Re: Some simple questions...
- From: "Jorge de Almeida Pinto [MVP]" <SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx>
- Date: Sun, 21 May 2006 11:39:34 +0200
The most important thing for you to remember is not which OU models exist,
but how to create such a model. As you are reading you see several models
exist. IMHO it is better to learn how to create a model than to learn which
models exist.
The OU structure is very dependent on several things and those things also
determine the OU structure itself.
The OU structure depends on the following three aspects in the same order:
(1) delegation of control: the first concept OU structure depends on how
administration is done within a certain organization. For that you need to
know the admin roles, the admin tasks within a role and the locations of
those roles (e.g. in a decentralized administration model). After retrieving
this information by reading documentation or doing interviews you should be
able to create the first concept OU structure.
(2) hiding objects: the concept OU structure created in (1) is used as input
for this part. Here you may ask yourself and the organization: "are there
any objects within this OU structure that should not be visible to certain
people". If the answer is yes, you may need to split certain OUs into more
OUs and configure those OUs with certain permissions so that those OUs in
those OUs are not visible for administration or even LDAP queries. If the
answer is NO, you leave the OU structure as is and move on to the next part.
To be certain, if something was changed, check if the second concept OU
structure still fulfills the requirements set in (1).
(3) applying GPOs for policy enforcement and/or software deployment: the
concept OU structure created in (2) is used as input for this part. Here you
may ask yourself and the organization: "what GPOs are needed to enforce
policies and distribute software?". It could be that within an organization
GPOs are only used for policy enforcement and not for software deployment as
that may be done with SMS or some other tool. Again, depending on the
policies needed you may need to split certain OUs into more OUs so that you
can apply the different GPOs to those OUs. Remember that GPOs can also be
used for delegation of control purposes using the restricted groups feature
where you can say (A) which groups are certain objects a member of (members
of groups not enforced) (B) which members does a certain group have (members
of groups enforced).
To be certain, if something was changed, check if the third concept OU
structure still fulfills the requirements set in (1) and (2).
(1) and (3) are very often used. (2) may not be used that commonly
because not everyone needs that.
Also see:
http://blogs.dirteam.com/blogs/jorge/archive/2006/05/16/983.aspx
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
"Robert Bollinger" <robert@xxxxxxxxxxxxxxxx> wrote in message
news:%23QsaPbJfGHA.2456@xxxxxxxxxxxxxxxxxxxxxxx
I am reading through my 70-297 AD book and have at least 1 question:
What is meant by "Object-Based OU" and "Task-Based OU"?
I think I understand that but I want to be absolutely clear. The book says
that a task based OU is "Delegation by what administrative tasks need to be
performed"
and that an Object based OU is "What administrative tasks need to be
performed on the objects themselves (the ones in the OU).
This is where I get confused, I understand assigning delegation permissions
is required (if you want) but I don't see the difference in object based vs.
task based.
Please explain... simply...
Thanks,
Robert