OU Design with single domain AD structure

Mikey

Distinguished
Dec 31, 2007
322
0
18,780
Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have been wrestling with a couple of issues in regard to the OU
design of our AD structure. I have a pretty good idea about almost all
the OUs, except for the ones that will contain the computer accounts.
I'm hoping some folks will take a look and help me decide which way to
go. Hopefully I can keep this simple.

The OUs I'm pretty certain of will be off the root of the domain and
will be as follows. I'll just use Our to represent the company name.

Our Administrators - will contain admin users and computers as well as
Global groups whose membership is controlled by admins.

Our Users - will contain all the normal users. If any specific groups
of users need separation, a sub OU can be created below this one.

Our Resources - will contain OUs for different departments of users.
These OUs will be populated with Global groups for departmental access
to files, printer objects, and share objects.

Our Service Accounts - will contain all service user accounts.

The computer accounts are where I'm uncertain. Here are the layouts I'm
considering...

Domain.com
  Our Servers
    Application
      Corporate
      Manufacturing
    Database
      Corporate
      Manufacturing
  Our Workstations
    Corporate
    Manufacturing

Domain.com
  Corporate Computers
    Servers
      Application
      Database
    Workstations
  Manufacturing Computers
    Servers
      Application
      Database
    Workstations

Domain.com
  Our Computers
    Corporate
      Servers
        Application
        Database
      Workstations
    Manufacturing
      Servers
        Application
        Database
      Workstations

I'm really looking to maximize the use of group policy and ensure that
the application of the policy layers performs well. I can convince
myself of just about any one of them. I'm hoping somebody may have some
suggestions or improvements.

Thanks in advance,

Mike
 

Mikey

My indentations didn't show the actual layouts I had intended... Here's
another try...

I have been wrestling with a couple of issues in regard to the OU
design of our AD structure. I have a pretty good idea about almost all
the OUs, except for the ones that will contain the computer accounts.
I'm hoping some folks will take a look and help me decide which way to
go. Hopefully I can keep this simple.

The OUs I'm pretty certain of will be off the root of the domain and
will be as follows. I'll just use Our to represent the company name.

Our Administrators - will contain admin users and computers as well as
Global groups whose membership is controlled by admins.

Our Users - will contain all the normal users. If any specific groups
of users need separation, a sub OU can be created below this one.

Our Resources - will contain OUs for different departments of users.
These OUs will be populated with Global groups for departmental access
to files, printer objects, and share objects.

Our Service Accounts - will contain all service user accounts.

The computer accounts are where I'm uncertain. Here are the layouts I'm
considering...

Domain.com
  Our Servers
    Application
      Corporate
      Manufacturing
    Database
      Corporate
      Manufacturing
  Our Workstations
    Corporate
    Manufacturing

Domain.com
  Corporate Computers
    Servers
      Application
      Database
    Workstations
  Manufacturing Computers
    Servers
      Application
      Database
    Workstations

Domain.com
  Our Computers
    Corporate
      Servers
        Application
        Database
      Workstations
    Manufacturing
      Servers
        Application
        Database
      Workstations

I'm really looking to maximize the use of group policy and ensure that
the application of the policy layers performs well. I can convince
myself of just about any one of them. I'm hoping somebody may have some
suggestions or improvements.

Thanks in advance,

Mike
 
Guest

Mikey,

Just speaking from my personal experience, I would use the first layout as
opposed to the second. The reason I would structure it this way is that you
may have group policies that you want to apply to ALL servers and/or ALL
workstations, regardless of their role. Although you could accomplish the
same thing by linking the same GPO to multiple OUs it's a little cleaner to
link the GPO in one place.

JMHO

JHK

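As an added example (not part of Mike's or JHK's posts), the following PowerShell builds the first layout and links one baseline GPO at the top of Our Servers, so every server OU beneath it inherits the link; the site-first layouts would need the same GPO linked under both Corporate and Manufacturing. It assumes the ActiveDirectory and GroupPolicy RSAT modules on a current domain (the thread is Windows 2000-era, when these cmdlets did not exist); the domain, OU names and GPO names are assumptions.

```powershell
# Added example, not code from the original thread. Assumes RSAT modules
# ActiveDirectory and GroupPolicy; OU and GPO names are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=domain,DC=com

# Layout 1: role first, then site. Paths are written parent/child.
$tree = @(
    'Our Servers',
    'Our Servers/Application',
    'Our Servers/Application/Corporate',
    'Our Servers/Application/Manufacturing',
    'Our Servers/Database',
    'Our Servers/Database/Corporate',
    'Our Servers/Database/Manufacturing',
    'Our Workstations',
    'Our Workstations/Corporate',
    'Our Workstations/Manufacturing'
)

function ConvertTo-OuDN {
    # "Our Servers/Application" -> "OU=Application,OU=Our Servers,DC=..."
    param([string]$Path, [string]$BaseDN)
    $parts = $Path -split '/'
    [array]::Reverse($parts)
    return (($parts | ForEach-Object { "OU=$_" }) -join ',') + ",$BaseDN"
}

foreach ($path in $tree) {
    $name = ($path -split '/')[-1]
    $parent = if ($path -match '/') {
        ConvertTo-OuDN -Path ($path -replace '/[^/]+$', '') -BaseDN $domainDN
    } else { $domainDN }
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" `
        -SearchBase $parent -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $true
    }
}

# One link at Our Servers, inherited by every server OU below it, instead of
# one link per site OU as the second and third layouts would require.
$serversOU = ConvertTo-OuDN -Path 'Our Servers' -BaseDN $domainDN
$baseline = Get-GPO -Name 'Server Baseline' -ErrorAction SilentlyContinue
if (-not $baseline) { $baseline = New-GPO -Name 'Server Baseline' }
New-GPLink -Name $baseline.DisplayName -Target $serversOU -LinkEnabled Yes | Out-Null

# Role-specific policy is linked one level down and layers on top of the baseline.
$dbGpo = Get-GPO -Name 'Database Servers' -ErrorAction SilentlyContinue
if (-not $dbGpo) { $dbGpo = New-GPO -Name 'Database Servers' }
New-GPLink -Name $dbGpo.DisplayName `
    -Target (ConvertTo-OuDN -Path 'Our Servers/Database' -BaseDN $domainDN) -LinkEnabled Yes | Out-Null

# Check: every link a Manufacturing database server will process, in order,
# including the ones inherited from Our Servers and the domain.
$leaf = ConvertTo-OuDN -Path 'Our Servers/Database/Manufacturing' -BaseDN $domainDN
(Get-GPInheritance -Target $leaf).InheritedGpoLinks |
    Select-Object Order, DisplayName, Target, Enforced
```

Run it from an account that can create OUs and GPOs. The Get-GPInheritance check at the end is the quickest way to confirm that a single link at Our Servers reaches every leaf OU. The price of the role-first layout is delegation: a site team that should own every Manufacturing machine needs ACEs on two OUs here, whereas in the site-first layouts it needs one.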
 
Guest

"Mikey" <mwest@intrex.net> wrote in message
news:1102605357.116458.106800@c13g2000cwb.googlegroups.com...
> My indentions didn't show the actual layouts I had intended...Here's
> another try...
>
> I have been wrestling with a couple of issues in regard to the OU
> design of our AD structure. I have a pretty good idea about almost all
> the OUs, except for the ones that will contain the computer accounts.
> I'm hoping some folks will take a look and help me decide which way to
> go. Hopefully I can keep this simple.

There was too much detail for the time I had to spend on
this, but consider the following....

The two PRIMARY OU design criteria are:

1) Delegation of control
2) Assignment (and inheritance) of Group Policy Objects

Most other 'reasons' are either irrelevant or a form of the above.

Most of the time, your design should handle both (sets of criteria)
but if that is not possible, and no other design is suitable, then
most of the time (not all) you will give precedence to Delegation
of Control.

While delegation can be negated with "negative permissions" (DENY)
as can GPO with negative filtering (DENY), it is also possible to
use both positive permissions for GPOs, and with Win2003 to use
WMI Filters for GPOs.

There is a bit more control for GPOs and in general less need
to use a lot of (usually confusing) negative permissions.

Ultimately you do what you must to cover those two criteria, in
the way that is easiest for you to manage AND document.


--
Herb Martin

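As an added example (not part of Herb's post) of his two criteria applied to one OU, this PowerShell delegates creation and deletion of computer objects in a workstation OU to a site group with a positive, class-scoped ACE, and scopes a GPO by replacing the default Authenticated Users apply right with a group that names the intended targets, rather than adding Deny entries. It assumes the ActiveDirectory and GroupPolicy RSAT modules on a current domain; the OU, group and GPO names are assumptions.

```powershell
# Added example, not code from the original thread. Assumes RSAT modules
# ActiveDirectory and GroupPolicy; OU, group and GPO names are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Manufacturing,OU=Our Workstations,$domainDN"

# --- 1) Delegation of control: a positive ACE scoped to one object class ---
# The Manufacturing desktop team may create and delete computer objects in
# this OU and its children, and nothing else. Because nothing wider is
# granted, no Deny ACE is needed to take anything back.
$group = Get-ADGroup -Identity 'Manufacturing Desktop Admins'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Look up the schema GUID of the "computer" class so the ACE applies only to it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid = [guid]$computerClass.schemaIDGUID

$acl = Get-Acl -Path "AD:\$ouDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: the ACEs this group now holds on the OU (expect CreateChild, DeleteChild
# with ObjectType equal to the computer class GUID).
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*Manufacturing Desktop Admins' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType

# --- 2) GPO scope: positive security filtering instead of Deny ---
$gpo = Get-GPO -Name 'Manufacturing Workstation Lockdown' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'Manufacturing Workstation Lockdown' }
New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# A new GPO grants "Authenticated Users: Apply", so everything under the link
# gets it. Downgrade that to Read (do not remove it: since MS16-072 the computer
# account must be able to read the GPO or user settings in it will not apply)
# and grant Apply only to the group that names the intended machines.
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Manufacturing Kiosk PCs' -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Check: who can read versus apply this GPO.
Get-GPPermission -Name $gpo.DisplayName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Computers pick up group membership at startup, so a machine added to the apply group must reboot before the filtered GPO takes effect; `gpresult /scope computer /r` on the target shows whether the GPO was applied or filtered out, and `dsacls "OU=...,DC=..."` dumps the OU ACL if the AD: drive is not available. The WMI filters Herb mentions for Windows 2003 and later are created and attached in GPMC (the GroupPolicy module has no cmdlet to create one); they evaluate a WQL query on the client at processing time, so they are a second positive filter on top of the security filtering above, not a replacement for it.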