Re: AD Design Question
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Wed, 25 Apr 2007 09:09:38 -0500
"briant97" <briant97@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:38F05A1C-35D7-4132-96E7-0C480B38B728@xxxxxxxxxxxxxxxx
> I have a question on the AD Design that I am working on.
> Quick Overview
>
> Domain.com
>   Home Office
>     HR
>       HR Users
>       HR Groups
>       HR Computers
>     IT
>       IT Users
>       IT Admins
>       IT Service Accounts
>       IT Groups
>       IT Computers
>
> That is a basic structure I have been working with other departments
> included. My question comes in with how should you handle misc. contacts
> and then misc groups.

THE KEY to OU Design is to create OUs that represent the way
you wish to do two things:
1) Delegate Authority (to junior or local admins)
2) Link Group Policy (including overriding GPOs at child levels)
OUs are not Groups, and Groups are almost totally unrelated to
Group Policy. (sounds wrong but it's true.)

> For instance we have application groups that allow
> certain users to use an online web application to post pictures to our
> website. This group is called app_webmaintanence.

Groups are used primarily for granting access to resources. Users
can be put into MANY groups (Global usually) and these groups
can be put into (Local) groups for resource access.

> Then comes the question
> of handling outside contacts as well as contacts for our parent company.
> Another item I have concerns about is placement of misc distribution groups
> and so on and so forth. I guess items that really don't fall under any
> specific department within the company.

Think of GLOBAL groups for any relevant "set of people" and think of
LOCAL groups as representing a set of resources.
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
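
The nesting described in the reply (users into Global groups, Global groups into Local groups, Local groups on the resource) can be checked against a directory export. The following is an added example, not part of the original post: everything except the group name app_webmaintanence (user names, the `res_*` groups, the resources) is constructed sample data, and "DomainLocal" stands for what the post calls a Local group.

```python
# Constructed sample export (not real data). USERS maps account -> OU it lives in.
USERS = {"alice": "HR Users", "bob": "IT Users", "carol": "HR Users"}
GROUPS = {
    # Global group = a "set of people"; members come from different OUs.
    "app_webmaintanence": {"scope": "Global", "members": ["alice", "bob"]},
    # Local group = a set of resource permissions (hypothetical names).
    "res_website_pictures_post": {"scope": "DomainLocal",
                                  "members": ["app_webmaintanence"]},
    "res_hr_share_modify": {"scope": "DomainLocal", "members": ["carol"]},
}
# Resource -> trustees named on its ACL.
ACLS = {
    "website picture upload": ["res_website_pictures_post"],
    "HR share": ["res_hr_share_modify", "alice"],
}

def audit(users, groups, acls):
    """Return findings where access bypasses user -> Global -> Local -> resource."""
    findings = []
    for name, group in sorted(groups.items()):
        if group["scope"] == "DomainLocal":
            for member in group["members"]:
                if member in users:
                    findings.append(
                        f"local group {name} contains user {member} directly")
    for resource, trustees in sorted(acls.items()):
        for trustee in trustees:
            if trustee in users:
                findings.append(f"{resource}: ACL names user {trustee} directly")
            elif groups.get(trustee, {}).get("scope") != "DomainLocal":
                findings.append(f"{resource}: ACL names non-local trustee {trustee}")
    return findings

def effective_users(resource, users, groups, acls):
    """Resolve every user who reaches the resource through nested groups."""
    seen, reached, stack = set(), set(), list(acls[resource])
    while stack:
        trustee = stack.pop()
        if trustee in users:
            reached.add(trustee)
        elif trustee in groups and trustee not in seen:  # guard against cycles
            seen.add(trustee)
            stack.extend(groups[trustee]["members"])
    return reached

if __name__ == "__main__":
    for finding in audit(USERS, GROUPS, ACLS):
        print(finding)
    print(sorted(effective_users("website picture upload", USERS, GROUPS, ACLS)))
```

The OU recorded for each user is never consulted when resolving access, which is the post's point that OUs serve delegation and Group Policy while groups decide who reaches a resource.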