
Active Directory (OU)

Hello experts,
I have a question related to the organizational Unit design in our new Active Directory.
Some users from the same department would need different group policies and rights but again they would be inside the same folder which I would divide the users by different departments.

I want to create a design that would be easy to manage.

Think about laptops versus computers. They would have different policies applied.
Any ideas would help a lot.

Our new design would look like this:
PLAN A

- Employees or Users
  - Departments
    - Building & Development
    - Community Planning
    - Engineering
    - Finance
    - Fire
    - General Government
    - Police
    - Public Works

- Computers
  - Departments
    - Building & Development
    - Community Planning
    - Engineering
    - Finance
    - Fire
    - General Government
    - Police
    - Public Works

PLAN B

- Departments
  - Building & Development
    - Computers
    - Users
  - Community Planning
    - Computers
    - Users
  - Engineering
    - Computers
    - Users
  - Finance
    - Computers
    - Users
  - Fire
    - Computers
    - Users
  - General Government
    - Computers
    - Users
  - Police
    - Computers
    - Users
  - Public Works
    - Computers
    - Users



Asked: VillageNorthbrook
 
Mike Kline Commented:
I had some suggestions for OU design here:
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24088696.html
I've been at places where different departments did need different policies and we went with something similar to Plan B.
Thanks
Mike
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
I think both are equally good plans! It comes down to personal preference. I work two jobs. One uses a plan like A and the other uses a plan like B. I find that working vertically in AD works better for managing computers and users. Both of your plans do that.

I normally have a security group for laptops that I scope those policies down to. That way desktops and laptops can intermingle.
 
Mike Kline Commented:
Jmoody is talking about security filtering in his second paragraph.  More info on security filtering here:
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Thanks
Mike
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
Thanks Mike! You are a lot better at explaining things than I am.
 
Mike Kline Commented:
I just happened to have a blog entry on it :)  You mentioned it first
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
I know. I subscribe to it!
 
VillageNorthbrook (Author) Commented:
So, using security or distribution groups would be the best way to add different policies to certain people in the same department? Plus adding all different group policies to the security/distribution group and allow or deny certain permissions to each GPO?!
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
Yep, but you will only use security groups to scope GPOs down.

Distribution groups are used in Exchange.
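Added example, not part of the original thread or any participant's own script: the security filtering discussed above, sketched in PowerShell for one Plan B department. The domain DN, the group name `GPO-Laptops` and the GPO name `Laptop Settings` are assumptions; it relies on the ActiveDirectory and GroupPolicy RSAT modules.

```powershell
# Added illustration: Plan B layout for one department plus a laptop-only GPO
# scoped with security filtering. All names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=local'   # placeholder domain
$dept     = 'Finance'               # one department from the plan
$gpoName  = 'Laptop Settings'       # hypothetical GPO name
$group    = 'GPO-Laptops'           # hypothetical security group name

# Plan B: Departments > <department> > Computers / Users
$root   = "OU=Departments,$domainDn"
$deptDn = "OU=$dept,$root"
$ous = @(
    @{ Name = 'Departments'; Path = $domainDn },
    @{ Name = $dept;         Path = $root },
    @{ Name = 'Computers';   Path = $deptDn },
    @{ Name = 'Users';       Path = $deptDn }
)
foreach ($ou in $ous) {
    $dn = "OU=$($ou.Name),$($ou.Path)"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path
    }
}

# Security (not distribution) group that will hold the laptop computer accounts
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $root
}

# One GPO linked at the top, so every department's Computers OU inherits it
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $root
}

# Security filtering: only members of the group may apply the GPO.
# Authenticated Users keeps Read (without Apply) so the GPO can still be read
# during policy processing.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Review who can read, apply or edit the GPO
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer account added to the group picks up the membership, and therefore the GPO, only after its next restart.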
 
VillageNorthbrook (Author) Commented:
I got it and I liked that solution.
But it is still going to be complex.
Do you have any other ideas or suggestions to make it simpler and easy to manage?
Are there other options?!
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
Once you get it going, it will be easy. It is made easier in that you actually have a plan going into it instead of winging it.

If you haven't, draw out everything you can, including main security groups. I would also draw out the delegation you are going to apply. For example, we have certain techs that get to do certain things such as resetting passwords. Drawing out these delegations makes everything easy in the long run.
 
Mike Kline Commented:
I always start with a simple flat structure and go from there.  For instance if all the users can use the same settings just use one policy and link it at the domain.  
Thanks
Mike
 
Joseph Moody (Blogger and wearer of all hats.) Commented:
Mike is right. I manage school systems so my GPOs look like this. The left is an OU structure and the right shows how the GPOs are linked to that OU.

My OU "Domain Users" contains all sub OUs with users in them. The most basic user settings are set at that level. These include settings for UAC, shortcuts, homepages, etc. The OUs below (such as Staff) are a lot more specific to those users so a specific policy is created for that OU.


[Image: Untitled.jpg]
 
VillageNorthbrook (Author) Commented:
Thank you both!
I think all your answers helped me a lot.
Question has a verified solution.