?
Solved

Active Directory and RDS OU Organizing

Posted on 2013-02-05
3
Medium Priority
?
560 Views
Last Modified: 2013-03-02
Hello Experts, I would like a few opinions on the organization of keeping users and setups simple and clean as well as with using it with RDS.

Part 1: Active Directory

I have setup my active directory so that I have an OU setup for each department and then I put the users in each of the departments.  I did this thinking it would be helpful when deploying printers and keeping security per OU.

Now I am thinking I would have been better off just setting up "Security Group - Global" for each department and keeping everyone in one OU.

Thoughts please.

Part 2: I have read the article Terminal Services: from A to Z (www.2x.com/docs/en/manuals/pdf/TerminalServicesAtoZ.pdf) and it was great however does not work well with my oringinal scheme, I think.  In the guide it talks about creating an OU named TS (in my case I used RDS Users). For these users that are switching to RDS, I would move them from their departmental OU to the new RDS OU which completely breaks my original OU design.


I am ok with changing the OU design and revamping everything.  I have about 30 users and if it makes it easier to manage I am all for it.  I know organization design is a personal preference but I would like to hear from some experienced admins and their approach along with advantages and disadvantages.  All comments welcome becuase I trying to figure out what would fit best.

Also, I believe if I turn on the loopback processing users would be in "thick client" mode when they are logging on from a desktop or laptop versus thin client.

To the person who wrote the terminal services: from a to z, great job!
0
Comment
Question by:tucktech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 300 total points
ID: 38857209
Loop back is a pain as it can cause issues, and people don't always understand so if someone else tries to troubleshoot they can break stuff


We Use OU's for organisational but keep the GPOI's applying at a top level so that they apply to most people.
We use security groups to filter GPO's applying, that way unless someones moves them out of the OU structure completely i.e. into the Domain Controllers OU then the polices are still there

Things like printers we use group policy preferences and Item level targettings to make sure they only apply to the right people
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 300 total points
ID: 38857312
I personally like your design.  I like putting the GPOs "closer" to the actual user.    Let me try to find some more info on this.  GP MVP Darren Mar-Elia has some slides on GP Performance.

Thanks

Mike
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 900 total points
ID: 38857323
My philosophy is to create OUs only for those groups where the vast number of settings that will be applied via GPs are common.  IOW, I wouldn't necessarily create a separate OU by department UNLESS each department will have a significantly different set of policies being applied.  For most localized group policies, like printer deployments and drive mappings, you can control access by security groups. So, there would be one generic OU for users, and the users in each department would be in a separate global security group. There would be an overall "global" group policy applied to the entire OU, and then separate group policies for printers and drive mappings (if required) for each departmental security group.

It makes sense to create a separate OU for RDS users only if these users are always and only RDS users.  If the RDS users IDs are the same user IDs as the internal user IDs, it becomes difficult to manage them if they're in a separate RDS OU.  I have a lot of situations (mostly) where users work in the office and then they go home and work remotely using RDS.  Putting these users in a separate OU has only created unnecessary complexities in my experience, especially with a small group of users as you have, so I wouldn't recommend it.

In some cases, you may have to block inheritance in order to get the results you need.  It just depends on what settings are in what policies. You can also use the NoOverride setting to prevent certain policy settings from being overwritten by another policy that is processed later in the order of precedence (Local, Site, Domain, OU).
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question