Solved

OU and User setup Server 2008 R2

Posted on 2012-09-20
732 Views
Last Modified: 2012-10-17
Set up a new Server 2008 R2 box on a clean install and am now getting ready to set up our users. So far under Active Directory Users and Computers I have created a new Organizational Unit called "NCAP". Under "NCAP" I created OUs called Computers, Security Groups, and Users.

I am now wondering if I should create new groups under the "Users" for each of our departments as we have five departments. And then add specific users under each group? Or can I simply create the groups, add the user accounts under "NCAP/Users" and then make them a member of the "Fiscal" group or the "SVS" Group etc?

My main reason behind this is I only need certain users to be part of "Fiscal" etc and have access to those shared folders / programs.

I may be making this harder than I need to, but I am just trying to get the correct setup going off the bat as it is a fresh install. We only have around 25 users spread between the five departments.

Thanks!
Question by:ZephyrM
 
LVL 9

Accepted Solution

by:
Sean Meyer earned 1000 total points
ID: 38418351
I would create the departments under the users and put the users in each group. This allows you to roll out things by group policy. Things always become more complex. If you map it out ahead of time you will save yourself time later.

Examples of things you might want to rollout --

1. Mapped network drive by default for users in specific departments to share.
2. Printers.

Etc...
 
LVL 23

Assisted Solution

by:Stelian Stan
Stelian Stan earned 1000 total points
ID: 38418363
For the long run it's better to put all the users and groups for a specific department in their own OU. For example, if you want to apply a GPO to users in a department, it's easier if you have it set up that way.

In a small environment your config is doable also.
 
LVL 12

Expert Comment

by:serchlop
ID: 38418369
Microsoft says

Creating an Organizational Unit Design

After domain planning is complete, an OU structure can be designed. In the best practices OU model, departments within the domain manage their internal operations, while the domain's IT staff manages the overall infrastructure. In other words, each department manages its objects in the directory, while the domain IT staff manages the configuration of the directory service itself.

Best practices for creating an OU design introduces the role of "OU owner." The Active Directory OU owner is comparable to most Windows NT domain administrators. This means that domain administrators who manage users and resources in a Windows NT domain will manage the same resources in an Active Directory domain, but will be owners of OUs.

Expect to make periodic changes to your OU structure to reflect changes in your administrative structure and to support policy-based administration. OUs are designed to be easily changed.

The Role of OUs in Windows Network Designs

OUs are containers within domains that can contain other OUs, users, groups, computers, and other objects. These OUs and sub-OUs form a hierarchical structure within a domain, and are primarily used to group objects for management purposes.

Note: There are no practical limitations on how many levels OUs can be nested. When designing sub-tiers of OUs, you should compare the value of additional granularity of control with the added complexity of managing the structure. As a best practice, create OU structures no more than ten levels deep.

When designing an OU structure, keep in mind that the OU hierarchy does not need to mirror your organization's departmental hierarchy. Every OU you create should have a defined purpose (such as delegation or policy) and should add value to your system; otherwise, you will spend additional time maintaining the structure without gaining a corresponding benefit.

The initial goal in designing an OU structure is delegation of administration. After this structure is in place, you can further refine it by creating any sub-tiers of OUs you require for other purposes, such as applying Group Policy or placing objects in separate OUs to restrict their visibility.

You can review the complete document at http://technet.microsoft.com/en-us/library/bb727085.aspx#EFAA
 

Author Comment

by:ZephyrM
ID: 38418441
Ok, I think I got it then. Under "Users" create an OU for each department. Under that department OU add another "Users" and place those users under their department OU.

Will I need to create OUs under each department for "Security Groups" and "Computers" as well as "Users"?

All of these should be OUs and not just standard groups?

Thanks for your replies
 
LVL 12

Expert Comment

by:serchlop
ID: 38418490
I think that the best OU design, like you say, is to create an OU for each department for all objects in that department. This is because, like I posted before, Microsoft says that "The initial goal in designing an OU structure is delegation of administration".

Then you can choose one person for each OU to delegate permission to reset passwords, change user properties, etc.

If you want to create additional OUs, that is your choice, but it is not necessary.
 
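The per-department delegation serchlop describes (one person or group allowed to reset passwords for the accounts in that department's OU) can be granted without the Delegation of Control wizard. This is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT), the OU path NCAP\Fiscal\Users, and a placeholder group "Fiscal Helpdesk" that receives the right.

```powershell
# Added example: grant "Reset Password" on user objects under one department OU
# to that department's helpdesk group. Assumptions: ActiveDirectory module is
# available, the OU exists, and "Fiscal Helpdesk" is a placeholder group name.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=ncap,DC=local
$ouDN     = "OU=Users,OU=Fiscal,OU=NCAP,$domainDN"
$group    = Get-ADGroup 'Fiscal Helpdesk'             # delegate to a group, not a person
$groupSid = [System.Security.Principal.SecurityIdentifier]$group.SID

# Schema GUIDs: the "Reset Password" extended right and the "user" object class.
# Scoping the ACE to the user class keeps the right off groups and computers in the OU.
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# The AD: PSDrive exposes the OU's security descriptor to Get-Acl / Set-Acl
$acl = Get-Acl -Path "AD:\$ouDN"

# Allow the extended right, inherited only by user objects beneath this OU
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show the ACEs on the OU that name the helpdesk group
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*Fiscal Helpdesk' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

The wizard's "Reset user passwords and force password change at next logon" task additionally grants read/write on the pwdLastSet attribute; add a second rule for that attribute if the delegate must be able to tick "User must change password at next logon".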

Author Comment

by:ZephyrM
ID: 38418527
Sounds good. So looks like we will have a setup of

NCAP\Department Names\Users and that should cover it? Create users in the department they belong to, but they could also be a member of another group if needed. Say if an Indirect User needs access to the "Fiscal" share etc.
 
LVL 12

Expert Comment

by:serchlop
ID: 38418550
Yes, the users could be members of any group in the domain; OUs are for admin purposes only.

Security Groups are for permission configuration. It doesn't matter if the user belongs to any OU, you can add them to any security group.
 
LVL 23

Expert Comment

by:Stelian Stan
ID: 38418585
That looks good or you can go by:
NCAP\Department Names - and create here the users and groups
NCAP\Computers\Workstations\Department Names - put here the computers for each department
NCAP\Computers\Servers
 

Author Comment

by:ZephyrM
ID: 38419426
I have gone through and created each department with their own OU, and then an OU for the users in each department. After that, I went into the Security OU and added groups by the name of "Department Users". Did that for all five departments and then, for each user, I made them a member of that department's users group under the Security OU.

Is that the correct way of handling that? If so, I'll move on and do some reading on user drive storage as I'm hoping to map a letter on each computer to U: for that logged-in user's network folder. Hoping I can make that work on a secondary drive like D: on the server.

Thanks for everyone's help thus far and points will be awarded.
 
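The layout Stelian Stan proposes (NCAP\Department\Users, NCAP\Computers\Workstations\Department, NCAP\Computers\Servers) together with the "Department Users" security groups ZephyrM created can be built in one idempotent script, which also links the per-department GPO that both accepted answers point to. This is an added example, not the thread's own code; it assumes the ActiveDirectory and GroupPolicy modules (RSAT), and three of the five department names are placeholders.

```powershell
# Added example: build the department OU tree, the "<Dept> Users" security groups,
# and a per-department GPO link. Assumes ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN    = (Get-ADDomain).DistinguishedName             # e.g. DC=ncap,DC=local
$departments = @('Fiscal', 'SVS', 'Dept3', 'Dept4', 'Dept5')  # last three are placeholders

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    if (-not [ADSI]::Exists("LDAP://$dn")) {
        # Accidental-deletion protection is the cmdlet default; stated explicitly here
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

$ncap      = New-OUIfMissing -Name 'NCAP'            -ParentDN $domainDN
$secGroups = New-OUIfMissing -Name 'Security Groups' -ParentDN $ncap
$computers = New-OUIfMissing -Name 'Computers'       -ParentDN $ncap
$wkst      = New-OUIfMissing -Name 'Workstations'    -ParentDN $computers
$null      = New-OUIfMissing -Name 'Servers'         -ParentDN $computers

foreach ($dept in $departments) {
    # NCAP\<Dept>\Users holds the accounts; NCAP\Computers\Workstations\<Dept> the PCs
    $deptOU = New-OUIfMissing -Name $dept   -ParentDN $ncap
    $null   = New-OUIfMissing -Name 'Users' -ParentDN $deptOU
    $null   = New-OUIfMissing -Name $dept   -ParentDN $wkst

    # Global security group in NCAP\Security Groups; this is what share ACLs reference
    $groupName = "$dept Users"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $secGroups)) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $secGroups
    }
    # Membership is independent of OU placement: any account can be added to any group
    $members = Get-ADUser -Filter * -SearchBase "OU=Users,$deptOU"
    if ($members) { Add-ADGroupMember -Identity $groupName -Members $members }

    # One GPO per department, linked at the department OU (drive maps, printers live here)
    $gpoName = "$dept - User Settings"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | New-GPLink -Target $deptOU -LinkEnabled Yes | Out-Null
    }
}
```

Re-running the script is safe: existing OUs, groups and GPOs are detected and skipped, so it can be kept as the documented record of the design.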
LVL 23

Expert Comment

by:Stelian Stan
ID: 38419454
Seems to be OK. For users folder (or U drive) follow this guide: http://blog.luxem.org/2010/07/how-to-setup-home-directories-on.html
