• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 897
  • Last Modified:

Assigning AD permissions by OU

We recently added a 2nd DC; which operates on Server 2008 R2. The original DC is 2003 SP2. This weekend, i modified our user placements & organizational unit (OU) folders. The structure is now more in-line with our company and policies can be assigned accordingly, althouth we have not reapplied ANY permissions.

My challenge, is when we are assigning permissions to an object like sharepoint, i used to be able to assign to an OU...domain\OU_group. All of the current permissions need to be changed to reflect the change we made to the OU structure. It seems that we can not search based on our new OU names.
0
mray77
Asked:
mray77
  • 4
  • 4
1 Solution
 
RickSheikhCommented:
If the permissions were based on AD Groups then the groups' changed location in AD should not call for this issue you are sighting. I am not sure what you mean when you say that the permissions had OU references ?
0
 
mray77Author Commented:
What i mean is instead of assigning permissions to mydomain\joe_smith they are assigned to mydomain\executive or mydomain\sales so we are assigning to the OU group not the individual users, at least for sharepoint. in sharepoint, there is a domain query that allows you to enter either the user or group and it will query AD.
0
 
RickSheikhCommented:
Are "executives" and "sales" from your last comment AD Groups ? OU and Group objects are distinct things but your reference to an "OU group" is throwing me off. If in fact the executive and sales are AD Groups then the OU hierarchy changes you have made should not be an issue for a sharepoint or any other resource unless the group name was based on DN i.e cn=mygroup,ou=company,dc=domain,dc=local
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
mray77Author Commented:
Should they be? Currently, i have them built as an OU so i can assign different AD permissions. Can i assign separate permission to an AD Group?
0
 
RickSheikhCommented:
Yes, it is a best practice to assign permissions on AD Group than to an OU where users reside.
0
 
mray77Author Commented:
So i can have multiple with permissions, but it's best not to have a sub-OU, i should use AD Groups; which i can still assign permissions too? That makes sense.
0
 
RickSheikhCommented:
yes, use AD Groups.
0
 
mray77Author Commented:
Gotcha. Thanks for explaining this. This makes sense now.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now