School District OU Design

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have a large school district I'm designing an OU strucure for. They
currently use e-directory and organize by school and then year of graduation.
That system is pretty bad since each year the year of graduation of each
school changes. They have proposed to just organize by year of graduation.
That way only one new OU a year and students don't move. I see that a bit
unstructured and hard to manage (delegation is too wide spread since one OU
would have students from many schools) etc.. So I figure use School, then
grade level. Then the OU's dont change, however then you have to move
students around OU's....

Anyone have any experiance with this or otherwise have a bright idea?

Thanks,
Brad

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

OU design is usually 'constructed' to better facilitate the use of GPOs.

So, if you want all of the Teachers ( the user account objects for the
Teachers ) to have one set of GPOs and the Students ( the user account
objects for the Students ) to have a completely different set of GPOs then
setting up a Teachers OU and a Students OU would make sense. If you need to
break that down even further ( such as Lower School, Middle School and Upper
School ) then you could create sub-OUs. And then you might want to create
an OU for the Administrators of the School. Now, if you are locking down
systems that are in the labs you would then create an OU for the computer
account objects that are in each lab. So, maybe create an OU called 'Labs'
and then create a sub-OU for each lab! If all of the computers are to be
locked down with the same GPO then you simply link that GPO to the 'Labs' OU
and make sure that you do not check the "Block Inheritance" check box.

Now, you said that Delegation is wide-spread. So, it might be better to
create an OU for each particular school. I might suggest that you will find
that you will need to move a lot of user account objects if you use the '9th
Grade', '10th Grade', etc. etc. etc. design. Year of Graduation might not
be a bad idea. This will the students will almost always be in the same OU
through out their entire 'career' at the school. However, you will possibly
be linking and unlinking GPOs to those OUs each Summer.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Brad Rossiter" <BradRossiter@discussions.microsoft.com> wrote in message
news:211900EF-9F63-4C0F-A5B3-6F0C3D8C4103@microsoft.com...
>
> I have a large school district I'm designing an OU strucure for. They
> currently use e-directory and organize by school and then year of
> graduation.
> That system is pretty bad since each year the year of graduation of each
> school changes. They have proposed to just organize by year of
> graduation.
> That way only one new OU a year and students don't move. I see that a bit
> unstructured and hard to manage (delegation is too wide spread since one
> OU
> would have students from many schools) etc.. So I figure use School,
> then
> grade level. Then the OU's dont change, however then you have to move
> students around OU's....
>
> Anyone have any experiance with this or otherwise have a bright idea?
>
> Thanks,
> Brad
>