Solved

Active Directory and RDS OU Organizing

Posted on 2013-02-05
Last Modified: 2013-03-02
Hello Experts, I would like a few opinions on the organization of keeping users and setups simple and clean as well as with using it with RDS.

Part 1: Active Directory

I have set up my Active Directory so that I have an OU set up for each department, and then I put the users in each of the departments.  I did this thinking it would be helpful when deploying printers and keeping security per OU.

Now I am thinking I would have been better off just setting up "Security Group - Global" for each department and keeping everyone in one OU.

Thoughts please.

Part 2: I have read the article Terminal Services: from A to Z (www.2x.com/docs/en/manuals/pdf/TerminalServicesAtoZ.pdf) and it was great; however, it does not work well with my original scheme, I think.  In the guide it talks about creating an OU named TS (in my case I used RDS Users). For these users that are switching to RDS, I would move them from their departmental OU to the new RDS OU, which completely breaks my original OU design.


I am OK with changing the OU design and revamping everything.  I have about 30 users and if it makes it easier to manage I am all for it.  I know organization design is a personal preference but I would like to hear from some experienced admins and their approach along with advantages and disadvantages.  All comments welcome because I am trying to figure out what would fit best.

Also, I believe if I turn on the loopback processing users would be in "thick client" mode when they are logging on from a desktop or laptop versus thin client.

To the person who wrote the terminal services: from a to z, great job!
Question by:tucktech
3 Comments
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 300 total points
ID: 38857209
Loopback is a pain as it can cause issues, and people don't always understand it, so if someone else tries to troubleshoot they can break stuff.

We use OUs for organisation but keep the GPOs applying at a top level so that they apply to most people.
We use security groups to filter GPOs applying; that way, unless someone moves them out of the OU structure completely, i.e. into the Domain Controllers OU, the policies are still there.

For things like printers we use Group Policy Preferences and item-level targeting to make sure they only apply to the right people.
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 300 total points
ID: 38857312
I personally like your design.  I like putting the GPOs "closer" to the actual user.    Let me try to find some more info on this.  GP MVP Darren Mar-Elia has some slides on GP Performance.

Thanks

Mike
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 900 total points
ID: 38857323
My philosophy is to create OUs only for those groups where the vast number of settings that will be applied via GPs are common.  IOW, I wouldn't necessarily create a separate OU by department UNLESS each department will have a significantly different set of policies being applied.  For most localized group policies, like printer deployments and drive mappings, you can control access by security groups. So, there would be one generic OU for users, and the users in each department would be in a separate global security group. There would be an overall "global" group policy applied to the entire OU, and then separate group policies for printers and drive mappings (if required) for each departmental security group.

It makes sense to create a separate OU for RDS users only if these users are always and only RDS users.  If the RDS user IDs are the same user IDs as the internal user IDs, it becomes difficult to manage them if they're in a separate RDS OU.  I have a lot of situations (mostly) where users work in the office and then they go home and work remotely using RDS.  Putting these users in a separate OU has only created unnecessary complexities in my experience, especially with a small group of users as you have, so I wouldn't recommend it.

In some cases, you may have to block inheritance in order to get the results you need.  It just depends on what settings are in what policies. You can also use the NoOverride setting to prevent certain policy settings from being overwritten by another policy that is processed later in the order of precedence (Local, Site, Domain, OU).
0
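The layout the answers above describe (one user OU, one global security group per department, GPOs scoped by security filtering), sketched in PowerShell as an added example that is not part of the original thread. The domain DN, the OU name `Staff`, the `GG-` group prefix and the department names are hypothetical; the cmdlets come from the ActiveDirectory and GroupPolicy RSAT modules.

```powershell
# Added example: every name below is a hypothetical placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn    = 'DC=example,DC=com'      # assumption: replace with your domain DN
$userOuName  = 'Staff'                  # one generic OU for all user accounts
$userOuDn    = "OU=$userOuName,$domainDn"
$departments = 'Sales', 'Accounting'    # constructed sample departments

# One OU for every user, instead of one OU per department.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$userOuName'" `
    -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $userOuName -Path $domainDn
}

# Baseline GPO for the whole OU; it keeps the default security filter.
$baseline = New-GPO -Name 'Staff - Baseline'
New-GPLink -Guid $baseline.Id -Target $userOuDn | Out-Null

foreach ($dept in $departments) {
    $groupName = "GG-$dept"
    New-ADGroup -Name $groupName -GroupScope Global `
        -GroupCategory Security -Path $userOuDn

    # Departmental GPO (printers, drive maps) linked at the same OU.
    $gpo = New-GPO -Name "Staff - $dept printers and drives"
    New-GPLink -Guid $gpo.Id -Target $userOuDn | Out-Null

    # Security filtering: only the department group gets Apply.
    # Authenticated Users is lowered to Read rather than removed, because
    # since MS16-072 user policy is fetched in the computer's context and
    # a GPO the computer account cannot read is silently skipped.
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Guid $gpo.Id -TargetName $groupName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Review the resulting filter on each departmental GPO.
foreach ($dept in $departments) {
    Get-GPPermission -Name "Staff - $dept printers and drives" -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}
```

With this layout a user who also logs on through RDS stays in the same OU and the same groups, so no policy depends on moving the account.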

Question has a verified solution.
