designing -- single domain, single location

Discussion in 'Active Directory' started by Terry, Feb 19, 2007.

  1. Terry

    Terry Guest

    Good morning,

    I am designing a simple AD that will consist of a single domain. We only
    have 1 location, so no need to delegate administration to other personnel
    other than what I have direct control over. The part that I am stuck on is
    OU/Group design. I have different business groups that have different levels
    of management. For example: call center and distribution center where users
    move to different PCs often and I will want to restrict their functionality.
    Other departments will be a little less restrictive. When I create GPOs, I
    can tie specific GROUPS of people to those GPOs, or I can logically separate
    them out by OU. Which and why?

    Terry, Feb 19, 2007

    > When I create GPOs, I can tie specific GROUPS of people to those GPOs, or

    You can do both. It's generally easier to do this by linking policies to
    OUs, but depending on where your user and computer objects are, it is
    sometimes necessary to introduce filtering, which effectively allows you to
    apply policy to groups of computers or users. However, this becomes more
    difficult to manage in large environments. Generally, consider doing it by
    OU only unless you have to introduce filtering or WQL queries. Those are the
    recommendations as far as I remember.
    Paul Williams [MVP], Feb 19, 2007

  3. Since group policy does not apply to groups, move the users/computers into
    an OU and apply your group policy accordingly.

    Danny Sanders, Feb 19, 2007
  4. Terry

    Terry Guest

    I am sorry, I don't understand this part. I can assign groups directly to
    GPOs. How does it not apply to groups?

    Terry, Feb 19, 2007
  5. Technically, a GPO only applies to a user or computer object. Policies are
    linked to sites, domains and OUs. You implement what appears to be the
    ability to apply policy to groups by applying to a container object and
    filtering the scope of the GPO. You do this by granting apply policy
    permissions to the group only. This means that users (or computers) who are
    within scope of the policy try to apply the policy but only those that are
    members of said group actually have permissions to do so. I've briefly
    discussed this here:

    It's also documented in a host of other places.
    Paul Williams [MVP], Feb 19, 2007
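The mechanism Paul describes (link the GPO to a container, then restrict who holds the Apply Group Policy permission) in PowerShell, as an added example that is not part of the thread. It assumes the RSAT GroupPolicy and ActiveDirectory modules, a hypothetical domain corp.example, an OU "Call Center" and a group "CallCenter-Kiosk-Users"; all names are made up for illustration. One caveat a practitioner should know that post-dates this thread: since MS16-072 (June 2016) the computer account must still be able to read a GPO for its User Configuration settings to process, so the example removes Apply from Authenticated Users but deliberately leaves Read in place.

```powershell
# Added example, not from the original thread. Hypothetical names throughout.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=example'
$ou       = "OU=Call Center,$domainDn"
$gpoName  = 'CallCenter-Lockdown'
$group    = 'CallCenter-Kiosk-Users'

# 1. Create the GPO and link it to the OU. Linking is what puts the users and
#    computers in that OU "in scope"; nothing is filtered yet.
New-GPO -Name $gpoName -Comment 'Restricts call-center kiosk sessions' | Out-Null
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null

# A sample lockdown setting: "Prohibit access to Control Panel" (User Configuration).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# 2. Filter the scope. By default "Authenticated Users" holds Read + Apply.
#    -Replace with GpoRead drops Apply but keeps Read. Keeping Read matters:
#    since MS16-072 the computer account (an Authenticated User) must read the
#    GPO or the user settings are silently not processed.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. Grant Apply (which implies Read) only to the intended group. Users in the
#    OU who are not members evaluate the link but are denied Apply, which is
#    exactly the "group policy does not apply to groups" point above.
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Verify the resulting ACL: Authenticated Users = GpoRead, the group = GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission, Denied |
    Format-Table -AutoSize

# 5. When a user "does not get the policy", check group membership before the GPO.
Get-ADGroupMember -Identity $group | Select-Object SamAccountName
```

Run this from a domain-joined admin workstation with RSAT installed; `gpupdate /force` on a test machine followed by `gpresult /r` shows the GPO under "Applied Group Policy Objects" for a group member and under "Filtering: Denied (Security)" for everyone else in the OU. The filtering approach works, but every filtered GPO is one more ACL to audit, which is why the advice in the thread is to prefer OU linking and reserve filtering for the cases that really need it.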
  6. Terry

    Terry Guest

    So, it is clear that I need to create different OUs for each logical
    business unit and assign users to those OUs based on their permissions. I
    have read to try and not overdo OU creation and keep it to a minimum.

    On that note, I have been trying to find examples on the net regarding OU
    design. I am stuck on naming conventions and such. I have thought about
    assigning different levels to OUs:

    Level1 -- call center, distribution, etc: most restrictive
    Level2 -- other business units: medium restrictions
    Level3 -- IT personnel


    I could create an OU for each business unit regardless of their
    functionality need:

    Call Center
    Distribution Center

    What do you guys think? I like having a clean slate, makes things fun. :)
    Terry, Feb 19, 2007
  7. OUs have two technical purposes, and one fluffy non-technical purpose:

    Delegation of administration
    Policy application

    The fluffy one is organising things so it's easier on the eye.

    If you have a need to lock some users down, over others, then your
    restricted, medium and low level OUs are a good idea. Consider what else you
    need to do though. Do you need to define folder redirection and/ or proxy
    settings per business unit? If so, you might have to divide up into
    business units and apply policies that way.

    There's no hard and fast rule. It entirely depends on your business's
    requirements and the organisation's structure.
    Paul Williams [MVP], Feb 19, 2007
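An added example, not from the thread, of an OU tree that serves both of Paul's technical purposes at once: one OU per business unit (so folder redirection or proxy settings can be linked per unit later), users and computers kept in separate branches so User and Computer Configuration policies can be linked independently, a baseline GPO linked high so every child OU inherits it, and a stricter GPO linked only to the restricted units. The domain corp.example, the OU, GPO and group names, and the use of the Department attribute to sort users are all assumptions for illustration.

```powershell
# Added example, not from the original thread. Hypothetical names throughout.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example'

# Parent OUs for users and computers, one child OU per business unit under each.
$tree = @{
    'Corp Users'     = @('Call Center', 'Distribution Center', 'Finance', 'IT')
    'Corp Computers' = @('Call Center', 'Distribution Center', 'Office', 'IT')
}
foreach ($parent in $tree.Keys) {
    New-ADOrganizationalUnit -Name $parent -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true
    foreach ($child in $tree[$parent]) {
        New-ADOrganizationalUnit -Name $child -Path "OU=$parent,$domainDn" `
            -ProtectedFromAccidentalDeletion $true
    }
}

# Policy by OU: a baseline linked to the parent is inherited by every child OU;
# the lockdown is linked only where it is wanted, so no security filtering is needed.
New-GPO -Name 'Baseline-User' | Out-Null
New-GPLink -Name 'Baseline-User' -Target "OU=Corp Users,$domainDn" -LinkEnabled Yes | Out-Null

New-GPO -Name 'Restricted-User' | Out-Null
foreach ($bu in 'Call Center', 'Distribution Center') {
    New-GPLink -Name 'Restricted-User' -Target "OU=$bu,OU=Corp Users,$domainDn" `
        -LinkEnabled Yes | Out-Null
}

# Delegation by OU: even with a single admin today, delegating password resets
# to a helpdesk group on one OU shows why the OU boundary is the delegation
# boundary. dsacls is built in; the ACE grants the "Reset Password" right on
# user objects, inherited to subobjects only (/I:S).
$cc = "OU=Call Center,OU=Corp Users,$domainDn"
dsacls $cc /I:S /G 'CORP\Helpdesk:CA;Reset Password;user'

# Verify what a Call Center user will receive: the direct Restricted link plus
# the inherited Baseline. Order in the list is processing precedence.
$inh = Get-GPInheritance -Target $cc
$inh.GpoLinks          | Select-Object DisplayName, Enabled, Enforced, Order
$inh.InheritedGpoLinks | Select-Object DisplayName, Target

# Populate the OU from the default Users container by department attribute.
Get-ADUser -Filter 'Department -eq "Call Center"' -SearchBase "CN=Users,$domainDn" |
    Move-ADObject -TargetPath $cc
```

The design choice worth noting is that the "Level1/Level2/Level3" idea from earlier in the thread does not need its own OUs: restriction levels become GPOs, and the level a business unit gets is decided by which OUs the GPO is linked to. That keeps the OU count small while still leaving a place to hang a per-business-unit policy later, which is the flexibility Terry is after.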
  8. Terry

    Terry Guest

    You mean there isn't a download that fits my needs exactly?
    BAH! Thanks for your help guys. If there are no serious issues with
    separating each business unit into their own OU, I will do it that way. It
    sounds like it will give me possible flexibility in the future.
    Terry, Feb 19, 2007
