Frank Posted September 12, 2008

I am working on cleaning up our Active Directory setup and optimizing it (at least the parts I can do) to roll out group policies to the machines/users. I have attached a screenshot of our current setup. I can make any changes to the "Pueblo" OU but the rest is out of my control. Right now we have users and computers in a completely separate OU. Computers are separated into separate OUs where users are in one big OU. We also have groups set up for the users that serve as Security Groups for our local file server as well as distribution groups for Exchange. Should I separate the users into separate OUs as well and combine them inside the same basic OU as the computers? I.e.: separate all users and computers into these different OUs and then assign a different GPO for each?

Pueblo -> Sprint -> Agents
Pueblo -> Sprint -> Team Leads
Pueblo -> Sprint -> Supervisors
Pueblo -> Sprint -> Managers
Pueblo -> Sprint -> Training
whitebread Posted September 12, 2008

Just a thought for you: make sure to disable Regedit, msconfig, and compmgmt.msc (among other things). Regedit can undo any GP setting :shiftyninja: I'm sure you knew that, though :)
bobbba Posted September 12, 2008

The idea is that AD is flexible enough to do it any way you want. There's not really a wrong answer as long as it successfully meets your requirements. For example, you certainly don't have to split users based on job role into different OUs unless your GPO decisions mean that it would be helpful to do so. At the same time, there is nothing wrong if you choose to do it that way because your GPOs are applied like that. If it's not for GPO requirements or delegation, job roles would be better represented by groups and their permissions using AGLP (Accounts in Global groups in Local groups assigned Permissions to resources). Personally I would suggest OUs are used based on department identification and delegation requirements. Also bear in mind that you can control whether a GPO is applied or not via Security Group filtering on the GPO.
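The layout bobbba describes (OUs by department/delegation, roles as AGLP groups, one GPO per department OU narrowed with security filtering) as a worked example. This is an added example, not code from the thread or from any of the posters; it assumes a made-up domain corp.example, the Pueblo/Sprint OU names from the original question, invented group and GPO names, and the RSAT ActiveDirectory and GroupPolicy modules on the admin workstation. It also goes slightly beyond the thread by keeping Authenticated Users with Read on the filtered GPO, which Windows has required for policy processing since the MS16-072 update.

```powershell
# Added example (not from the thread). Assumes domain corp.example and the
# RSAT ActiveDirectory + GroupPolicy modules. All names below are made up.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = 'DC=corp,DC=example'
$PuebloOU = "OU=Pueblo,$DomainDN"        # the OU the poster controls

# 1. OUs follow department and delegation boundaries, not job roles.
New-ADOrganizationalUnit -Name 'Sprint' -Path $PuebloOU -ProtectedFromAccidentalDeletion $true
$SprintOU = "OU=Sprint,$PuebloOU"
foreach ($child in 'Users', 'Computers') {
    New-ADOrganizationalUnit -Name $child -Path $SprintOU -ProtectedFromAccidentalDeletion $true
}

# 2. AGLP: Accounts -> Global groups (one per role) -> domain Local group per
#    resource -> Permissions granted only to the domain local group.
$roles = 'Agents', 'Team Leads', 'Supervisors', 'Managers', 'Training'
foreach ($role in $roles) {
    New-ADGroup -Name "G-Sprint-$role" -GroupScope Global -GroupCategory Security `
        -Path "OU=Users,$SprintOU" -Description "Role group: $role (Sprint)"
}
# Resource-side group: grant this one Modify on the file server share/NTFS ACL.
New-ADGroup -Name 'DL-FS-SprintShare-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path "OU=Users,$SprintOU" -Description 'Modify on \\fileserver\Sprint (hypothetical)'
Add-ADGroupMember -Identity 'DL-FS-SprintShare-Modify' `
    -Members 'G-Sprint-Agents', 'G-Sprint-Team Leads'

# 3. One GPO linked at the department OU, security-filtered to a single role group.
$gpo = New-GPO -Name 'Sprint - Agent Desktop Lockdown'
New-GPLink -Name $gpo.DisplayName -Target "OU=Users,$SprintOU" -LinkEnabled Yes

# Replace the default "Authenticated Users: Apply" with Read only. Read must stay,
# because since MS16-072 the computer account has to read user GPOs to process them.
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
# Only members of the Agents role group actually apply the policy.
Set-GPPermission -Name $gpo.DisplayName -TargetName 'G-Sprint-Agents' `
    -TargetType Group -PermissionLevel GpoApply

# 4. Verify the filter: list every trustee that can apply this GPO.
Get-GPPermission -Name $gpo.DisplayName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

The verification step at the end is the check worth repeating whenever a GPO is edited: if a trustee other than the intended role group shows GpoApply, the filter is wider than the design says it is. Security filtering only decides who applies the policy; the resource permissions still come from the domain local group's ACL entry, so the two mechanisms should be reviewed separately.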
Nick Sheldon Posted September 13, 2008

bobbba said:
"Personally I would suggest OUs are used based on department identification and delegation requirements. Also bear in mind that you can control whether a GPO is applied or not via Security Group filtering on the GPO."

Agreed. That's our setup. Because of this we can give our HR dept access to their CD-ROM drives, whilst every other dept is restricted.