 Recommendations for OU and group policy design
Hi, We are currently running a Win2003 AD and have been for some time. As is the usual with this sort of thing, the OU and Group Policy structure has evolved over time and it's currently in a bit of a mess. I'd like to get some input on how best to re-design the OU and GPO structure. Any ideas are welcomed. Thanks in advance, Greg.

ASKED: June 28, 2006  6:40 AM
UPDATED: June 28, 2006  9:28 AM

Answer Wiki:
Even though the task may seem daunting at this time, don't worry; once you work everything out, it's just a matter of implementation. Basically, what I did was to break it all out on paper. I worked for a company with multiple offices worldwide, so the first thing I did was break everything down by what office a user was in and then by what department they were in until everyone fit into the appropriate place. Another way to look at it would be from an HR point of view and just break down all of your users by what department they are in regardless of location, though I did find it more organized to break them by location first and then department. It all depends on how you want the information broken out. I hope this helps.
Last Wiki Answer Submitted:  June 28, 2006  8:17 am  by  Rayne427   10 pts.


Discuss This Question:

GregNottage

rayne427's post is right on. That is how I manage the AD structure as well. In my last position as Net Admin, I broke down the AD OU structure into departmental levels. The primary reason for doing this was for granularity in applying Group Policies for our employees. And the other was because we started providing terminal service access to run applications to our clients. I needed to be able to maintain control of each TS client's access and desktop, and that control would need to be different at three different levels for each client, as well as different for each client. Following is a diagram of sorts of how I did it. Hope this helps and good luck.

AD Domain (Default Domain GPO)
|
-Sales OU (Sale OU GPO)
|
-Customer Service OU (CustServ OU GPO)
|
-IS OU (IS OU GPO)
|
-Terminal Service Users OU (TS OU GPO)
|
——Client A (Client A OU GPO)
|
———Branch (ClnABrn OU GPO)
|
———Administration (ClnAAdmin OU GPO)
|
———Corporate (ClnACorp OU GPO)
|
——Client B (Client B OU GPO)
|
———Branch (ClnBBrn OU GPO)
|
———Administration (ClnAAdmin OU GPO)
|
———Corporate (ClnACorp OU GPO)
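
Added example (not part of the original post): a small Python model of the OU tree in the diagram above, showing which GPOs reach an account in a given OU and which one wins when they set the same thing. It assumes standard domain-then-OU processing (parent before child, last applied wins) plus the Block Inheritance and Enforced options; local and site GPOs are left out, and the settings are made-up placeholders.

```python
# OU and GPO names are copied from the diagram; the dict layout and the
# "Client A/Branch" style keys are constructed for this example.
OU_TREE = {  # OU -> (parent OU, GPO linked to that OU)
    "AD Domain": (None, "Default Domain GPO"),
    "Sales": ("AD Domain", "Sale OU GPO"),
    "Customer Service": ("AD Domain", "CustServ OU GPO"),
    "IS": ("AD Domain", "IS OU GPO"),
    "Terminal Service Users": ("AD Domain", "TS OU GPO"),
    "Client A": ("Terminal Service Users", "Client A OU GPO"),
    "Client A/Branch": ("Client A", "ClnABrn OU GPO"),
    "Client A/Administration": ("Client A", "ClnAAdmin OU GPO"),
    "Client A/Corporate": ("Client A", "ClnACorp OU GPO"),
}

# Hypothetical settings per GPO (placeholders, not real policy names).
SETTINGS = {
    "Default Domain GPO": {"lock_timeout_min": 15, "run_menu": "enabled"},
    "TS OU GPO": {"run_menu": "disabled"},
    "ClnABrn OU GPO": {"lock_timeout_min": 5},
}

def ou_path(ou):
    """Chain of OUs from the domain root down to `ou`."""
    path = []
    while ou is not None:
        path.append(ou)
        ou = OU_TREE[ou][0]
    return path[::-1]

def gpo_order(ou, block_at=(), enforced=()):
    """GPOs in the order they apply to an account in `ou` (last one wins)."""
    path = ou_path(ou)
    linked = [OU_TREE[o][1] for o in path]
    # Block Inheritance on an OU drops non-enforced GPOs linked above it.
    start = max([i for i, o in enumerate(path) if o in block_at], default=0)
    normal = [g for i, g in enumerate(linked) if i >= start and g not in enforced]
    # Enforced links apply after everything else, highest container last,
    # so an enforced domain-level GPO beats anything linked below it.
    forced = [g for g in reversed(linked) if g in enforced]
    return normal + forced

def effective(ou, settings, **options):
    """Merge settings in processing order to get the resulting policy."""
    result = {}
    for gpo in gpo_order(ou, **options):
        result.update(settings.get(gpo, {}))
    return result

if __name__ == "__main__":
    print(gpo_order("Client A/Branch"))
    print(effective("Client A/Branch", SETTINGS))
```

Running the same check for each OU before linking a new GPO shows where a deeper link silently overrides a domain-wide baseline, and where Enforced is needed to keep it.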
