ZephyrM

asked on

OU and User setup Server 2008 R2

Set up a new Server 2008 R2 box on a clean install and now getting ready to set up our users. So far under Active Directory Users and Computers I have created a new Organizational Unit called "NCAP". Under "NCAP" I created OUs called Computers, Security Groups, and Users.

I am now wondering if I should create new groups under the "Users" for each of our departments as we have five departments. And then add specific users under each group? Or can I simply create the groups, add the user accounts under "NCAP/Users" and then make them a member of the "Fiscal" group or the "SVS" Group etc?

My main reason behind this is I only need certain users to be part of "Fiscal" etc and have access to those shared folders / programs.

I may be making this harder than I need to but just trying to get the correct setup going off the bat as it is a fresh install. We only have around 25 users spread between the five departments.

Thanks!
ASKER CERTIFIED SOLUTION
Sean Meyer

This solution is only available to members.
SOLUTION
Stelian Stan

This solution is only available to members.

Microsoft says

Creating an Organizational Unit Design

After domain planning is complete, an OU structure can be designed. In the best practices OU model, departments within the domain manage their internal operations, while the domain's IT staff manages the overall infrastructure. In other words, each department manages its objects in the directory, while the domain IT staff manages the configuration of the directory service itself.

Best practices for creating an OU design introduces the role of "OU owner." The Active Directory OU owner is comparable to most Windows NT domain administrators. This means that domain administrators who manage users and resources in a Windows NT domain will manage the same resources in an Active Directory domain, but will be owners of OUs.

Expect to make periodic changes to your OU structure to reflect changes in your administrative structure and to support policy-based administration. OUs are designed to be easily changed.

The Role of OUs in Windows Network Designs

OUs are containers within domains that can contain other OUs, users, groups, computers, and other objects. These OUs and sub-OUs form a hierarchical structure within a domain, and are primarily used to group objects for management purposes.

Note: There are no practical limitations on how many levels OUs can be nested. When designing sub-tiers of OUs, you should compare the value of additional granularity of control with the added complexity of managing the structure. As a best practice, create OU structures no more than ten levels deep.

When designing an OU structure, keep in mind that the OU hierarchy does not need to mirror your organization's departmental hierarchy. Every OU you create should have a defined purpose (such as delegation or policy) and should add value to your system; otherwise, you will spend additional time maintaining the structure without gaining a corresponding benefit.

The initial goal in designing an OU structure is delegation of administration. After this structure is in place, you can further refine it by creating any sub-tiers of OUs you require for other purposes, such as applying Group Policy or placing objects in separate OUs to restrict their visibility.

You can review the complete document in http://technet.microsoft.com/en-us/library/bb727085.aspx#EFAA
ZephyrM (ASKER)

Ok, I think I got it then. Under "Users" create an OU for each department. Under that OU department add another "Users" and place those users under their department OU.

Will I need to create OUs under each department for "Security Groups" and "Computers" as well as "Users"?

All of these should be OUs and not just standard groups?

Thanks for your replies
I think that the best OU design, like you say, is to create an OU for each department for all objects in that department. This is because, like I posted before, Microsoft says that "The initial goal in designing an OU structure is delegation of administration".

Then you can choose one person for each OU to delegate permission to reset passwords, change user properties, etc.

If you want to create additional OUs, it is your choice, but it is not necessary.
ZephyrM (ASKER)

Sounds good. So looks like we will have a setup of

NCAP\Department Names\Users and that should cover it? Create users in the department they belong, but they could also be a member of another group if needed. Say if an Indirect User needs access to the "Fiscal" share etc.
Yes, the users could be members of any group in the domain; OUs are for admin purposes only.

Security Groups are for permission configuration. It doesn't matter if the user belongs to any OU, you can add them to any security group.
That looks good or you can go by:
NCAP\Department Names - and create here the users and groups
NCAP\Computers\Workstations\Department Names - put here the computers for each department
NCAP\Computers\Servers
ZephyrM (ASKER)

I have gone through and created each department with their own OU, and then an OU for the users in each department. After that, I went into the security OU, and added groups by the name of "Department Users". Did that for all five departments and then, for each user I made them a member of that department users under the security OU.

Is that the correct way of handling that? If so, I'll move on and do some reading on user drive storage as I'm hoping to map a letter on each computer to U: for that logged-in user's network folder. Hoping I can make that work on a secondary drive like D: on the server.

Thanks for everyone's help thus far and points will be awarded.
Seems to be OK. For users folder (or U drive) follow this guide: http://blog.luxem.org/2010/07/how-to-setup-home-directories-on.html
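
The layout the thread settles on (department OUs for administration, security groups for permissions), as an added PowerShell example that is not part of any post above. It uses the ActiveDirectory module that ships with Server 2008 R2; the domain DN `DC=example,DC=local` and the account `suser` are assumptions, and only the department names mentioned in the thread are listed.

```powershell
# Added example: everything except the names NCAP, Fiscal, SVS and Indirect is an assumption.
Import-Module ActiveDirectory

$domainDN    = 'DC=example,DC=local'          # assumed domain; replace with your own
$rootOU      = "OU=NCAP,$domainDN"            # the NCAP OU already created in the thread
$groupsOU    = "OU=Security Groups,$rootOU"   # the existing "Security Groups" OU
$departments = 'Fiscal', 'SVS', 'Indirect'    # departments named in the thread; add the rest

foreach ($dept in $departments) {
    # One OU per department: used for delegation and Group Policy, not for permissions
    New-ADOrganizationalUnit -Name $dept -Path $rootOU
    New-ADOrganizationalUnit -Name 'Users' -Path "OU=$dept,$rootOU"

    # One security group per department: this is what goes on share and NTFS ACLs
    New-ADGroup -Name "$dept Users" -GroupScope Global -GroupCategory Security -Path $groupsOU
}

# Constructed sample account placed in the Indirect department OU.
# Without -AccountPassword the account is created disabled.
New-ADUser -Name 'Sample User' -SamAccountName 'suser' -Path "OU=Users,OU=Indirect,$rootOU"

# OU placement does not limit group membership: the same user joins the
# Indirect group and, for access to the Fiscal share, the Fiscal group too.
Add-ADGroupMember -Identity 'Indirect Users' -Members 'suser'
Add-ADGroupMember -Identity 'Fiscal Users'   -Members 'suser'

# Review step: list members of each department group whose account lives
# outside that department's OU, i.e. cross-department access to re-check.
foreach ($dept in $departments) {
    Get-ADGroupMember -Identity "$dept Users" |
        Where-Object { $_.distinguishedName -notlike "*,OU=$dept,$rootOU" } |
        Select-Object @{n='Group';e={"$dept Users"}}, SamAccountName, distinguishedName
}
```

With the sample account above, the review loop returns one row: `suser` in "Fiscal Users", because the account sits under the Indirect OU.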