Optimal Active Directory design for use with Group Policy


I am working on cleaning up our Active Directory setup and optimizing it (at least the parts I can do) to roll out group policies to the machines/users. I have attached a screenshot of our current setup. I can make any changes to the "Pueblo" OU but the rest is out of my control.

[Attached screenshot of the current OU layout: post-28526-1221239764_thumb.jpg]

Right now we have users and computers in completely separate OUs. Computers are separated into separate OUs, whereas users are in one big OU. We also have groups set up for the users that serve as security groups for our local file server as well as distribution groups for Exchange.

Should I separate the users into separate OUs as well and combine them inside the same basic OU as the computers?

I.e.: separate all users and computers into these different OUs and then assign a different GPO for each?

Pueblo -> Sprint -> Agents

Pueblo -> Sprint -> Team Leads

Pueblo -> Sprint -> Supervisors

Pueblo -> Sprint -> Managers

Pueblo -> Sprint -> Training

Just a thought for you: make sure to disable Regedit, msconfig, and compmgmt.msc (among other things). Regedit can undo any GP setting.

I'm sure you knew that, though :)

The idea is that AD is flexible enough to do it any way you want. There's not really a wrong answer as long as it successfully meets your requirements.

For example, you certainly don't have to split users based on job role into different OUs unless your GPO decisions mean that it would be helpful to do so. At the same time, there is nothing wrong if you choose to do it that way because your GPOs are applied like that. If it's not for GPO requirements or delegation, job roles would be better represented by groups and their permissions using AGLP (Accounts in Global groups in Local groups assigned Permissions to resources).

Personally I would suggest OUs are used based on department identification and delegation requirements. Also bear in mind that you can control whether a GPO is applied or not via security group filtering on the GPO.

  bobbba said:
Personally I would suggest OUs are used based on department identification and delegation requirements. Also bear in mind that you can control whether a GPO is applied or not via security group filtering on the GPO.

Agreed.

That's our setup.

Because of this we can give our HR dept access to their CD-ROM drives, whilst every other dept is restricted.
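The department-OU plus role-group layout that bobbba describes, with the GPO security filtering both replies rely on, as an added PowerShell example that is not from any poster in this thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain of example.local with the Pueblo OU at its root, and hypothetical group and GPO names; adjust these to your environment.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory and
# GroupPolicy RSAT modules and the domain/OU names below (assumptions).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=example,DC=local'        # assumption: replace with your domain
$pueblo   = "OU=Pueblo,$domainDN"
$sprint   = "OU=Sprint,$pueblo"

# One OU per department (not per job role); users and computers can share it.
New-ADOrganizationalUnit -Name 'Sprint' -Path $pueblo `
    -ProtectedFromAccidentalDeletion $true

# Job roles from the thread become global security groups (the "G" in AGLP),
# so role-based rights come from membership rather than from OU placement.
$roles = 'Agents', 'Team Leads', 'Supervisors', 'Managers', 'Training'
foreach ($role in $roles) {
    New-ADGroup -Name "Sprint $role" `
        -SamAccountName ('Sprint-' + ($role -replace ' ', '')) `
        -GroupScope Global -GroupCategory Security -Path $sprint
}

# One GPO linked at the department OU, filtered so it applies to one role
# group only (a lockdown that should not hit supervisors, for instance).
$gpo = New-GPO -Name 'Sprint Agent Lockdown' -Comment 'Hypothetical example GPO'
New-GPLink -Name $gpo.DisplayName -Target $sprint -LinkEnabled Yes | Out-Null

# Security filtering: downgrade Authenticated Users from Apply to Read (Read
# must stay so computer accounts can still retrieve the GPO), then grant
# Apply to the target group alone.
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Sprint-Agents' `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify who can actually apply the GPO before rolling it out.
Get-GPPermission -Name $gpo.DisplayName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

On a test workstation, `gpresult /r` afterwards shows the GPO under "Applied" only for members of the filtered group and under "Filtering: Denied (Security)" for everyone else.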
