Solved

Active Directory and RDS OU Organizing

Posted on 2013-02-05
3
539 Views
Last Modified: 2013-03-02
Hello Experts, I would like a few opinions on the organization of keeping users and setups simple and clean as well as with using it with RDS.

Part 1: Active Directory

I have setup my active directory so that I have an OU setup for each department and then I put the users in each of the departments.  I did this thinking it would be helpful when deploying printers and keeping security per OU.

Now I am thinking I would have been better off just setting up "Security Group - Global" for each department and keeping everyone in one OU.

Thoughts please.

Part 2: I have read the article Terminal Services: from A to Z (www.2x.com/docs/en/manuals/pdf/TerminalServicesAtoZ.pdf) and it was great however does not work well with my oringinal scheme, I think.  In the guide it talks about creating an OU named TS (in my case I used RDS Users). For these users that are switching to RDS, I would move them from their departmental OU to the new RDS OU which completely breaks my original OU design.


I am ok with changing the OU design and revamping everything.  I have about 30 users and if it makes it easier to manage I am all for it.  I know organization design is a personal preference but I would like to hear from some experienced admins and their approach along with advantages and disadvantages.  All comments welcome becuase I trying to figure out what would fit best.

Also, I believe if I turn on the loopback processing users would be in "thick client" mode when they are logging on from a desktop or laptop versus thin client.

To the person who wrote the terminal services: from a to z, great job!
0
Comment
Question by:tucktech
3 Comments
 
LVL 18

Assisted Solution

by:irweazelwallis
irweazelwallis earned 100 total points
ID: 38857209
Loop back is a pain as it can cause issues, and people don't always understand so if someone else tries to troubleshoot they can break stuff


We Use OU's for organisational but keep the GPOI's applying at a top level so that they apply to most people.
We use security groups to filter GPO's applying, that way unless someones moves them out of the OU structure completely i.e. into the Domain Controllers OU then the polices are still there

Things like printers we use group policy preferences and Item level targettings to make sure they only apply to the right people
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 100 total points
ID: 38857312
I personally like your design.  I like putting the GPOs "closer" to the actual user.    Let me try to find some more info on this.  GP MVP Darren Mar-Elia has some slides on GP Performance.

Thanks

Mike
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 300 total points
ID: 38857323
My philosophy is to create OUs only for those groups where the vast number of settings that will be applied via GPs are common.  IOW, I wouldn't necessarily create a separate OU by department UNLESS each department will have a significantly different set of policies being applied.  For most localized group policies, like printer deployments and drive mappings, you can control access by security groups. So, there would be one generic OU for users, and the users in each department would be in a separate global security group. There would be an overall "global" group policy applied to the entire OU, and then separate group policies for printers and drive mappings (if required) for each departmental security group.

It makes sense to create a separate OU for RDS users only if these users are always and only RDS users.  If the RDS users IDs are the same user IDs as the internal user IDs, it becomes difficult to manage them if they're in a separate RDS OU.  I have a lot of situations (mostly) where users work in the office and then they go home and work remotely using RDS.  Putting these users in a separate OU has only created unnecessary complexities in my experience, especially with a small group of users as you have, so I wouldn't recommend it.

In some cases, you may have to block inheritance in order to get the results you need.  It just depends on what settings are in what policies. You can also use the NoOverride setting to prevent certain policy settings from being overwritten by another policy that is processed later in the order of precedence (Local, Site, Domain, OU).
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question