Solved

Assigning AD permissions by OU

Posted on 2011-03-14
Last Modified: 2012-05-11
We recently added a 2nd DC, which operates on Server 2008 R2. The original DC is 2003 SP2. This weekend, I modified our user placements & organizational unit (OU) folders. The structure is now more in line with our company and policies can be assigned accordingly, although we have not reapplied ANY permissions.

My challenge is when we are assigning permissions to an object like SharePoint; I used to be able to assign to an OU...domain\OU_group. All of the current permissions need to be changed to reflect the change we made to the OU structure. It seems that we cannot search based on our new OU names.
0
Question by:mray77
LVL 11

Expert Comment

by:RickSheikh
ID: 35129250
If the permissions were based on AD Groups then the groups' changed location in AD should not call for this issue you are citing. I am not sure what you mean when you say that the permissions had OU references?
0
 

Author Comment

by:mray77
ID: 35129312
What I mean is instead of assigning permissions to mydomain\joe_smith they are assigned to mydomain\executive or mydomain\sales, so we are assigning to the OU group, not the individual users, at least for SharePoint. In SharePoint, there is a domain query that allows you to enter either the user or group and it will query AD.
0
 
LVL 11

Accepted Solution

by:
RickSheikh earned 500 total points
ID: 35129402
Are "executives" and "sales" from your last comment AD Groups? OU and Group objects are distinct things but your reference to an "OU group" is throwing me off. If in fact the executive and sales are AD Groups then the OU hierarchy changes you have made should not be an issue for SharePoint or any other resource unless the group name was based on DN, i.e. cn=mygroup,ou=company,dc=domain,dc=local
0
 

Author Comment

by:mray77
ID: 35129439
Should they be? Currently, I have them built as an OU so I can assign different AD permissions. Can I assign separate permissions to an AD Group?
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35129497
Yes, it is a best practice to assign permissions to an AD Group rather than to an OU where users reside.
0
 

Author Comment

by:mray77
ID: 35129545
So I can have multiple with permissions, but it's best not to have a sub-OU; I should use AD Groups, which I can still assign permissions to? That makes sense.
0
 
LVL 11

Expert Comment

by:RickSheikh
ID: 35129611
Yes, use AD Groups.
0
 

Author Comment

by:mray77
ID: 35129620
Gotcha. Thanks for explaining this. This makes sense now.
0
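
Added example, not part of the original thread: a small audit of stored permission references after an OU restructure, showing the accepted answer's point that a domain\group reference survives a move while a DN-based reference goes stale, and that an OU itself is not a security principal. The snapshots, SIDs and the new OU layout are constructed for illustration; only the names mydomain\sales and mydomain\executive and the DN style come from the thread.

```python
import re

# Constructed directory snapshots keyed by objectSid: (distinguishedName, sAMAccountName).
# All SIDs and the post-restructure OU names are made up for this example.
BEFORE = {
    "S-1-5-21-1-2-3-1104": ("CN=sales,OU=Company,DC=domain,DC=local", "sales"),
    "S-1-5-21-1-2-3-1105": ("CN=executive,OU=Company,DC=domain,DC=local", "executive"),
}
AFTER = {
    "S-1-5-21-1-2-3-1104": ("CN=sales,OU=Groups,OU=Sales,DC=domain,DC=local", "sales"),
    "S-1-5-21-1-2-3-1105": ("CN=executive,OU=Company,DC=domain,DC=local", "executive"),
}
AFTER_OUS = {"OU=Sales,DC=domain,DC=local"}  # OUs are containers and carry no objectSid

def norm_dn(dn):
    """Case-fold a DN and trim whitespace around RDNs; honours backslash-escaped commas."""
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def audit_entry(entry, before=BEFORE, after=AFTER, ous=AFTER_OUS):
    """Return (status, current_dn_or_None) for one stored permission reference."""
    if "=" not in entry:                          # DOMAIN\name form
        name = entry.split("\\")[-1].lower()
        for dn, sam in after.values():
            if sam.lower() == name:
                return ("ok", dn)                 # resolves wherever the group now lives
        return ("unknown-account", None)
    key = norm_dn(entry)                          # DN form
    if key in {norm_dn(o) for o in ous}:
        return ("ou-not-a-principal", None)       # an OU cannot be granted access
    for dn, _ in after.values():
        if norm_dn(dn) == key:
            return ("ok", dn)
    for sid, (old_dn, _) in before.items():
        if norm_dn(old_dn) == key and sid in after:
            return ("stale-dn", after[sid][0])    # same SID, new location
    return ("unresolved", None)

if __name__ == "__main__":
    for e in (
        "mydomain\\sales",
        "cn=sales, ou=Company, dc=domain, dc=local",
        "OU=Sales,DC=domain,DC=local",
        "mydomain\\marketing",
    ):
        print(e, "->", audit_entry(e))
```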
