
Active directory structure question: belonging to multiple OUs

Hi,

In our organisation we have the following structure:

Researchers is an OU and researchers can work in more than one workpackage (WP). Each wp should have access to its own mapped drives and not have access to data from the other WPs.

A solution could be to create an OU for each WP and set group policies per OU. However, a researcher can be a member of multiple WPs. What is the best solution for this? Should I use only one OU=Researchers and just use groups for the WP and impose GPOs per group?

Thanks
Asked by: PjotterR
 
every1isevil2 Commented:
Please define workpackage? Is this like a network share?

every1isevil2 Commented:
And you can't belong to multiple OUs.
 
Neil Russell (Technical Development Lead) Commented:
To achieve what it SOUNDS LIKE you want to achieve, your best bet would be to have multiple logins per researcher, and then you can have your OUs and GPOs applied correctly to do all of the mappings etc.
So have an OU per WP and then, depending on the role that that researcher has, create them an account that they need in each OU, but of course the name in each OU would need to be different.

OR

Do they use a different PC depending on the WP that they are on? You could then alter the environment based on the PC and not the user.

 
PjotterR (Author) Commented:
Workpackage is just a part of the project that needs its own data. I know that you cannot be a member of multiple OUs; that's why I asked the question.

Is it not possible to create groups per WP and then impose a GPO restricted to users of that group?
 
PjotterR (Author) Commented:
Neilsr:

It is not wanted to have multiple logins because people that are in multiple WPs should be able to copy data from different shares to their own directory for analyses.

They will not use multiple PCs.
 
every1isevil2 Commented:
Global groups are mainly used for shared resources. But from the sounds of it:

user a uses wp a
user b uses wp b
user c uses wp a and c

You can use GPO to use groups with the use of security filtering, and create map drives to link the WP of another user.

It may be best to know how many users will be using multiple WPs.
 
PjotterR (Author) Commented:
OK. I just want that if a researcher is in wp3 he will have a mapped drive to the data of wp3. If he is also in wp5 he will also get a mapped drive to that data.
 
Neil Russell (Technical Development Lead) Commented:
The misleading bit in your question was this, then: "Each wp should have access to its own mapped drives and not have access to data from the other WPs."

That's why I suggested separate logins. Of course you can map as many WP drives as you have letters available. And a user can belong to as many groups as you like.

In the group policy, just use Security Filtering. Remove the Authenticated Users and add a group that you set up called (for example) WP1-Users, WP2-Users.

Then just add the users to each of the GROUPS that they require access to.
 
every1isevil2 Commented:
You can control that from GPO with the map drives.
 
Neil Russell (Technical Development Lead) Commented:
That's what I said! Use a GPO to do the mappings in each of the WPx policies.
 
PjotterR (Author) Commented:
Thanks neilsr
That is working except for this:

I do have mapped drives based on the membership of a WP, all fine! However, in some strange way a user can write in the original mapped folder but not when using the drive letter used to map to this same folder?

Icacls gives the same output for both?
 
Neil Russell (Technical Development Lead) Commented:
Make sure that the Share permissions give the rights to Write as well as the NTFS permissions.
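The setup the thread arrives at (one security group per WP, a drive-mapping GPO security-filtered to that group, and write access granted on both the share and the NTFS ACL), sketched in PowerShell as an added example that is not part of the original thread. The domain `example.org`, the NetBIOS name `EXAMPLE`, the path `D:\Data\WP3`, the share name and the user `jdoe` are assumed placeholders; the group name follows the `WP1-Users` pattern suggested above.

```powershell
# Added example. example.org, EXAMPLE, OU=Researchers, D:\Data\WP3 and jdoe are
# placeholders, not values from the thread. Run steps 1-3 where the ActiveDirectory
# and GroupPolicy modules are installed, and steps 4-5 on the file server.
Import-Module ActiveDirectory, GroupPolicy

$wp      = 'WP3'
$group   = "${wp}-Users"
$ouPath  = 'OU=Researchers,DC=example,DC=org'
$folder  = "D:\Data\$wp"
$netbios = 'EXAMPLE'

# 1. One security group per workpackage; a researcher can be a member of several.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity $group -Members 'jdoe'

# 2. One GPO per workpackage, all linked to the single Researchers OU.
#    The drive-map item itself is created in the GPO editor under
#    User Configuration > Preferences > Windows Settings > Drive Maps.
$gpo = New-GPO -Name "$wp drive mapping"
New-GPLink -Guid $gpo.Id -Target $ouPath

# 3. Security filtering: only the WP group gets Apply.
#    Authenticated Users is downgraded to Read instead of being stripped entirely:
#    current Windows builds fetch user policy in the computer's security context,
#    and a GPO the computer account cannot read is skipped.
Set-GPPermission -Guid $gpo.Id -TargetName $group -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 4. The mapped drive is convenience only; access control lives on the file server.
#    Over the network the effective right is the more restrictive of share and NTFS
#    permissions, so grant Change/Modify on both, and only to the WP group.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
icacls $folder /inheritance:r /grant "BUILTIN\Administrators:(OI)(CI)F" `
    "SYSTEM:(OI)(CI)F" "${netbios}\${group}:(OI)(CI)M"
New-SmbShare -Name $wp -Path $folder -ChangeAccess "$netbios\$group" `
    -FullAccess 'BUILTIN\Administrators'

# 5. Verify both layers. icacls reports only the NTFS ACL, so identical icacls
#    output does not rule out a read-only share permission.
Get-SmbShareAccess -Name $wp
icacls $folder
```

Share permissions are evaluated only for access that comes in through the share, while NTFS permissions apply to every access path, so both have to be checked when a path is writable one way and read-only another.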
