Solved

Active Directory structure

Posted on 2010-11-27
309 Views
Last Modified: 2012-05-10
A customer still has a Win2003 environment and wants to structure his AD.
Currently it is all flat: all computers in 1 OU, all users and groups in 1 OU.
They have a main site with 50 users and 10 remote sites with 5 - 10 users, connected through DSL lines. Each remote site has a DC/GC.
Side note: 70% of the PCs are laptops, moving around between the main site and remote sites a lot.

How would you structure servers, users, groups and computers in this kind of site, thinking about future policies, preferences, virus scan updates, WSUS, etc.?

rgrds
0
Question by:HamannWetteren
5 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 34221610
You need to think about the structure of the business and create OUs according to the way you want to organise and manage users and computers and to delegate control. Often this will take the form of mirroring any departmental structure and/or locations in OUs.
Normally servers would be better in an OU of their own (DCs are already in a separate OU by default and should not need to be changed). Laptops too may be better in an OU of their own, depending on how you want to manage them.
0
 
LVL 12

Assisted Solution

by:Vaseem Mohammed
Vaseem Mohammed earned 800 total points
ID: 34222572
I would suggest you create an Org Unit for each site, then within each OU create Computer Acct, User Acct and Groups.
This structure is good if you are managing computer accounts and user accounts via GPO and have different types of settings for each site or group of users.

- Domain.com
   - Site-01
      -Computer Acct
      -User Acct
      -Groups
   - Site-02
      -Computer Acct
      -User Acct
      -Groups
   - Site-03
      -Computer Acct
      -User Acct
      -Groups


If you have a universal policy for all computers, it is better to have them in one place, as they are by default in the "Computers" OU. Any policy you set at domain level will apply to the Computers OU.
- Domain.com
   - Default Computers OU
   - Site-01
      -User Acct
      -Groups
   - Site-02
      -User Acct
      -Groups
   - Site-03
      -User Acct
      -Groups

If you don't want to apply policy at domain level, then you will have to create a new OU at the root for computer accounts, because you can't apply a GPO to the default Computers OU separately.
- Domain.com
   - Default Computers OU
   - Computer Acct --> (custom created)
   - Site-01
      -User Acct
      -Groups
   - Site-02
      -User Acct
      -Groups
   - Site-03
      -User Acct
      -Groups
0
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 34222583
Also make sure to go through the article at

This will be useful when you create a custom "Computer Acct" OU at the root. The reason is that when you join a desktop, by default its account will be created in the default Computers OU; using `redircmp "OU=Computer Acct,DC=domain,DC=com"` the computer account will land in your custom Computer Acct OU.
AND
if you want a specific set of policies to be applied when user and computer accounts come to the domain for the first time.
0
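The per-site layout from the assisted solution plus the redircmp step from the follow-up comment, as an added PowerShell example that is not part of the thread. It assumes the RSAT ActiveDirectory module on a management workstation, Domain Admin rights, and placeholder site names; the domain DN is read from the domain itself.

```powershell
# Added example (not from the thread): build the per-site OU tree and
# redirect newly joined computers into a root-level "Computer Acct" OU.
# Assumes RSAT ActiveDirectory module; site names are placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=domain,DC=com
$sites    = 'Site-01', 'Site-02', 'Site-03'          # placeholder site names

# Create an OU only if it does not already exist; return its DN either way.
function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
        -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$Path"
}

# One OU per site, each holding Computer Acct / User Acct / Groups sub-OUs
foreach ($site in $sites) {
    $siteDN = New-OUIfMissing -Name $site -Path $domainDN
    foreach ($child in 'Computer Acct', 'User Acct', 'Groups') {
        New-OUIfMissing -Name $child -Path $siteDN | Out-Null
    }
}

# Root-level OU for computers that need policy separate from the domain level
$compDN = New-OUIfMissing -Name 'Computer Acct' -Path $domainDN

# redircmp (built in since Windows Server 2003) changes the well-known
# Computers container so machines joined from now on land in $compDN.
& redircmp.exe $compDN

# Verify: the domain's computers container should now be the custom OU
(Get-ADDomain).ComputersContainer
```

Existing computer accounts are not moved by redircmp; move them with Move-ADObject once the OU exists.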
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 34222587
0
 
LVL 8

Accepted Solution

by:TSGITDept
TSGITDept earned 1200 total points
ID: 34305775

If 70% of the laptops are roaming then having them dedicated to Location Based OUs may not make as much sense. Perhaps those might be in an OU for RemoteLaptops and use Location-based OUs for everything else. Roaming laptops may have special security needs, like extra Firewall Security, password protected screen saver policy, and other things to keep them safe.

Have they considered a Terminal Server, aka Remote Desktop Services?  We even run it in a Virtual Server environment.

We have about 20 locations and use it extensively.  It has a lot of benefits, although we use GP and have lots of fat client laptops too:
 - Fast
 - Centralized control
 - Shadowing for tech support
 - Automatic backups of user files
 - Better security since the data doesn't leave the server.
 - Allows the option to access your work from home, or on the road.

Might talk to them about it in the future and sell them some consulting time, if that's what you do.
0
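The RemoteLaptops OU with the hardening GPO the accepted solution describes (password-protected screen saver, Windows Firewall), as an added PowerShell example that is not the poster's own code. It assumes the RSAT ActiveDirectory and GroupPolicy modules, that laptops follow a placeholder "laptop*" naming convention, and a placeholder GPO name.

```powershell
# Added example (not from the thread): dedicated OU for roaming laptops with
# a linked GPO enforcing a password-protected screen saver and the firewall.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=RemoteLaptops,$domainDN"
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'RemoteLaptops'" `
          -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'RemoteLaptops' -Path $domainDN `
        -ProtectedFromAccidentalDeletion $true | Out-Null
}

# Move laptops out of the flat default container ("laptop*" is a placeholder)
Get-ADComputer -Filter "Name -like 'laptop*'" `
    -SearchBase (Get-ADDomain).ComputersContainer |
    Move-ADObject -TargetPath $ouDN

$gpoName = 'Laptop Baseline'                        # placeholder GPO name
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Roaming laptop hardening' | Out-Null
}

# User side: screen saver on, password required, 10-minute timeout.
# These are the registry values behind the corresponding policy settings.
$desk = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpoName -Key $desk -ValueName ScreenSaveActive    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desk -ValueName ScreenSaverIsSecure -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desk -ValueName ScreenSaveTimeOut   -Type String -Value '600' | Out-Null

# Computer side: Windows Firewall on for both the domain profile (in the
# office) and the standard profile (on the road), which matters for roaming.
$fw = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'
foreach ($profile in 'DomainProfile', 'StandardProfile') {
    Set-GPRegistryValue -Name $gpoName -Key "$fw\$profile" `
        -ValueName EnableFirewall -Type DWord -Value 1 | Out-Null
}

# Link the GPO to the OU, enforced so a lower-level link cannot override it
New-GPLink -Name $gpoName -Target $ouDN -Enforced Yes -ErrorAction SilentlyContinue | Out-Null

# Verify what is linked to the OU
Get-GPInheritance -Target $ouDN | Select-Object -ExpandProperty GpoLinks
```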