Pau Lo
asked on
OU movement
I am performing an inventory using AD, in an attempt to try and identify machines that have not accessed any of our domains in the previous 3 months. During this exercise, as is always the way, a few additional problems have come to light with our AD records.
However, I am trying to quantify the risk with a few of the findings, so I would appreciate some input from AD admins. Due to the diversity of our network, there are several OUs. We have been finding that departments have been physically moving workstations from one OU and putting them in a completely different OU, such as when a team changes office location, etc. This makes our records outdated, but may it also have security implications? My question is: what security issues could this introduce to our AD environment? What procedures do you have in place when moving a PC from one OU to another? Do you document anything to keep your auditors happy?
No, physically moving the PC shouldn't update the OU. When you create a user, the user account is created in the OU; typically the computer account is created under Computers. Some admins will move that to a computer folder under the OU to have more control over Group Policy.
As far as I remember, you will have to physically move the PC, then go into AD and physically move the account to the new OU; this doesn't happen automatically.
Is that what you mean?
ASKER
Yeah thanks KM..
No problem, hope it helped.
ASKER
Is there any process in your setup whereby, if a PC needs to move for business purposes (i.e. 10 PCs donated from HR to Accounts), your admins can make sure the PC is added to the Accounts OU and doesn't keep getting HR policies applied? Do they have to send through a change document and get it signed or something? If people do this without informing IT, then AD could become a right mess...
How big is your setup? What you are talking about in regards to change control normally applies to very large installations/setups where there are a lot of various administrators in place that make changes. Control in those situations needs to be monitored.
My current place is smaller; generally, as I said, we will get a request from management to move a user, and I or the other admin will go in and manually move the user account. We don't tend to worry about the computer accounts.
People physically moving PCs and not telling IT really shouldn't cause you any problems in terms of AD. If it is a concern, implement a company policy requiring notification to IT regarding moves, etc.
As I said, moving a PC will not auto-update anything in AD; it will, as you say, get messy from a housekeeping/admin point of view. If that is a regular occurrence at your site, then set up a change control policy that needs authorizing before any IT-related moves are carried out.
It depends entirely on your setup and your needs.
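The inventory the asker describes (machines with no domain logon in the last 3 months) and the manual, documented account move the answer describes can be scripted together. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, and the OU distinguished names, ticket id and log path are placeholders. The report lists each stale computer with the OU its account currently sits in, since that is where computer-side Group Policy is applied from, not where the hardware is physically located.

```powershell
# Added example (not from the original thread): report computer accounts with no
# domain logon in 90 days, grouped by the OU holding the account, and move one
# account to a new OU while writing an audit record for change control.
# Assumes the ActiveDirectory RSAT module; OU DNs and the log path are placeholders.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)

# LastLogonDate is derived from lastLogonTimestamp, which is replicated between DCs
# (unlike lastLogon), so any DC gives a usable answer. It can lag real logons by
# up to 14 days, which does not matter at a 90-day threshold.
$stale = Get-ADComputer -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, OperatingSystem |
  Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }

# The OU is everything after the first RDN of the distinguished name.
$stale |
  Select-Object Name, OperatingSystem, LastLogonDate,
      @{ n = 'OU'; e = { ($_.DistinguishedName -split ',', 2)[1] } } |
  Sort-Object OU, Name |
  Format-Table -AutoSize

# Move a computer account to its new department OU and record who did it,
# when, from where to where, and under which change reference.
function Move-ComputerAccount {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $TargetOU,   # e.g. 'OU=Accounts,DC=example,DC=local' (placeholder)
        [Parameter(Mandatory)] [string] $ChangeRef,  # change-control ticket id (placeholder)
        [string] $LogPath = 'C:\AD-Audit\ou-moves.csv' # placeholder log location
    )
    $c    = Get-ADComputer -Identity $ComputerName
    $from = ($c.DistinguishedName -split ',', 2)[1]
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $TargetOU
    [pscustomobject]@{
        When      = (Get-Date).ToString('s')
        By        = "$env:USERDOMAIN\$env:USERNAME"
        Computer  = $c.Name
        FromOU    = $from
        ToOU      = $TargetOU
        ChangeRef = $ChangeRef
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
}

# Usage with placeholder values:
# Move-ComputerAccount -ComputerName 'HR-PC-017' -TargetOU 'OU=Accounts,DC=example,DC=local' -ChangeRef 'CHG-0001'
```

The moved computer picks up the new OU's computer-side policy at its next Group Policy refresh or reboot; the CSV gives auditors a per-move record tied to the change reference.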
ASKER
> How big is your setup?
Huge!
> People physically moving PCs and not telling IT really shouldn't cause you any problems in terms of AD. If it is a concern, implement a company policy requiring notification to IT regarding moves, etc.
What if a PC is moved from a department, and each department is essentially an OU? If security policies differ from OU to OU, and the PC is moved from department A to department B, and a user is then using the machine in department B, they will still get the GPOs applied to department A, which may be inappropriate?
No, if the PC moves from, say, Accounts to Admin, and an admin user logs onto the newly moved Accounts PC, the admin user will log in with their normal username and receive the normal rights and GP settings that apply to Admin, regardless of the PC.
If that PC has some weird GPOs in place, as the user is not an Accounts user it won't matter, as it shouldn't really affect them.
If your setup is huge, then you will want to implement some sort of change control and have all the various IT departments enforce it. That's more for general admin, etc. The risk you are worried about is minor and shouldn't really be a problem.