Solved

Active Directory users are in a container

Posted on 2014-09-04
Last Modified: 2014-09-18
What is the best practice for where to put users in Active Directory? All of our users are in a container, not an OU; this includes Domain Admins, Enterprise Admins, groups, etc. I have to apply GPOs for screen lock, background, My Documents. What is the best way to apply these policies without affecting domain admin accounts, etc.?
Question by:HyperTech1911
6 Comments
 
LVL 14

Assisted Solution

by:Brad Groux
Brad Groux earned 166 total points
ID: 40303895
There is no "best practice" for how best to organize objects within Active Directory; how to do so will be directly determined by environment variables like environment usage, size, location(s) and complexity.

With that said, most people break down users via location and/or role levels. Some examples:
Domain Users
- Admins
- Developers
- Business Users


or
Domain Users
- Asia
-- Japan
--- Tokyo
--- Nagasaki 
- Europe
-- England
--- London
-- Germany
--- Berlin
--- Munich
- North America
- Canada
- United States
-- Texas
--- Dallas
--- Houston
-- Houston


0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40303896
I typically use a root OU that all users go into and branch that off as needed for different buildings, departments, etc. so that I can apply different group policies for different OUs where they need one setting and the others do not.
0
 

Author Comment

by:HyperTech1911
ID: 40303907
So I should separate users, groups, and domain admins into different OUs as opposed to having everyone in a container?
0
 
LVL 17

Assisted Solution

by:Spike99
Spike99 earned 167 total points
ID: 40303916
You could link the GPO to the OU where the machine accounts are located instead. So, when any user signs on to any of the servers in that OU, GPOs would be applied.

You can also add users to a group & use that group to apply security filtering to the GPO. Then, only members of that group who log on to the systems in that OU would have that GPO apply to them: that would prevent those policies from applying to any admin account when they log on to those same systems.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40303920
For me, and most sys admins I have met, it is usually a good idea to separate as much as possible so that you can create a group policy for HR department with shortcuts on desktop and internet settings and mapped drives that people in your maintenance department will not get.
0
 
LVL 13

Accepted Solution

by:Natty Greg
Natty Greg earned 167 total points
ID: 40309034
Everything is set out above for you: separate OUs with the supplied GPO for security purposes. However, the day you lock your boss out is the day you get fired. Please separate these as fast as possible and apply the necessary restrictions.
0
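
The steps suggested across the answers above (separate OUs for ordinary and privileged accounts, a GPO linked only where it should apply, and group-based security filtering), as an added PowerShell example that is not part of the original thread. The domain `contoso.example`, the OU names, the GPO name and the group `GPO-Staff-Desktop` are hypothetical placeholders, and a single-domain forest is assumed.

```powershell
# Added example; every name below is a hypothetical placeholder, not from the thread.
Import-Module ActiveDirectory, GroupPolicy

$domainDN    = 'DC=contoso,DC=example'   # placeholder; single-domain forest assumed
$usersCN     = "CN=Users,$domainDN"      # default container: GPOs cannot be linked to it
$gpoName     = 'Staff Desktop Policy'    # would hold screen lock, background, My Documents
$filterGroup = 'GPO-Staff-Desktop'

# 1. Separate OUs for ordinary users and for privileged accounts.
$staffOU = New-ADOrganizationalUnit -Name 'Staff' -Path $domainDN -PassThru
$adminOU = New-ADOrganizationalUnit -Name 'Admin Accounts' -Path $domainDN -PassThru

# 2. Collect the DNs of every user who is (directly or nested) a privileged admin.
$privDNs = foreach ($g in 'Domain Admins', 'Enterprise Admins') {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty distinguishedName
}

# 3. Sort users out of the container. Accounts flagged isCriticalSystemObject
#    (built-ins such as krbtgt) stay where they are. -WhatIf makes this a dry run.
Get-ADUser -Filter * -SearchBase $usersCN -SearchScope OneLevel -Properties isCriticalSystemObject |
    Where-Object { -not $_.isCriticalSystemObject } |
    ForEach-Object {
        $target = if ($privDNs -contains $_.DistinguishedName) { $adminOU } else { $staffOU }
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $target.DistinguishedName -WhatIf
    }

# 4. Link the GPO to the staff OU only, so accounts in the admin OU never receive it.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $staffOU.DistinguishedName | Out-Null

# 5. Security filtering: only members of the filter group apply the GPO.
#    Authenticated Users keeps Read so the GPO can still be read during processing.
New-ADGroup -Name $filterGroup -GroupScope Global -GroupCategory Security -Path $staffOU.DistinguishedName
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $filterGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
```

Review the `-WhatIf` output before removing the switch, and confirm that every privileged account landed in the admin OU before configuring restrictive settings in the GPO.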
