Solved

Assigning AD permissions by OU

Posted on 2011-03-14
8
870 Views
Last Modified: 2012-05-11
We recently added a 2nd DC; which operates on Server 2008 R2. The original DC is 2003 SP2. This weekend, i modified our user placements & organizational unit (OU) folders. The structure is now more in-line with our company and policies can be assigned accordingly, althouth we have not reapplied ANY permissions.

My challenge, is when we are assigning permissions to an object like sharepoint, i used to be able to assign to an OU...domain\OU_group. All of the current permissions need to be changed to reflect the change we made to the OU structure. It seems that we can not search based on our new OU names.
0
Comment
Question by:mray77
  • 4
  • 4
8 Comments
 
LVL 11

Expert Comment

by:RickSheikh
Comment Utility
If the permissions were based on AD Groups then the groups' changed location in AD should not call for this issue you are sighting. I am not sure what you mean when you say that the permissions had OU references ?
0
 

Author Comment

by:mray77
Comment Utility
What i mean is instead of assigning permissions to mydomain\joe_smith they are assigned to mydomain\executive or mydomain\sales so we are assigning to the OU group not the individual users, at least for sharepoint. in sharepoint, there is a domain query that allows you to enter either the user or group and it will query AD.
0
 
LVL 11

Accepted Solution

by:
RickSheikh earned 500 total points
Comment Utility
Are "executives" and "sales" from your last comment AD Groups ? OU and Group objects are distinct things but your reference to an "OU group" is throwing me off. If in fact the executive and sales are AD Groups then the OU hierarchy changes you have made should not be an issue for a sharepoint or any other resource unless the group name was based on DN i.e cn=mygroup,ou=company,dc=domain,dc=local
0
 

Author Comment

by:mray77
Comment Utility
Should they be? Currently, i have them built as an OU so i can assign different AD permissions. Can i assign separate permission to an AD Group?
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 11

Expert Comment

by:RickSheikh
Comment Utility
Yes, it is a best practice to assign permissions on AD Group than to an OU where users reside.
0
 

Author Comment

by:mray77
Comment Utility
So i can have multiple with permissions, but it's best not to have a sub-OU, i should use AD Groups; which i can still assign permissions too? That makes sense.
0
 
LVL 11

Expert Comment

by:RickSheikh
Comment Utility
yes, use AD Groups.
0
 

Author Comment

by:mray77
Comment Utility
Gotcha. Thanks for explaining this. This makes sense now.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Resolve DNS query failed errors for Exchange
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now