Solved

Active Directory and RDS OU Organizing

Posted on 2013-02-05
3
543 Views
Last Modified: 2013-03-02
Hello Experts, I would like a few opinions on the organization of keeping users and setups simple and clean as well as with using it with RDS.

Part 1: Active Directory

I have setup my active directory so that I have an OU setup for each department and then I put the users in each of the departments.  I did this thinking it would be helpful when deploying printers and keeping security per OU.

Now I am thinking I would have been better off just setting up "Security Group - Global" for each department and keeping everyone in one OU.

Thoughts please.

Part 2: I have read the article Terminal Services: from A to Z (www.2x.com/docs/en/manuals/pdf/TerminalServicesAtoZ.pdf) and it was great however does not work well with my oringinal scheme, I think.  In the guide it talks about creating an OU named TS (in my case I used RDS Users). For these users that are switching to RDS, I would move them from their departmental OU to the new RDS OU which completely breaks my original OU design.


I am ok with changing the OU design and revamping everything.  I have about 30 users and if it makes it easier to manage I am all for it.  I know organization design is a personal preference but I would like to hear from some experienced admins and their approach along with advantages and disadvantages.  All comments welcome becuase I trying to figure out what would fit best.

Also, I believe if I turn on the loopback processing users would be in "thick client" mode when they are logging on from a desktop or laptop versus thin client.

To the person who wrote the terminal services: from a to z, great job!
0
Comment
Question by:tucktech
3 Comments
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 100 total points
ID: 38857209
Loop back is a pain as it can cause issues, and people don't always understand so if someone else tries to troubleshoot they can break stuff


We Use OU's for organisational but keep the GPOI's applying at a top level so that they apply to most people.
We use security groups to filter GPO's applying, that way unless someones moves them out of the OU structure completely i.e. into the Domain Controllers OU then the polices are still there

Things like printers we use group policy preferences and Item level targettings to make sure they only apply to the right people
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 38857312
I personally like your design.  I like putting the GPOs "closer" to the actual user.    Let me try to find some more info on this.  GP MVP Darren Mar-Elia has some slides on GP Performance.

Thanks

Mike
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 300 total points
ID: 38857323
My philosophy is to create OUs only for those groups where the vast number of settings that will be applied via GPs are common.  IOW, I wouldn't necessarily create a separate OU by department UNLESS each department will have a significantly different set of policies being applied.  For most localized group policies, like printer deployments and drive mappings, you can control access by security groups. So, there would be one generic OU for users, and the users in each department would be in a separate global security group. There would be an overall "global" group policy applied to the entire OU, and then separate group policies for printers and drive mappings (if required) for each departmental security group.

It makes sense to create a separate OU for RDS users only if these users are always and only RDS users.  If the RDS users IDs are the same user IDs as the internal user IDs, it becomes difficult to manage them if they're in a separate RDS OU.  I have a lot of situations (mostly) where users work in the office and then they go home and work remotely using RDS.  Putting these users in a separate OU has only created unnecessary complexities in my experience, especially with a small group of users as you have, so I wouldn't recommend it.

In some cases, you may have to block inheritance in order to get the results you need.  It just depends on what settings are in what policies. You can also use the NoOverride setting to prevent certain policy settings from being overwritten by another policy that is processed later in the order of precedence (Local, Site, Domain, OU).
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question