Active Directory design

G

Guest

Hi all,

I am in the process of setting up a small network for around 25 users (all
in one site) and would like some advice as to the best design for AD. We have
5 main depts (Management, Middle Office, Marketing, Finance, Operations) plus
a number of general admin staff that dont really belong to any dept. The
only group policy settings I am planning to define are those to do with
password security and workstation screensavers (which I think I can achieve
from the default domain policy).

I was initially thinking of creating an OU for each dept and placing users
in their appropriate OU, which would give the follwoing OU structure:

- Management
- Marketing
- Middle Office
- Finance
- Operations
- General (for those users who dont belong to any dept)

However I'm not sure if this structure is neccessary, due to the following
reasons:

a. I wont be defining separate group policies to each OU - will use only the
default domain policy to define a small number of domain-wide settings
b. I am the only administrator so wont be delegating control to any OU
c. Two of the depts only have one user in each!

Because of this I'm wondering if the above setup is just overkill. So my
questions are:

1. Is it simply worth me creating all the users within the default "Users"
container instead? Is there any advantage of doing this as opposed to
creating OUs?

2. If I do create the user accounts in the default 'Users' container, will
the defualt domain policy work on users in this container?

3. If I go for the OU deployment scenario, do I need to place the Security
and Distribution groups for each dept within their corresponding OU? E.g. if
I create a Security Group called 'Finance' that contains all the members of
the finance team, should this group be placed within the Finance OU, or
should I create a separate OU called 'Groups' and place all my Security and
Distribution groups (for every dept) in the single OU, regardless of which
department's members they contain?

Many thanks in advance for any assistance.

Rgds,

Yasser Hussein
 
A

Ace Fekay [MVP]

In
YHussein said:
Hi all,

I am in the process of setting up a small network for around 25 users
(all in one site) and would like some advice as to the best design
for AD. We have 5 main depts (Management, Middle Office, Marketing,
Finance, Operations) plus a number of general admin staff that dont
really belong to any dept. The only group policy settings I am
planning to define are those to do with password security and
workstation screensavers (which I think I can achieve from the
default domain policy).

I was initially thinking of creating an OU for each dept and placing
users in their appropriate OU, which would give the follwoing OU
structure:

- Management
- Marketing
- Middle Office
- Finance
- Operations
- General (for those users who dont belong to any dept)

However I'm not sure if this structure is neccessary, due to the
following reasons:

a. I wont be defining separate group policies to each OU - will use
only the default domain policy to define a small number of
domain-wide settings
b. I am the only administrator so wont be delegating control to any OU
c. Two of the depts only have one user in each!

Because of this I'm wondering if the above setup is just overkill. So
my questions are:

1. Is it simply worth me creating all the users within the default
"Users" container instead? Is there any advantage of doing this as
opposed to creating OUs?
Click to expand...

If the company has plans for growth and expansion, probably yes. If not, not
really necessary unless YOU want to organize it a little better for your own
sake.
2. If I do create the user accounts in the default 'Users' container,
will the defualt domain policy work on users in this container?
Click to expand...

Yes it will. However, it is suggested to create your own OU for the users
and move them into it, whether this is based on your departments or just a
"Company Users" OU, for organization sake.
3. If I go for the OU deployment scenario, do I need to place the
Security and Distribution groups for each dept within their
corresponding OU? E.g. if I create a Security Group called 'Finance'
that contains all the members of the finance team, should this group
be placed within the Finance OU, or should I create a separate OU
called 'Groups' and place all my Security and Distribution groups
(for every dept) in the single OU, regardless of which department's
members they contain?
Click to expand...

I would create groups for their respective departments in their respective
OUs. Remember, organization! When I teach the AD design course, I stress
that OUs are like drawers in your kitchen that you use to organize your junk
(kitchen utensils, etc). You organize your objects in a similar fashion with
OUs. Plus you can create your own policies per drawer, err, OU, everything
except password policies, which are ONLY effective at the domain level.
Many thanks in advance for any assistance.

Rgds,

Yasser Hussein
Click to expand...

In summary, it is up to YOU. If I were you, yes, I would, but that is
because I try to organize everything in a structure so I can document it for
my customers (I am a Microsoft Trainer and a consultant). I ahve some
customers that only have 6 users. For them I just created an "Office" OU and
put everone in there. Other companies with 20 people, I broke it down by
department. Also, since I am not always onsite at a customer, when a
customer calls, I can refer to my configuration notes to remind me of what I
did and how I organized it, or simply remote in and look at the AD structure
and I can see who's who in the company just by where I placed them (OUs),
etc.

It's up to you...

--
Ace
Innovative IT Concepts, Inc
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...
 
K

Kurt

I've found that group policies tend to be created out of necessity rather
than initial planning. Common policies like desktop background, redirecting
My Documents to a server with a tape drive for backup purposes, etc. can be
implemented at the domain level as you are planning. But other, more
granular policies are usually directed at a specific department, project or
team. Organizing your AD this way in the beginning makes light work down the
road. I think you're on the right track.

....kurt
 
E

Enkidu

YHussein said:
Hi all,

I am in the process of setting up a small network for around 25 users (all
in one site) and would like some advice as to the best design for AD. We have
5 main depts (Management, Middle Office, Marketing, Finance, Operations) plus
a number of general admin staff that dont really belong to any dept. The
only group policy settings I am planning to define are those to do with
password security and workstation screensavers (which I think I can achieve
from the default domain policy).

I was initially thinking of creating an OU for each dept and placing users
in their appropriate OU, which would give the follwoing OU structure:

- Management
- Marketing
- Middle Office
- Finance
- Operations
- General (for those users who dont belong to any dept)

However I'm not sure if this structure is neccessary, due to the following
reasons:

a. I wont be defining separate group policies to each OU - will use only the
default domain policy to define a small number of domain-wide settings
b. I am the only administrator so wont be delegating control to any OU
c. Two of the depts only have one user in each!

Because of this I'm wondering if the above setup is just overkill. So my
questions are:

1. Is it simply worth me creating all the users within the default "Users"
container instead? Is there any advantage of doing this as opposed to
creating OUs?

2. If I do create the user accounts in the default 'Users' container, will
the defualt domain policy work on users in this container?

3. If I go for the OU deployment scenario, do I need to place the Security
and Distribution groups for each dept within their corresponding OU? E.g. if
I create a Security Group called 'Finance' that contains all the members of
the finance team, should this group be placed within the Finance OU, or
should I create a separate OU called 'Groups' and place all my Security and
Distribution groups (for every dept) in the single OU, regardless of which
department's members they contain?

Many thanks in advance for any assistance.
Click to expand...
Hi Yasser,

I believe that you can easily get away with one Domain, one OU. 25 is
far too few to worry about separate OUs.

Cheers,

Cliff
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Is there a way to automatically add new users to groups........... 2
Active Directory Domain Policy 13
Group Policy Problem 3
Migrating from multiple child domain environment to single domain with OUs. What's correct method? 5
GPO for individual users? 8
How to prevent user to see default AD containers? 1
Large Global single domain Group Policy design 1
groups and OU's in ad 3

Top