Solved

Active Directory user are in a container

Posted on 2014-09-04
6
129 Views
Last Modified: 2014-09-18
what the best practice for where to put users in Active Directory.   All of our users are in a container  not a OU this includes Domain Admin, Enterprise Admins, Groups etc. I have to apply and  GPO's for screen lock, background, My documents.  what best way to apply these policies without affecting  domain admin accounts etc.?
0
Comment
Question by:HyperTech1911
6 Comments
 
LVL 14

Assisted Solution

by:Brad Groux
Brad Groux earned 166 total points
ID: 40303895
There is no "best practice" for how best to organize objects within Active Directory, how to do so will be directly determined by environment variables like environment usage, size, location(s) and complexity.

With that said, most people break down users via location and/or role levels. Some examples:
Domain Users
- Admins
- Developers
- Business Users

Open in new window

or
Domain Users
- Asia
-- Japan
--- Tokyo
--- Nagasaki 
- Europe
-- England
--- London
-- Germany
--- Berlin
--- Munich
- North America
- Canada
- United States
-- Texas
--- Dallas
--- Houston
-- Houston

Open in new window

0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40303896
I typically use a root OU that all users go into and branch that off as needed for different buildings, departments, etc so that I can apply different group policies for different OUs where they need one setting and the others do not.
0
 

Author Comment

by:HyperTech1911
ID: 40303907
so I should separate uses, groups , and domain admins in to different OU's as appose to having everyone in a container?
0
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

 
LVL 17

Assisted Solution

by:Spike99
Spike99 earned 167 total points
ID: 40303916
You could link the GPO to the OU where the machine accounts are located instead.  So, when any user signs on to any of the servers in that ou, GPOs would be applied.

You can also add users to a group & use that group to apply security filtering to the GPO. Then, only members of that group who log on to the systems in that OU would have that GPO apply to them: that would prevent those policies from applying to any admin account when they log on to those same systems.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40303920
For me, and most sys admins I have met, it is usually a good idea to separate as much as possible so that you can create a group policy for HR department with shortcuts on desktop and internet settings and mapped drives that people in your maintenance department will not get.
0
 
LVL 11

Accepted Solution

by:
Natty Greg earned 167 total points
ID: 40309034
Everything is set out above for you, separate OU's with the supplied GPO for security purpose, however the day you lock your boss out is the day you get fired. Please separate these fast as possible and apply the necessary restrictions.
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Hallo! I guess almost every Windows Administrator must have got stumped with this question "Where does WINDOWS store a users cached credentials? Every user who had once logged onto a Server/Desktop while it was connected to the domain could sti…
This article covers how to install the Microsoft Windows Operating System (OS). What is covered in this article:  > Different Versions and Editions of the Windows OS  > Upgrading versus Fresh Installation of the OS           - Steps to take pr…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question