Active Directory users are in a container

What is the best practice for where to put users in Active Directory? All of our users are in a container, not an OU; this includes Domain Admins, Enterprise Admins, groups, etc. I have to apply GPOs for screen lock, background, and My Documents. What is the best way to apply these policies without affecting domain admin accounts, etc.?
HyperTech1911 asked:

Natty Greg (In Theory (IT)) commented:
Everything is set out above for you: separate OUs with the supplied GPOs for security purposes. However, the day you lock your boss out is the day you get fired. Please separate these as fast as possible and apply the necessary restrictions.

Brad Groux (Senior Manager, Wintel Engineering) commented:
There is no "best practice" for how best to organize objects within Active Directory; how to do so will be directly determined by environment variables like environment usage, size, location(s) and complexity.

With that said, most people break down users via location and/or role levels. Some examples:

Domain Users
- Admins
- Developers
- Business Users

or

Domain Users
- Asia
-- Japan
--- Tokyo
--- Nagasaki
- Europe
-- England
--- London
-- Germany
--- Berlin
--- Munich
- North America
-- Canada
-- United States
--- Texas
---- Dallas
---- Houston

Gabriel Clifton commented:
I typically use a root OU that all users go into and branch that off as needed for different buildings, departments, etc., so that I can apply different group policies for different OUs where they need one setting and the others do not.

HyperTech1911 (author) commented:
So I should separate users, groups, and domain admins into different OUs as opposed to having everyone in a container?

Spike99 (On-Site IT Technician) commented:
You could link the GPO to the OU where the machine accounts are located instead. So, when any user signs on to any of the servers in that OU, GPOs would be applied.

You can also add users to a group & use that group to apply security filtering to the GPO. Then, only members of that group who log on to the systems in that OU would have that GPO apply to them: that would prevent those policies from applying to any admin account when they log on to those same systems.

Gabriel Clifton commented:
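The approach the thread converges on (move accounts out of the default Users container into dedicated OUs, keep admin accounts in their own OU, and security-filter the GPO to one group) as an added PowerShell example; this is not code from any participant. OU names, the group name and the GPO name are constructed placeholders, and the script assumes the RSAT ActiveDirectory and GroupPolicy modules are available.

```powershell
# Added example (not from the thread). Run from an elevated prompt with the
# AD and GPO RSAT modules installed. Names below are constructed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName       # e.g. DC=example,DC=com
$corpOU   = "OU=Corp,$domainDN"
$usersOU  = "OU=Standard Users,$corpOU"
$adminOU  = "OU=Admin Accounts,$corpOU"
$groupsOU = "OU=Groups,$corpOU"

# 1. Build the OU tree (new OUs are protected from accidental deletion by default).
New-ADOrganizationalUnit -Name "Corp" -Path $domainDN
foreach ($name in "Standard Users", "Admin Accounts", "Groups") {
    New-ADOrganizationalUnit -Name $name -Path $corpOU
}

# 2. Work out which accounts are privileged so they land in the admin OU and
#    never sit under the OU that the lock-screen/desktop GPO is linked to.
$privileged = "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators" |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Select-Object -ExpandProperty DistinguishedName -Unique

# Built-in accounts stay in CN=Users; everything else is moved.
Get-ADUser -Filter * -SearchBase "CN=Users,$domainDN" -SearchScope OneLevel |
    Where-Object { $_.SamAccountName -notin "Administrator", "krbtgt", "Guest" } |
    ForEach-Object {
        $target = if ($_.DistinguishedName -in $privileged) { $adminOU } else { $usersOU }
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $target
    }

# 3. Security filtering (Spike99's second suggestion): only members of one
#    group receive the GPO. Authenticated Users keeps Read, not Apply, so the
#    client can still fetch the GPO (required since the MS16-072 change).
$gpoName   = "User - Screen Lock and Desktop"
$applyGrp  = "GPO-Apply-StandardUsers"
New-ADGroup -Name $applyGrp -GroupScope Global -Path $groupsOU
Add-ADGroupMember -Identity $applyGrp -Members (Get-ADUser -Filter * -SearchBase $usersOU)

New-GPO -Name $gpoName | New-GPLink -Target $usersOU | Out-Null
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpoName -TargetName $applyGrp -TargetType Group -PermissionLevel GpoApply

# If you instead link the GPO to the computer OU (Spike99's first suggestion),
# user settings only apply with loopback processing enabled (1 = Merge):
# Set-GPRegistryValue -Name $gpoName -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
#     -ValueName UserPolicyMode -Type DWord -Value 1

# Verify: Domain Admins should not hold GpoApply on the GPO.
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission
```

After the move, run gpresult /r as a standard user and as an admin on a shared machine to confirm the GPO applies only to the former.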
For me, and most sysadmins I have met, it is usually a good idea to separate as much as possible so that you can create a group policy for the HR department with shortcuts on the desktop, internet settings and mapped drives that people in your maintenance department will not get.