Re: Creating AD OU structure for GP deployment



Serrix wrote:
Hi there,
I'm looking at implementing group policies for both security and to deploy/maintain software in a small business (~600 users) with 3 sites.

I've read through all the material I can find however I haven't found if there is a dis-advantage to creating nested OUs?

For the group policy setup, I'd like to have "Group Policies" being the top level OU, with "Software", "Security" and "Features" being the three sub-OUs

Um, I'd only consider myself intermediate as far as skill level with ADS but I've never heard of creating OUs for software, security and features.

In these three OUs i'd create security groups i.e. "ApplicationName" with people from the "Users" and "Security Groups" and link them to group policies on that level.

i.e.
I'd have a group policy for deploying an application "ApplicationName" defined in the nested OU [Domain] -> [Group Policies] -> [Software] linked to the security group [Domain] -> [Group Policies] -> [Software] -> [ApplicationName] which has users and groups from [Domain] -> [Users] and [Domain] -> [Security Groups]

If I haven't confused everyone already and there are no issues with nesting OUs, could we also re-create the default Users OU to be the top level with the 3 site locations underneath?

There is no default Users OU. An OU has a different icon than the icon used for Users. It is simply a container. GPOs don't apply to containers, only to GPOs and to the domain/site level. So you have to create a custom OU at the very least for all your users.

If we could, we could potentially do the same with the Computers group and end up with this structure...

Computers
-> Users (End-user machines)
-> Domain Controllers (DCs)
-> Member Servers (Servers)


This is fine as far as I'm concerned except that I leave DCs in their default DC OU. I've done this with the 2 installations of ADS that I've deployed in my career (I'm only 30).

Users
-> Location0
-> Location1
-> Location2
-> Mailboxes (users created just for their mailboxes... i know... don't ask...)


I divide user OUs based on the role of the user. Using that scheme I can apply GPOs to the OUs based on what the user has the capability to do. Since ADS doesn't support true roles I use a combination of GPOs and OUs as a way to simulate roles.

Groups
-> Security groups (folder access)
-> Distribution groups (mail)

I put groups in the same OU as the users in the group. In my case a group coincides with a role and the role corresponds with the OU so I can easily do that. You may need to do the above though if you don't do OUs the way I've done them.


Group Policies
-> Security Policies (Security group policies)
-> User Policies (Group policies that apply to users)
-> Computer Policies (Group policies that apply to computers)
-> Software Policies (Software deployment policies)
-> Feature Policies (Features such as disabled screen saver which aren't quite security)

You don't have any control over where group policies are stored so I'm not sure where you got the above structure for GPOs. You only see a user-friendly depiction of GPOs using the Group Policy Management snap-in. The dirty details of GPOs (their location and raw attributes) are not visible in ADUC.


This way, while it's slightly more complex, we can implement group policies from one point in the structure to security groups within each Group Policy OU and simply add/remove users/computers from the group to control them.
We do get duplication (sort of) in the form of a policy like the following...

The member of [Domain] -> [Group Policies] (OU) -> [Computer Policies] (OU) -> [Member Services Policy] (Security Group) would be [Domain] -> [Computers] (OU) -> [Member Servers] (OU)

This doesn't work based on what I said above about not having any control over how/where GPOs are stored (unless Win2k8 has changed this).

You lost me every time you used [] -> [] -> [] but maybe someone else can follow it.


Hope this makes some sense and I'm heading in the right direction!
Sorry for such a complicated question and thanks for any help you can give me.
Cheers,
Jason
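An added example (not from either poster) showing the point made in the reply in working form: the site-based OU tree is created as real OUs, the software-deployment GPO is linked to an OU, and the "link it to a security group" idea is done with GPO security filtering instead. The domain DN is read from the domain; the GPO name "Deploy-ApplicationName", the group name "GPO-Apply-ApplicationName" and the child OU names are assumed.

```powershell
# Added example; GPO and group names are assumed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=com

# Build OUs, not containers: only OUs, sites and the domain itself can carry GPO links.
# DCs are left in the default "Domain Controllers" OU, as the reply recommends.
$tree = @{
    'Users'     = @('Location0', 'Location1', 'Location2', 'Mailboxes')
    'Computers' = @('Workstations', 'Member Servers')
}
foreach ($parent in $tree.Keys) {
    $parentDN = "OU=$parent,$domainDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$parent)" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $parent -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
    foreach ($child in $tree[$parent]) {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$child)" -SearchBase $parentDN -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $child -Path $parentDN -ProtectedFromAccidentalDeletion $true
        }
    }
}

# The GPO is linked to the OU that holds the computers it should reach...
$gpoName = 'Deploy-ApplicationName'                       # assumed
$target  = "OU=Workstations,OU=Computers,$domainDN"
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
$linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null }

# ...and scoped to a group through security filtering. Adding or removing
# computers from this group is what controls the rollout.
$group = 'GPO-Apply-ApplicationName'                      # assumed
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null
# Drop "Apply" from Authenticated Users but keep "Read": since MS16-072 the
# computer account must still be able to read the GPO for it to process at all.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Check: list exactly which trustees the GPO will apply to.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The final query is the check worth keeping in a runbook: if the only GpoApply trustee is the filter group, the policy can only reach machines that are both under the linked OU and in that group.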


