OU movement

I am performing an inventory using AD, in an attempt to identify machines that have not accessed any of our domains in the previous 3 months. During this exercise, as is always the way, a few additional problems have come to light with our AD records.

However, I am trying to quantify the risk with a few of the findings, so I would appreciate some input from AD admins. Due to the diversity of our network, there are several OUs. We have been finding that departments have been physically moving workstations from one OU and putting them in a completely different OU, such as when a team changes office location etc. This makes our records outdated, but may it also have security implications? My question is: what security issues could this introduce to our AD environment? What procedures do you have in place when moving a PC from one OU to another? Do you document anything to keep your auditors happy?
pma111 Asked:
Kruger_monkey Commented:
Security issue will depend on your setup.  What is the security like from one OU to the next?  What GPOs are applied at which OU?

You may, depending on your setup, have more privileges for members of a particular OU, or certain GPO settings that should ONLY apply to that specific OU, and moving an account into it without knowing that could give someone more rights/apps/settings than they should have.

Our setup uses different OUs mainly for administration and not security/GPO.  If I need to move a workstation or account I normally verify that said machine/user has also moved to that dept, so I will normally get a manager's request.

As it is only workstations being moved I suppose the risk is less, but it depends on your setup.
0
 
pma111 Author Commented:
If you physically unplug a machine from one network point, take it to another building and plug it in to another network point, could that change which OU the machine is in, or does the user's account have to be added to a specific OU, i.e. OU isn't just based on an IP range, more on usernames etc? I am unfamiliar with overall management of AD so am learning all the time...
0
 
Kruger_monkey Commented:
No, physically moving the PC shouldn't update the OU. When you create a user, the user account is created in the OU; typically the computer account is created under Computers.  Some admins will move that to a computer folder under the OU to have more control over Group Policy.

As far as I remember you will have to physically move the PC, then go into AD and manually move the account to the new OU; this doesn't happen automatically.

Is that what you mean?
0
pma111 Author Commented:
Yeah thanks KM..
0
 
Kruger_monkey Commented:
No problem, hope it helped.
0
 
pma111 Author Commented:
Is there any process in your setup whereby, if a PC needs to move for business purposes (i.e. 10 PCs donated from HR to Accounts), your admins can make sure the PC is added to the Accounts OU and doesn't keep getting HR policies applied? Do they have to send through a change document and get it signed or something? If people do this without informing IT then AD could become a right mess...
0
 
Kruger_monkey Commented:
How big is your setup?  What you are talking about in regards to change control normally applies to very large installations/setups where there are a lot of various administrators in place that make changes.  Control in those situations needs to be monitored.

My current place is smaller, generally as I said, we will get a request from management to move a user, I or the other admin will go in and manually move the user account.  We don't tend to worry about the computer accounts.

People physically moving PCs and not telling IT really shouldn't cause you any problems in terms of AD.  If it is a concern, implement a company policy requiring notification to IT regarding moves etc.

As I said, moving a PC will not auto-update anything in AD; it will, as you say, get messy from a housekeeping/admin point of view.  If that is a regular occurrence in your site, then set up a change control policy that needs authorizing before any IT-related moves are carried out.

It depends entirely on your setup and your needs.
0
 
pma111 Author Commented:
> How big is your setup?
Huge!

> People physically moving PCs and not telling IT really shouldn't cause you any problems in terms of AD.  If it is a concern, implement a company policy requiring notification to IT regarding moves etc.

What if a PC is moved from a department and each department is essentially an OU? If security policies differ from OU to OU, and the PC is moved from department A to department B, and a user is then using the machine in department B, they will still get the GPs applied to department A, which may be inappropriate?
0
 
Kruger_monkey Commented:
No, if the PC moves from say Accounts to Admin, and an Admin user logs onto the newly moved Accounts PC, the Admin user will log in with their normal username and receive the normal rights and GP settings that apply to Admin, regardless of the PC.

If that PC has some weird GPOs in place, as the user is not an Accounts user it won't matter, as it shouldn't really affect them.

If your setup is huge, then you will want to implement some sort of change control, and have all the various IT depts enforce it.  That's more for general admin etc.  The risk you are worried about is minor and shouldn't really be a problem.
0
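An added example, not from this thread, of how an admin could script the two things discussed above: the 90-day stale-computer inventory the asker is doing, and a documented OU move that records a change reference for auditors and refreshes the computer's GPOs. It assumes the RSAT ActiveDirectory and GroupPolicy modules, rights to read and move computer objects, and placeholder values for the target OU path, audit file path and change-request ID.

```powershell
# Added example (not from the original thread). Assumes RSAT ActiveDirectory and
# GroupPolicy modules; OU path, audit path and ChangeRef are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1) Inventory: enabled computers with no domain logon in the last N days.
#    lastLogonTimestamp (surfaced as LastLogonDate) replicates but is only refreshed
#    roughly every 14 days, so the cut-off is approximate, not exact.
function Get-StaleComputer {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADComputer -Filter { Enabled -eq $true } -Properties LastLogonDate |
        Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
        Select-Object Name, LastLogonDate, DistinguishedName
}

# 2) Documented OU move: changing a workstation's OU changes which computer GPOs it
#    receives, so require a change reference, record before/after, and append to an audit CSV.
function Move-WorkstationToOU {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$TargetOU,      # placeholder, e.g. 'OU=Workstations,OU=Accounts,DC=example,DC=local'
        [Parameter(Mandatory)][string]$ChangeRef,     # hypothetical change-request ID
        [string]$AuditLog = 'C:\Audit\ou-moves.csv'   # assumed path
    )
    # Guard: only allow moves into a workstation OU, so a PC cannot land under a server or
    # admin OU whose GPOs or delegated rights are broader than intended.
    if ($TargetOU -notmatch '^OU=Workstations,') {
        throw "Target '$TargetOU' is not a workstation OU; refusing move for $ChangeRef"
    }
    $computer = Get-ADComputer -Identity $ComputerName
    $sourceOU = ($computer.DistinguishedName -split ',', 2)[1]   # parent container of the CN

    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU
    $stamp = Get-Date -Format s
    Set-ADComputer -Identity $ComputerName -Description "Moved from $sourceOU to $TargetOU ($ChangeRef, $stamp)"

    [pscustomobject]@{
        Time = $stamp; Computer = $ComputerName; From = $sourceOU; To = $TargetOU
        ChangeRef = $ChangeRef; Operator = $env:USERNAME
    } | Export-Csv -Path $AuditLog -Append -NoTypeInformation

    # The PC keeps its old computer GPOs until the next refresh; push one now.
    Invoke-GPUpdate -Computer $ComputerName -Target Computer -Force -ErrorAction SilentlyContinue
}
```

Run `Get-StaleComputer -Days 90 | Export-Csv stale.csv` for the inventory, and `Move-WorkstationToOU -ComputerName PC01 -TargetOU '<OU DN>' -ChangeRef 'CHG-0000'` for a recorded move.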