Re: Setting up an AD structure
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 16 Feb 2008 16:54:51 -0500
I forgot to mention a suggestion for added security. Rather than run all the time as a domain admin, you could create regular user accounts for you and your brother. Then create Admin_Karl and Admin_KarlsBrother accounts for when you need domain admin rights. Unless you need admin rights frequently, that might work as well, while adding to your security.
"Frank McCallister SBS MVP" <anonymous> wrote in message news:8E05360C-2F16-445A-9E01-4D3A4548A23A@xxxxxxxxxxxxxxxx
I agree with Dave: KISS (Keep It Simple) and stick with the default OUs and use security groups for your purposes. You and your brother will be admins, and put appropriate users in Finance and Partners groups. This will be MUCH easier to maintain than separate OUs.
--
Frank McCallister SBS MVP
MCP Microsoft Small Business Specialist
COMPUMAC
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:eD1sK6NcIHA.2268@xxxxxxxxxxxxxxxxxxxxxxx
Just my $0.02. IMO, your thinking about security and distribution groups makes perfect sense.
I'm not sure I agree about the OUs. What I have found in our small business is that I generally want all the users and computers to operate under the same policies. Particularly for stuff that's security or configuration-related, I want those to apply to the whole organization. So I leave the computers and users in their default locations.
If you think you are going to want to apply different GPOs to different groups, two considerations come to mind. First of all, if you do go with separate OUs, it's still simple to apply one GPO to all 3 OUs (or domain-wide). Alternatively, you can use security filtering to apply the policies more granularly within one OU. For example, you could link a GPO to the finance group, but rather than apply it to Domain Users (which includes domain computers), you could apply it only to a specific security group. The trick there is to remember that if a security group contains only users, you can't use it to filter computer policies, and vice versa.
If you create separate OUs, I recommend creating them under the ones that SBS creates by default. Then, use the regular wizards to create user and computer accounts. Once they're created in the default locations, you can then move them to the correct OUs.
And, create separate GPOs for different functions. It's easier to apply them where you want them, but more importantly, if you get an unintended result and have to disable a GPO, you're not disabling all of your policies at once, but only the ones that aren't working as expected.
"Karl" <Karl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0414F1F4-722F-4454-AF3A-F53FA89E5B09@xxxxxxxxxxxxxxxx
Hi,
I’m learning how to use SBS 2003, using virtual PC, in preparation for
installing it at our family business. What I want to check is the best way to
harmonise different organisational units.
We’re a small family company, and I’m currently only planning on having
three groups of users:
1. A normal users group: this is for employees. Each employee will have
access to our three mono printers, to their personal space on the server and
to a share called “swapzone”.
2. A finance group: this is for our accounts guy and his assistant. They’ll
have access to the resources described above and to a separate “finance”
network share and some other finance-specific resources.
3. A partners group: me, my brother and some other family members who all
own a share of the business and participate in its running. Members of this
group won’t have admin rights, but they will have access to all the network’s
resources (all network shares, the colour printer and so on).
There will be two domain admins, myself and my brother.
I’m reading up on how to do this, and wanted to check that my current
thinking is along the right lines.
What I plan is for each of the above logical groups to have its own Active
Directory Security Group and its own Distribution Group. Everyone has their
own PC, with no hotdesking, so I was going to create an OU for each group of
users within SBSComputers, and then put the relevant Computers into each
group (is there any advantage to this?).
My idea is that I can easily and quickly apply group policy objects to these
groups, and that having the same groups across the three different OUs
(SBScomputers, Distribution Groups and Security Groups) will make it easy to
be consistent and logical.
Is this the right way of going about things? I’d really appreciate any general
advice anyone can give.
Cheers
Karl
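
Dave's point about security filtering (a group that contains only users cannot filter computer policies, and vice versa) can be checked mechanically. The PowerShell below is an added example, not part of the original thread; the group names, GPO names and membership data are constructed, and nested group membership is not expanded.

```powershell
# Constructed sample data. On a live domain the same shape could be built from
# the GroupPolicy and ActiveDirectory modules; here it is inline so it runs offline.
$groupMembers = @{
    'Finance'    = @('user', 'user')              # accounts guy and his assistant
    'FinancePCs' = @('computer', 'computer')      # hypothetical group of their PCs
    'Partners'   = @('user', 'user', 'user')
}

$gpos = @(
    [pscustomobject]@{ Name = 'Finance drive mappings'; UserSettings = $true;  ComputerSettings = $false; FilterGroups = @('Finance') }
    [pscustomobject]@{ Name = 'Finance PC lockdown';    UserSettings = $false; ComputerSettings = $true;  FilterGroups = @('Finance') }
    [pscustomobject]@{ Name = 'Finance combined';       UserSettings = $true;  ComputerSettings = $true;  FilterGroups = @('Finance', 'FinancePCs') }
    [pscustomobject]@{ Name = 'Partners colour printer'; UserSettings = $true; ComputerSettings = $false; FilterGroups = @('Partners') }
)

function Test-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)] $Gpo,
        [Parameter(Mandatory)] [hashtable] $GroupMembers
    )
    # Collect the object classes of every member of every filter group.
    $classes = @(foreach ($g in $Gpo.FilterGroups) { $GroupMembers[$g] })
    $hasUsers     = $classes -contains 'user'
    $hasComputers = $classes -contains 'computer'

    $problems = @()
    if ($Gpo.UserSettings -and -not $hasUsers) {
        $problems += 'user settings enabled but no user in any filter group'
    }
    if ($Gpo.ComputerSettings -and -not $hasComputers) {
        $problems += 'computer settings enabled but no computer in any filter group'
    }
    [pscustomobject]@{
        Gpo      = $Gpo.Name
        Ok       = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# 'Finance PC lockdown' is flagged: it carries computer settings but is
# filtered to a group that holds only user accounts.
$gpos | ForEach-Object { Test-GpoSecurityFilter -Gpo $_ -GroupMembers $groupMembers } |
    Format-Table -AutoSize
```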