Re: AD setup questions

From: Derek Melber [MVP] (derekm_at_braincore.net)
Date: 04/24/04

    Date: Fri, 23 Apr 2004 21:11:33 -0700
    
    

    Brian,

    You may not find the exact document that you are looking for. If you do, it
    will be a lot of reading:-).

    Here are two basic rules for AD/OU design:

    1) Design OUs for GPO application to both user and computer accounts
    2) Design OUs for delegation of administration of user accounts and groups

    Now, this might seem simple, but it is complex, yet effective!

    Things to keep in mind:
    1) GPOs will inherit down to child OUs, so nesting OUs is key
    2) the objects down further in the OUs will receive more GPOs (usually) than
    those higher, due to the GPOs linked down lower in the OU structure
    3) considering #2, usually employees (not execs and IT) will be lower in the
    OU structure, having more restrictions. Also, computer accounts for
    employees will be lower.
    4) consider creating a special separate OU structure for IT/enterprise. You
    will place the following objects in here:
    IT user accounts, servers, service accounts, IT computer accounts, developer
    user accounts, etc.

    Does this get the wheels cranking at all?

    -- 
    Derek Melber
    BrainCore.Net
    derekm@braincore.net
    "Brian Henry" <brianiupmsdn@newsgroups.nospam> wrote in message
    news:uIbrb%23ZKEHA.3628@TK2MSFTNGP12.phx.gbl...
    > We are trying to reorganize our AD, are there any articles out there that
    > you'd consider good to look at on organizing AD?
    >
    > What we want to do is create different group policies and apply them to
    > different groups, but a user could be in different groups.. I'm kinda
    > looking for something about something similar to that... I thought making
    > OU's and placing groups in OU's would do the trick but it appears that the
    > user objects have to be in the OU's also for that to work and can't be in a
    > different OU?
    >
    >
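
An added example, not part of the original thread: a simplified Python model of how GPO links are inherited down nested OUs, as discussed in the reply above. All domain, OU, GPO and account names are constructed, and the model ignores site links, security filtering, Block Inheritance and Enforced. It also shows the behaviour raised in the question: a GPO linked to an OU that holds only groups does not reach a member whose user object lives in another OU.

```python
# Simplified model of GPO link inheritance over nested OUs.
# Every DN and GPO name here is constructed sample data (assumption).

# GPOs linked at each container (domain or OU), keyed by distinguished name.
GPO_LINKS = {
    "DC=example,DC=local": ["Domain Baseline"],
    "OU=Enterprise,DC=example,DC=local": ["IT Admin Workstations"],
    "OU=Company,DC=example,DC=local": ["Company Defaults"],
    "OU=Employees,OU=Company,DC=example,DC=local": ["Desktop Lockdown"],
    "OU=Sales,OU=Employees,OU=Company,DC=example,DC=local": ["Sales Drive Maps"],
    "OU=Groups,OU=Company,DC=example,DC=local": ["Linked Where Only Groups Live"],
}

# Sample objects: where each object's account actually sits in the tree.
SAM = "CN=Sam Sales,OU=Sales,OU=Employees,OU=Company,DC=example,DC=local"
PAT = "CN=Pat Exec,OU=Company,DC=example,DC=local"
IDA = "CN=Ida Admin,OU=Enterprise,DC=example,DC=local"
# A group in the Groups OU; Sam is a member, but Sam's account is elsewhere.
SALES_GROUP = "CN=Sales Staff,OU=Groups,OU=Company,DC=example,DC=local"
GROUP_MEMBERS = {SALES_GROUP: [SAM]}


def containers_for(dn):
    """Containers holding an object, domain first, its own OU last.

    Splits on ',' only, so DNs with escaped commas are out of scope here.
    """
    rdns = [p.strip() for p in dn.split(",")][1:]  # drop the object's own RDN
    first_dc = next(i for i, r in enumerate(rdns) if r.upper().startswith("DC="))
    return [",".join(rdns[i:]) for i in range(first_dc, -1, -1)]


def effective_gpos(dn):
    """GPOs an object receives, in processing order (closest OU applies last)."""
    applied = []
    for container in containers_for(dn):
        applied.extend(GPO_LINKS.get(container, []))
    return applied


if __name__ == "__main__":
    for dn in (PAT, IDA, SAM):
        print(dn.split(",")[0], "->", effective_gpos(dn))
    # Group membership does not move the user object, so the link on
    # OU=Groups never shows up in the member's effective list.
    for member in GROUP_MEMBERS[SALES_GROUP]:
        print("via group?", "Linked Where Only Groups Live" in effective_gpos(member))
```
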
    
