Re: AD Design question
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Mon, 24 Jul 2006 10:29:20 -0500
We have three groups defined for each share Read, Read/Write and Full
Control. The Full Control has our Help Desk as it membership, this way they
can manage the day to day issues. We don't provide permissions below the
root of the share all permissions below are inherited. We have hundreds of
shares, maintenance is really quite minor.
We have about 1200 security groups.
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"SStory" <nospam@xxxxxxxxxx> wrote in message
news:OaX$eGzrGHA.4652@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for the reply Paul.
Our current peer to peer has groups on a couple of "servers". And some
shares. Our problem has always been the dual funcionality of many
employees. How do you guys go about defining your groups. Do you have
many groups? Do you see this problem also and how do you overcome it?
Thanks.
"Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%23tV5fsyrGHA.4844@xxxxxxxxxxxxxxxxxxxxxxx
You are a very small shop. Your need for a complicated OU structure
would only create unneeded complexities. The OU scenario for you should
probably fall on geographical boundries, personally I wouldn't even do
that, but that is just me. You should define your user access of data
via group control, assigning permissions to the groups and maintain group
membership to provide users access to these folders.
I also work for a Power Utility but we are much larger more of a midsized
firm with about 1,500 users. We have some OU structure but it is simple
we control all access via group membership.
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.
"SStory" <nospam@xxxxxxxxxx> wrote in message
news:ODZDYdyrGHA.4424@xxxxxxxxxxxxxxxxxxxxxxx
We are relatively small organization as compared to some. We have 100+
employees, but only 50-60 are users. We have four geographical
sites--most things happen at site #1. We are a utility company. We are
planning to implement Server 2003 AD on a new server. The current
network is just one big peer-to-peer.
In trying to properly design the AD the first time, I have read Mark
Minasi's book (around 1600p) and some other resources. The main
questions that I'm uncertain as to how to answer involve OU's.
1.) Should an organization of our size use OU's? I'm thinking yes, but
not certain.
2.) Our shares are mostly used by accounting at present. However, I
expect that this will change as the server comes online and folks
understand what is possible.
I gather that I can use OU's and Groups and GPO's to more easily
manage access to shares and such. The challenge is obviously, if I use
OU's how to
determine what OU's are needed. Does anyone have insight, input
into this task? Major pitfalls?
3.) I read a chapter from "Windows 2003 Server Bible" published by
Wiley. The basic premise of it's OU design was to create OU's not along
departmental divisions, but KME (Key Management Entities). This goes
along with my inital thoughts, of surveying the organization to discover
distinct roles. This chapter said to create OU's, assign groups to them
and users to the groups. What are you opinions about this strategy?
Any comments and advice, hopefully from folks with experience in this,
would be greatly appreciated.
Thanks,
Shane
.
- References:
- AD Design question
- From: SStory
- Re: AD Design question
- From: Paul Bergson
- Re: AD Design question
- From: SStory
- AD Design question
- Prev by Date: Re: Backing up GP's and DFS shares?
- Next by Date: Re: Upgrade to Wind2003 - [WildPacket]
- Previous by thread: Re: AD Design question
- Next by thread: Re: AD Design question
- Index(es):
Relevant Pages
|
