Re: Active Directory design - simple network




Hi

Inline

a. I won't be defining separate group policies to each OU - will use only the
default domain policy to define a small number of domain-wide settings
b. I am the only administrator so won't be delegating control to any OU
c. Two of the depts only have one user in each!

The three main reasons to create OUs are: delegation of control, to
administer GPOs, and to hide objects. If none of these apply to you, I can't see
any reason to create OUs.

Because of this I'm wondering if the above setup is just overkill. So my
questions are:

1. Is it simply worth me creating all the users within the default "Users"
container instead? Is there any advantage of doing this as opposed to
creating OUs?

The advantages are the 3 reasons that I said.

2. If I do create the user accounts in the default 'Users' container, will
the default domain policy work on users in this container?

Yes.

3. If I go for the OU deployment scenario, do I need to place the Security
and Distribution groups for each dept within their corresponding OU? E.g. if
I create a Security Group called 'Finance' that contains all the members of
the finance team, should this group be placed within the Finance OU, or
should I create a separate OU called 'Groups' and place all my Security and
Distribution groups (for every dept) in the single OU, regardless of which
department's members they contain?

It's up to you. You don't need to place the Security groups in the same OU
where the users are, but if you want you can do that. In this particular
scenario you're the only one who administers the AD, so there is no reason to hide
security groups or have them together with the user objects.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"YHussein" <YHussein@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D34C6553-CC05-4A97-BD4D-295AF8ECB254@xxxxxxxxxxxxxxxx
Hi all,

I am in the process of setting up a small network for around 25 users (all
in one site) and would like some advice as to the best design for AD. We have
5 main depts (Management, Middle Office, Marketing, Finance, Operations) plus
a number of general admin staff that don't really belong to any dept. The
only group policy settings I am planning to define are those to do with
password security and workstation screensavers (which I think I can achieve
from the default domain policy).

I was initially thinking of creating an OU for each dept and placing users
in their appropriate OU, which would give the following OU structure:

- Management
- Marketing
- Middle Office
- Finance
- Operations
- General (for those users who don't belong to any dept)

However I'm not sure if this structure is necessary, due to the following
reasons:

a. I won't be defining separate group policies to each OU - will use only the
default domain policy to define a small number of domain-wide settings
b. I am the only administrator so won't be delegating control to any OU
c. Two of the depts only have one user in each!

Because of this I'm wondering if the above setup is just overkill. So my
questions are:

1. Is it simply worth me creating all the users within the default "Users"
container instead? Is there any advantage of doing this as opposed to
creating OUs?

2. If I do create the user accounts in the default 'Users' container, will
the default domain policy work on users in this container?

3. If I go for the OU deployment scenario, do I need to place the Security
and Distribution groups for each dept within their corresponding OU? E.g. if
I create a Security Group called 'Finance' that contains all the members of
the finance team, should this group be placed within the Finance OU, or
should I create a separate OU called 'Groups' and place all my Security and
Distribution groups (for every dept) in the single OU, regardless of which
department's members they contain?

Many thanks in advance for any assistance.

Rgds,

Yasser Hussein

