Creating AD OU structure for GP deployment
- From: Serrix <Serrix@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 18 Sep 2008 15:22:00 -0700
Hi there,
I'm looking at implementing group policies for both security and to
deploy/maintain software in a small business (~600 users) with 3 sites.
I've read through all the material I can find; however, I haven't found whether
there is a disadvantage to creating nested OUs?
For the group policy setup, I'd like to have "Group Policies" being the top
level OU, with "Software", "Security" and "Features" being the three sub-OUs
In these three OUs I'd create security groups, i.e. "ApplicationName", with
people from the "Users" and "Security Groups" and link them to group policies
on that level.
i.e.
I'd have a group policy for deploying an application "ApplicationName"
defined in the nested OU [Domain] -> [Group Policies] -> [Software] linked
to the security group [Domain] -> [Group Policies] -> [Software] ->
[ApplicationName] which has users and groups from [Domain] -> [Users] and
[Domain] -> [Security Groups]
If I haven't confused everyone already and there are no issues with nesting
OUs, could we also re-create the default Users OU to be the top level with
the 3 site locations underneath?
If we could, we could potentially do the same with the Computers group and
end up with this structure...
Computers
-> Users (End-user machines)
-> Domain Controllers (DCs)
-> Member Servers (Servers)
Users
-> Location0
-> Location1
-> Location2
-> Mailboxes (users created just for their mailboxes... I know... don't
ask...)
Groups
-> Security groups (folder access)
-> Distribution groups (mail)
Group Policies
-> Security Policies (Security group policies)
-> User Policies (Group policies that apply to users)
-> Computer Policies (Group policies that apply to computers)
-> Software Policies (Software deployment policies)
-> Feature Policies (Features such as disabled screen saver which aren't
quite security)
This way, while it's slightly more complex, we can implement group policies
from one point in the structure to security groups within each Group Policy
OU and simply add/remove users/computers from the group to control them.
We do get duplication (sort of) in the form of a policy like the following...
The member of [Domain] -> [Group Policies] (OU) -> [Computer Policies] (OU)
-> [Member Services Policy] (Security Group) would be [Domain] -> [Computers]
(OU) -> [Member Servers] (OU)
Hope this makes some sense and I'm heading in the right direction!
Sorry for such a complicated question and thanks for any help you can give me.
Cheers,
Jason
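The structure Jason sketches, built as an added example that is not part of the original post or any reply. In AD a GPO is linked to an OU (or site or domain), and the security groups in his "Group Policies" OU tree come in as the GPO's security filtering, so the script links the "Member Servers Policy" GPO at the Computers\Member Servers OU and grants Apply only to the matching group, which is how his "[Member Services Policy] (Security Group) would be [Member Servers] (OU)" mapping is realised. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT on Windows 7 / Server 2008 R2 or later, which postdate this thread), that it runs with rights to create OUs, groups and GPOs, and that the domain DN is read from the current domain; OU and group names are taken from the post. The built-in OU=Domain Controllers at the domain root already carries the Default Domain Controllers Policy link, so it is not recreated under Computers.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not from the original post. Builds the OU tree from the post and
# implements one policy with GPO security filtering. Assumes RSAT modules and
# sufficient rights; the domain DN is read from the domain the host is joined to.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example (constructed)

# OU tree as listed in the post: top-level OU -> child OUs.
# OU=Users / OU=Computers are distinct from the default CN=Users / CN=Computers
# containers, which cannot have GPOs linked to them.
$OuTree = [ordered]@{
    'Computers'      = @('Users', 'Member Servers')
    'Users'          = @('Location0', 'Location1', 'Location2', 'Mailboxes')
    'Groups'         = @('Security groups', 'Distribution groups')
    'Group Policies' = @('Security Policies', 'User Policies', 'Computer Policies',
                         'Software Policies', 'Feature Policies')
}

# Create an OU if it is missing and return its DN; protected from accidental deletion
# so a misclick in ADUC does not take a whole policy branch with it.
function Ensure-OU {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

foreach ($parent in $OuTree.Keys) {
    $parentDN = Ensure-OU -Name $parent -Path $DomainDN
    foreach ($child in $OuTree[$parent]) {
        Ensure-OU -Name $child -Path $parentDN | Out-Null
    }
}

# The post's example: a security group in Group Policies\Computer Policies whose
# members are the servers in Computers\Member Servers. The GPO is linked to the
# server OU; the group decides which objects in that OU actually apply it.
$gpoName  = 'Member Servers Policy'
$groupOU  = "OU=Computer Policies,OU=Group Policies,$DomainDN"
$targetOU = "OU=Member Servers,OU=Computers,$DomainDN"

if (-not (Get-ADGroup -LDAPFilter "(cn=$gpoName)" -SearchBase $groupOU)) {
    New-ADGroup -Name $gpoName -GroupScope Global -GroupCategory Security -Path $groupOU | Out-Null
}
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
# Link at the OU; New-GPLink errors if the link already exists, which is harmless here.
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Security filtering: Authenticated Users keep Read (the computer account must still
# be able to read the GPO during processing) but lose Apply; only group members apply it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead  | Out-Null
Set-GPPermission -Name $gpoName -TargetName $gpoName              -TargetType Group -PermissionLevel GpoApply | Out-Null

# Group membership is what turns the policy on for a given server. A computer's
# group SIDs are refreshed at next logon/reboot, so expect a delay before it applies.
$servers = Get-ADComputer -Filter * -SearchBase $targetOU -SearchScope OneLevel
if ($servers) { Add-ADGroupMember -Identity $gpoName -Members $servers }

# Review the effective filtering before trusting it.
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission -AutoSize
```

Run it once on a management host; every step is idempotent except the link, which is suppressed if already present. The trade-off this design carries is the one the post hints at: the OU link plus the group membership both have to be right, so an object in the OU that is not in the group silently gets nothing, which is why the final `Get-GPPermission -All` (and `gpresult /r` on a test server) belongs in the rollout checklist.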