Users, Groups and Computers - BEst practise?

Discussion in 'Active Directory' started by Michael, Jan 30, 2007.

  1. Michael

    Michael Guest


    Just a quick question really to settle a debate about a redesign of AD
    structure we are having.

    What is the ideal way within USers and Computers to organise things?

    My opinion was we have a group called Servers in which we put all of our
    machine room servers in. Should this be drilled down further into Web
    Servers, SQL Servers etc etc?

    Within Users we have all our deparments listed - within a department - say
    for example NEtwork Services should there be more groups which say:
    Computers (all the computers of the users in Network Services)
    USers (all the users in Network Services dept)
    Email GRoups(all the email groups in Network Services dept)
    Security groups(all the security groups in Network Services dept)
    Should file shares be in here as well?

    Or should all/some of these be somewhere else etc?

    I guess it depends on each circumstance but i'm looking for best practise
    again really.

    Ideally if anyone has any screenshots of their setup that would be

    Michael, Jan 30, 2007
    1. Advertisements

  2. Michael-

    I usually organize servers geographically and by function. If you only have
    one location then you have things a little easier.

    That said if you've got an OU for a type of server of which you have one, it
    becomes inefficient. There's a balance you have to strike between a generic
    server's OU and a tree under it for special types for it to work.

    Brian Desmond
    Windows Server MVP - Directory Services
    Brian Desmond [MVP], Jan 31, 2007
    1. Advertisements

  3. I'm guessing you mean OU's instead of groups.

    We manage our Servers by roles they play within the organization. The base
    is servers and within that we have Citrix, Web, File_Print, etc... but in
    the end it really should be based on how you need to manage your machines.

    From what I have read and heard most organizations, organize users by either
    org chart or geographical location. I have worked for companies that have
    done it both ways and both worked fine for them. We currently use org chart
    type and can push certain gpo's based on scope.

    Best of luck and hope this has helped.
    Paul Bergson [MVP-DS], Jan 31, 2007
  4. Michael

    Herb Martin Guest

    Brian and Paul have given you different EXAMPLE answers, both correct
    in some situations, and both have indicated these are not "generically

    The "right" answer (as they indicated) is dependent on the particular
    organization but GENERALLY should follow one of the following:

    1) Function (computers) or Role (users)
    2) Geography (but this can be handled by Sites sometimes)
    3) Department (business org, and frequently different from function/role
    4) Task or team (and variations on all of the above.)

    The key idea is to set it up so that it is easy to implement your business
    DELEGATION (of control) and LINKING of GPOs.

    You design the OU structure primarily for these two ideas.

    For example, if you have different admin people at each physical location,
    this TENDS towards or suggests geographic organization, but if you
    have admins assigned to each business unit (i.e., sales, engineering) this
    to suggest using OU that equate to those business units.

    If the company is large, with business units spread over multiple locatins
    you look at how the DELEGATION hierarch works. Do all the admins
    for sales report to the same manager even though they are at different
    Or do all the IT people in Chicago report to a Chicago senior admin/exec no
    matter what department they server.

    For Geography, we also have the idea that Sites can get GPOs, so that
    one design constraint.

    Users (and Computers) are NOT "OUs" (organization units) so they cannot
    have child OUs which prevents the hierarchy from being extended there.

    These containers (Users and Computers) not being OUs cannot have GPOs
    linked either.

    GROUPS are not used for "organinizing" you company for delegation and
    GPO linkage but rather for granting (and denying) privileges, either
    or rights.
    Groups can be created anywhere that is convenient for you (and consistent
    with your delegation strategy) since they are irrelevant to the actual
    of group policy (Group Policy is NOT linked to groups or their OUs, and
    it almost unrelated to Groups except for permission filtering.)
    The best practice is to understand the design philosophy Microsoft
    and the apply that to a particular situation rather than expecting there is
    a best
    practice "design" for most situations.

    It's in the method, not the design that the best practice emerges in this
    They would only mislead you probably.
    Herb Martin, Jan 31, 2007
  5. Michael

    SLongxyzzy Guest

    All that - but leave the DC's where MS put them.
    SLongxyzzy, Jan 31, 2007
  6. Michael

    Herb Martin Guest


    DCs to NOT like to be remove from the Domain Controller OU.
    Herb Martin, Jan 31, 2007
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.