How do you use AD to manage computers/users?


Ken Argo [MSFT]

I would like to get an understanding of how different organizations leverage
Active Directory in their deployments. I am trying to get a cross section
of answers for the following questions:



1) Do you use AD to manage computers?

a. If yes, do you group machines into smaller collections using
Organizational Units (OU)?

i. If not, do you use any AD tools to manage machines?

2) Do you manage users into OUs? Other grouping mechanism?



Feel free to post back directly to (e-mail address removed) if you would rather
not share this information to the public newsgroup.



Thanks for your help,

Ken
 

Herb Martin

Ken Argo said:
I would like to get an understanding of how different organizations leverage
Active Directory in their deployments. I am trying to get a cross section
of answers for the following questions:
1) Do you use AD to manage computers?

The most obvious is Group Policy for standard security,
software, and administrative (registry) policies.

Software allows deploying applications automatically to all
machines or a subset -- or to users.

Automatic updates locations can be re-directed to an internal
SUS server too.
a. If yes, do you group machines into smaller collections using
Organizational Units (OU)?

The KEYS to Group Policy and OU design are to understand the
two primary reasons for creating an OU:

1) Delegate control (OF the items in the OU)

2) Link GPOs

One must first understand and decide on a plan for these two,
linking GPOs and delegation, and then OU design is relatively
easy.

If there is then a conflict, one can go with the Delegation strategy
usually since GPOs can be filtered by permissions or in Win2003
by WMI queries (e.g., XP versus Win2000 workstations etc.)
i. If not, do you use any AD tools to manage machines?
2) Do you manage users into OUs? Other grouping mechanism?

OUs are not to be confused with "groups".

Groups are "security principals" for GRANTING access TO the members.

OUs are containers for the DELEGATION of control OF/OVER the
items they contain. (And linking GPOs.)

One cannot link a GPO to a group (although permissions can be used
to "filter" out the application of policy linked to the OUs).
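
The OU-versus-group distinction described in the reply above, as an added PowerShell example that is not part of the original thread: the GPO is linked to an OU, and a security group is used only to filter which members of that OU apply it. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the filter group already exists; the domain, OU, GPO and group names are constructed placeholders.

```powershell
# Added example. Every name below is a constructed placeholder, not taken from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=com'         # assumed domain
$ouName   = 'Workstations'              # assumed OU
$gpoName  = 'Workstation Baseline'      # assumed GPO
$group    = 'Baseline-Pilot-Computers'  # assumed existing security group (filter only)
$ouDn     = "OU=$ouName,$domainDn"

# 1. The OU is the container: GPOs are linked here and control is delegated here.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Create the GPO if it is missing, then link it to the OU.
#    A link target is a site, domain or OU; a group cannot be a link target.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 3. Security filtering: a principal processes the GPO only if it has Read and Apply.
#    Reduce Authenticated Users to Read so the GPO stays readable but is not applied
#    by everyone, then grant Apply to the filter group.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Review the result: the link lives on the OU, the filter lives in the GPO's ACL.
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Computers in the OU that are not members of the filter group still fall within the link's scope but skip the GPO, which is the "filter" effect the reply describes.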