Optimal Active Directory design for use with Group Policy


I am working on cleaning up our Active Directory setup and optimizing it (at least the parts I can do) to roll out group policies to the machines/users. I have attached a screenshot of our current setup. I can make any changes to the "Pueblo" OU but the rest is out of my control.


Right now we have users and computers in completely separate OUs. Computers are separated into separate OUs, whereas users are in one big OU. We also have groups set up for the users that serve as security groups for our local file server as well as distribution groups for Exchange.

Should I separate the users into separate OUs as well and combine them inside the same basic OU as the computers?

I.e.: separate all users and computers into these different OUs and then assign a different GPO for each?

Pueblo -> Sprint -> Agents

Pueblo -> Sprint -> Team Leads

Pueblo -> Sprint -> Supervisors

Pueblo -> Sprint -> Managers

Pueblo -> Sprint -> Training

Just a thought for you: make sure to disable Regedit, msconfig, and compmgmt.msc (among other things). Regedit can undo any GP setting.

I'm sure you knew that, though :)

The idea is that AD is flexible enough to do it any way you want. There's not really a wrong answer as long as it successfully meets your requirements.

For example, you certainly don't have to split users based on job role into different OUs unless your GPO decisions mean that it would be helpful to do so. At the same time, there is nothing wrong if you choose to do it that way because your GPOs are applied like that. If it's not for GPO requirements or delegation, job roles would be better represented by groups and their permissions using AGLP (Accounts in Global groups in Local groups assigned Permissions to resources).

Personally I would suggest OUs are used based on department identification and delegation requirements. Also bear in mind that you can control whether a GPO is applied or not via security group filtering on the GPO.

  bobbba said:
Personally I would suggest OUs are used based on department identification and delegation requirements. Also bear in mind that you can control whether a GPO is applied or not via security group filtering on the GPO.

Agreed.

That's our setup.

Because of this we can give our HR dept access to their CD-ROM drives, whilst every other dept is restricted.
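The layout the replies describe (OUs by department and delegation boundary, job roles as AGLP groups, and a GPO narrowed with security filtering so only HR receives a setting) as a worked PowerShell example. This is added here and is not from the thread or any of its posters. The domain DN, the OU, group and GPO names, and the department list are placeholders; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the account running it has been delegated control over the "Pueblo" OU.

```powershell
# Added example (not from the thread): department OUs under the poster's "Pueblo" OU,
# AGLP groups for job roles and resource access, and one GPO linked broadly but
# security-filtered so that only the HR department actually applies it.
# Assumptions (placeholders, not from the thread): domain DC=example,DC=local, the group
# and GPO names below, RSAT ActiveDirectory + GroupPolicy modules, and an account that
# is delegated control over the Pueblo OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=example,DC=local'          # placeholder domain
$PuebloDN = "OU=Pueblo,$DomainDN"          # the OU the original poster controls

# Create an OU only if it does not already exist; returns its distinguished name.
function Ensure-OU {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    $existing = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'"
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

# 1. OUs reflect departments and delegation boundaries, not job roles.
$groupsOU = Ensure-OU -Name 'Groups' -Path $PuebloDN
foreach ($dept in 'HR', 'Sprint') {
    $deptOU = Ensure-OU -Name $dept -Path $PuebloDN
    Ensure-OU -Name 'Users'     -Path $deptOU | Out-Null
    Ensure-OU -Name 'Computers' -Path $deptOU | Out-Null
}

# 2. AGLP: Accounts go in Global groups (job roles), Global groups nest into domain
#    Local groups, and the Local groups get the Permissions on resources (file shares).
$roleGroups = 'GG-Sprint-Agents', 'GG-Sprint-TeamLeads', 'GG-Sprint-Supervisors',
              'GG-Sprint-Managers', 'GG-Sprint-Training', 'GG-HR-Staff'
foreach ($g in $roleGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupsOU
    }
}
# Domain local group that receives the NTFS/share permission; role groups nest into it.
if (-not (Get-ADGroup -Filter "Name -eq 'DL-SprintShare-Modify'")) {
    New-ADGroup -Name 'DL-SprintShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU
}
Add-ADGroupMember -Identity 'DL-SprintShare-Modify' -Members 'GG-Sprint-Agents', 'GG-Sprint-TeamLeads'

# 3. GPO scoped by its link, then narrowed by security filtering.
#    The setting itself is configured in GPMC and is assumed here to be a
#    User Configuration setting (user-group filtering only affects user-side processing).
$gpoName = 'Pueblo - HR removable media access'   # placeholder name
try   { $gpo = Get-GPO -Name $gpoName }
catch { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $PuebloDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# A new GPO gives "Authenticated Users" Read + Apply. Drop Apply but keep Read (computer
# accounts must still be able to read the GPO during processing, as required since
# MS16-072), then grant Apply only to the HR role group. -Replace overwrites the
# existing permission level rather than adding to it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'GG-HR-Staff' -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 4. Verify: only GG-HR-Staff should show GpoApply; Authenticated Users should show GpoRead.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission
```

Two points worth checking after running something like this: the NTFS ACL on the file share still has to be granted to DL-SprintShare-Modify separately (the script only builds the directory side of AGLP), and if the restriction you want to filter is a Computer Configuration setting, filtering on a user group will have no effect; link it to the department's Computers OU or filter on a group of computer accounts instead. `gpresult /r` on a test workstation (or `Get-GPResultantSetOfPolicy`) confirms which GPOs were actually applied and which were filtered out.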
