Solved

Active Directory user are in a container

Posted on 2014-09-04
6
123 Views
Last Modified: 2014-09-18
what the best practice for where to put users in Active Directory.   All of our users are in a container  not a OU this includes Domain Admin, Enterprise Admins, Groups etc. I have to apply and  GPO's for screen lock, background, My documents.  what best way to apply these policies without affecting  domain admin accounts etc.?
0
Comment
Question by:HyperTech1911
6 Comments
 
LVL 14

Assisted Solution

by:Brad Groux
Brad Groux earned 166 total points
ID: 40303895
There is no "best practice" for how best to organize objects within Active Directory, how to do so will be directly determined by environment variables like environment usage, size, location(s) and complexity.

With that said, most people break down users via location and/or role levels. Some examples:
Domain Users
- Admins
- Developers
- Business Users

Open in new window

or
Domain Users
- Asia
-- Japan
--- Tokyo
--- Nagasaki 
- Europe
-- England
--- London
-- Germany
--- Berlin
--- Munich
- North America
- Canada
- United States
-- Texas
--- Dallas
--- Houston
-- Houston

Open in new window

0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40303896
I typically use a root OU that all users go into and branch that off as needed for different buildings, departments, etc so that I can apply different group policies for different OUs where they need one setting and the others do not.
0
 

Author Comment

by:HyperTech1911
ID: 40303907
so I should separate uses, groups , and domain admins in to different OU's as appose to having everyone in a container?
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 16

Assisted Solution

by:Spike99
Spike99 earned 167 total points
ID: 40303916
You could link the GPO to the OU where the machine accounts are located instead.  So, when any user signs on to any of the servers in that ou, GPOs would be applied.

You can also add users to a group & use that group to apply security filtering to the GPO. Then, only members of that group who log on to the systems in that OU would have that GPO apply to them: that would prevent those policies from applying to any admin account when they log on to those same systems.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40303920
For me, and most sys admins I have met, it is usually a good idea to separate as much as possible so that you can create a group policy for HR department with shortcuts on desktop and internet settings and mapped drives that people in your maintenance department will not get.
0
 
LVL 9

Accepted Solution

by:
nattygreg earned 167 total points
ID: 40309034
Everything is set out above for you, separate OU's with the supplied GPO for security purpose, however the day you lock your boss out is the day you get fired. Please separate these fast as possible and apply the necessary restrictions.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Have you ever had a hard drive that you can't boot into, but need to change the registry? Here is the solution! This article guides you through accessing and editing a registry of a non-primary drive. To read registry information on a non-prim…
When you upgrade from Windows 8 to 8.1 or to Windows 10 or if you are like me you are on the Insider Program you may find yourself with many 450MB recovery partitions.  With a traditional disk that may not be a problem but with relatively smaller SS…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now