus computers. They would have different policies applied.
Any ideas would help a lot.

Our new design would look like this:
PLAN A

- Employees or Users
  - Departments
    - Building & Development
    - Community Planning
    - Engineering
    - Finance
    - Fire
    - General Government
    - Police
    - Public Works

- Computers
  - Departments
    - Building & Development
    - Community Planning
    - Engineering
    - Finance
    - Fire
    - General Government
    - Police
    - Public Works

PLAN B

- Departments
  - Building & Development
    - Computers
    - Users
  - Community Planning
    - Computers
    - Users
  - Engineering
    - Computers
    - Users
  - Finance
    - Computers
    - Users
  - Fire
    - Computers
    - Users
  - General Government
    - Computers
    - Users
  - Police
    - Computers
    - Users
  - Public Works
    - Computers
    - Users



0
Question by:VillageNorthbrook
13 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1004 total points
ID: 26202729
I had some suggestions for OU design here:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24088696.html
I've been at places where different departments did need different policies and we went with something similar to Plan B.
Thanks
Mike
0
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 996 total points
ID: 26202764
I think both are equally good plans! It comes down to personal preference. I work two jobs. One uses a plan like A and the other uses a plan like B. I find that working vertically in AD works better for managing computers and users. Both of your plans do that.

I normally have a security group for laptops that I scope those policies down to. That way desktops and laptops can intermingle.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1004 total points
ID: 26202804
Jmoody is talking about security filtering in his second paragraph.  More info on security filtering here:
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike
0

 
LVL 22

Expert Comment

by:Joseph Moody
ID: 26202825
Thanks Mike! You are a lot better at explaining things than I am.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 26202847
I just happened to have a blog entry on it :)  You mentioned it first
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 26202857
I know. I subscribe to it!
0
 

Author Comment

by:VillageNorthbrook
ID: 26203002
So, using security or distribution groups would be the best way to add different policies to certain people in the same department? Plus adding all different group policies to the security/distribution group and allow or deny certain permissions to each GPO?!
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 26203011
Yep, but you will only use security groups to scope GPOs down.

Distribution groups are used in Exchange.
0
 

Author Comment

by:VillageNorthbrook
ID: 26203050
I got it and I liked that solution.
But it is still going to be complex.
Do you have any other ideas or suggestions to make it simpler and easy to manage?
Are there other options?!
0
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 996 total points
ID: 26203079
Once you get it going, it will be easy. It is made easier by the fact that you actually have a plan going into it instead of winging it.

If you haven't, draw out everything you can, including main security groups. I would also draw out the delegation you are going to apply. For example, we have certain techs that get to do certain things such as resetting passwords. Drawing out these delegations makes everything easy in the long run.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 1004 total points
ID: 26203082
I always start with a simple flat structure and go from there.  For instance if all the users can use the same settings just use one policy and link it at the domain.  
Thanks
Mike
0
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 996 total points
ID: 26203176
Mike is right. I manage school systems so my GPOs look like this. The left is an OU structure and the right shows how the GPOs are linked to that OU.

My OU "Domain Users" contains all sub OUs with users in them. The most basic user settings are set at that level. These include settings for UAC, shortcuts, homepages, etc. The OUs below (such as Staff) are a lot more specific to those users so a specific policy is created for that OU.


[Attached image: Untitled.jpg]
0
 

Author Comment

by:VillageNorthbrook
ID: 26293566
Thank you both!
I think all your answers helped me a lot.
0
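
The approach the thread settles on (the Plan B layout plus a laptop security group used for GPO security filtering) can be scripted as below. This is an added example, not code posted by anyone in the thread; the domain DN, the group name `GPO-Laptops` and the GPO name `Laptop Settings` are placeholder assumptions, and it needs the ActiveDirectory and GroupPolicy modules.

```powershell
# Added example: domain DN, group name and GPO name are assumptions, not from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn    = 'DC=example,DC=local'   # assumption: replace with your own domain DN
$departments = 'Building & Development', 'Community Planning', 'Engineering', 'Finance',
               'Fire', 'General Government', 'Police', 'Public Works'

# Plan B: Departments > <department> > Computers / Users
$root = New-ADOrganizationalUnit -Name 'Departments' -Path $domainDn -PassThru
foreach ($dept in $departments) {
    # -PassThru returns the new OU, so names containing '&' need no manual DN escaping
    $deptOu = New-ADOrganizationalUnit -Name $dept -Path $root.DistinguishedName -PassThru
    foreach ($child in 'Computers', 'Users') {
        New-ADOrganizationalUnit -Name $child -Path $deptOu.DistinguishedName
    }
}

# Security group (not a distribution group) holding the laptop computer accounts
New-ADGroup -Name 'GPO-Laptops' -GroupCategory Security -GroupScope Global `
            -Path $root.DistinguishedName

# One laptop GPO linked once at the top; every department OU inherits the link
$gpo = New-GPO -Name 'Laptop Settings'
New-GPLink -Name $gpo.DisplayName -Target $root.DistinguishedName | Out-Null

# Security filtering: only members of GPO-Laptops apply the policy.
# Authenticated Users is lowered from Apply to Read rather than removed, so
# computers can still read the GPO during processing.
Set-GPPermission -Name $gpo.DisplayName -TargetName 'GPO-Laptops' `
                 -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Review the resulting ACL: expect GpoApply for GPO-Laptops and GpoRead for
# Authenticated Users, alongside the default administrative entries
Get-GPPermission -Name $gpo.DisplayName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A laptop picks up the policy only after its computer account is added to the group and the machine restarts, since group membership is evaluated at startup.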
