Solved

Active Directory users are in a container

Posted on 2014-09-04
Last Modified: 2014-09-18
What is the best practice for where to put users in Active Directory? All of our users are in a container, not an OU; this includes Domain Admins, Enterprise Admins, groups, etc. I have to apply GPOs for screen lock, background, My Documents. What is the best way to apply these policies without affecting domain admin accounts, etc.?
Question by:HyperTech1911
6 Comments
 
LVL 14

Assisted Solution

by:Brad Groux
Brad Groux earned 166 total points
ID: 40303895
There is no "best practice" for how best to organize objects within Active Directory; how to do so will be directly determined by environment variables like environment usage, size, location(s) and complexity.

With that said, most people break down users via location and/or role levels. Some examples:
Domain Users
- Admins
- Developers
- Business Users


or
Domain Users
- Asia
-- Japan
--- Tokyo
--- Nagasaki 
- Europe
-- England
--- London
-- Germany
--- Berlin
--- Munich
- North America
- Canada
- United States
-- Texas
--- Dallas
--- Houston
-- Houston

 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40303896
I typically use a root OU that all users go into and branch that off as needed for different buildings, departments, etc., so that I can apply different group policies for different OUs where they need one setting and the others do not.
 

Author Comment

by:HyperTech1911
ID: 40303907
So I should separate users, groups, and domain admins into different OUs as opposed to having everyone in a container?

 
LVL 16

Assisted Solution

by:Spike99
Spike99 earned 167 total points
ID: 40303916
You could link the GPO to the OU where the machine accounts are located instead. So, when any user signs on to any of the servers in that OU, GPOs would be applied.

You can also add users to a group & use that group to apply security filtering to the GPO. Then, only members of that group who log on to the systems in that OU would have that GPO apply to them: that would prevent those policies from applying to any admin account when they log on to those same systems.
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40303920
For me, and most sys admins I have met, it is usually a good idea to separate as much as possible so that you can create a group policy for HR department with shortcuts on desktop and internet settings and mapped drives that people in your maintenance department will not get.
 
LVL 10

Accepted Solution

by:
Natty Greg earned 167 total points
ID: 40309034
Everything is set out above for you: separate OUs with the supplied GPO for security purposes. However, the day you lock your boss out is the day you get fired. Please separate these as fast as possible and apply the necessary restrictions.
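
One way to carry out the separation the answers above describe, as an added example that is not part of the original thread: it moves ordinary accounts out of the default CN=Users container (a GPO can be linked to a site, domain or OU, but not to a container), scopes the GPO with security filtering, and links it to the new OU. The domain DN, OU name, GPO name and group name are placeholder assumptions, and a single-domain forest is assumed.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example. Every name below is a placeholder (assumption), not a value from the thread.
$DomainDn  = 'DC=example,DC=com'
$UsersCn   = "CN=Users,$DomainDn"     # default container: a GPO cannot be linked to it
$StaffOu   = "OU=Staff,$DomainDn"     # new OU for ordinary user accounts
$GpoName   = 'Staff Desktop Policy'   # existing GPO: screen lock, background, My Documents
$FilterGrp = 'GPO-Staff-Desktop'      # existing security group used for security filtering
$DryRun    = $true                    # account moves are only previewed until this is $false

# 1. Create the OU if it is missing.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$StaffOu'")) {
    New-ADOrganizationalUnit -Name 'Staff' -Path $DomainDn
}

# 2. Accounts that must stay out of the policy's scope (single-domain forest assumed).
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty distinguishedName -Unique

# 3. Move everyone else out of CN=Users and into the filter group.
#    isCriticalSystemObject skips built-ins such as krbtgt and Guest.
Get-ADUser -Filter * -SearchBase $UsersCn -SearchScope OneLevel -Properties isCriticalSystemObject |
    Where-Object { -not $_.isCriticalSystemObject -and $_.DistinguishedName -notin $privileged } |
    ForEach-Object {
        Add-ADGroupMember -Identity $FilterGrp -Members $_ -WhatIf:$DryRun
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $StaffOu -WhatIf:$DryRun
    }

# 4. Scope the GPO before linking it: only the filter group applies it; Authenticated Users
#    keeps Read so the GPO can still be read during processing.
Set-GPPermission -Name $GpoName -TargetName $FilterGrp -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 5. Link the GPO to the OU. Admin accounts left in CN=Users are outside the link,
#    and the security filter excludes them even if one is later moved into the OU.
New-GPLink -Name $GpoName -Target $StaffOu -LinkEnabled Yes
```

Review the `-WhatIf` output for service accounts that also live in CN=Users before setting `$DryRun` to `$false`; steps 1, 4 and 5 change the directory even during a dry run.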

Question has a verified solution.
