Solved

Active Directory and RDS OU Organizing

Posted on 2013-02-05
3
537 Views
Last Modified: 2013-03-02
Hello Experts, I would like a few opinions on the organization of keeping users and setups simple and clean as well as with using it with RDS.

Part 1: Active Directory

I have setup my active directory so that I have an OU setup for each department and then I put the users in each of the departments.  I did this thinking it would be helpful when deploying printers and keeping security per OU.

Now I am thinking I would have been better off just setting up "Security Group - Global" for each department and keeping everyone in one OU.

Thoughts please.

Part 2: I have read the article Terminal Services: from A to Z (www.2x.com/docs/en/manuals/pdf/TerminalServicesAtoZ.pdf) and it was great however does not work well with my oringinal scheme, I think.  In the guide it talks about creating an OU named TS (in my case I used RDS Users). For these users that are switching to RDS, I would move them from their departmental OU to the new RDS OU which completely breaks my original OU design.


I am ok with changing the OU design and revamping everything.  I have about 30 users and if it makes it easier to manage I am all for it.  I know organization design is a personal preference but I would like to hear from some experienced admins and their approach along with advantages and disadvantages.  All comments welcome becuase I trying to figure out what would fit best.

Also, I believe if I turn on the loopback processing users would be in "thick client" mode when they are logging on from a desktop or laptop versus thin client.

To the person who wrote the terminal services: from a to z, great job!
0
Comment
Question by:tucktech
3 Comments
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 100 total points
ID: 38857209
Loop back is a pain as it can cause issues, and people don't always understand so if someone else tries to troubleshoot they can break stuff


We Use OU's for organisational but keep the GPOI's applying at a top level so that they apply to most people.
We use security groups to filter GPO's applying, that way unless someones moves them out of the OU structure completely i.e. into the Domain Controllers OU then the polices are still there

Things like printers we use group policy preferences and Item level targettings to make sure they only apply to the right people
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 38857312
I personally like your design.  I like putting the GPOs "closer" to the actual user.    Let me try to find some more info on this.  GP MVP Darren Mar-Elia has some slides on GP Performance.

Thanks

Mike
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 300 total points
ID: 38857323
My philosophy is to create OUs only for those groups where the vast number of settings that will be applied via GPs are common.  IOW, I wouldn't necessarily create a separate OU by department UNLESS each department will have a significantly different set of policies being applied.  For most localized group policies, like printer deployments and drive mappings, you can control access by security groups. So, there would be one generic OU for users, and the users in each department would be in a separate global security group. There would be an overall "global" group policy applied to the entire OU, and then separate group policies for printers and drive mappings (if required) for each departmental security group.

It makes sense to create a separate OU for RDS users only if these users are always and only RDS users.  If the RDS users IDs are the same user IDs as the internal user IDs, it becomes difficult to manage them if they're in a separate RDS OU.  I have a lot of situations (mostly) where users work in the office and then they go home and work remotely using RDS.  Putting these users in a separate OU has only created unnecessary complexities in my experience, especially with a small group of users as you have, so I wouldn't recommend it.

In some cases, you may have to block inheritance in order to get the results you need.  It just depends on what settings are in what policies. You can also use the NoOverride setting to prevent certain policy settings from being overwritten by another policy that is processed later in the order of precedence (Local, Site, Domain, OU).
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question