Question regarding ou's and child-domains

Jesper

Hi
I was wondering if it is possible to move a user to another OU in the child
domains, without affecting their position in an OU in the root domain.

The user in the root domain
ldap://cn=jesper,ou=student,dc=testdomain,dc=com

The user in the "child1" child domain
ldap://cn=jesper,ou=staff,dc=child1,dc=testdomain,dc=com

The user in the "child2" child domain
ldap://cn=jesper,ou=superuser,dc=child2,dc=testdomain,dc=com

The deal is that each child domain is run by a separate admin, and he wants
to be able to move any user to a specific OU in his child domain (to manage
GPs for that user).

Regards
Jesper
 
Simon Geary

What you really have here is three separate and unconnected user accounts so
moving the user in one domain will not affect the similarly named accounts
in the other domains.
 
Jesper

Hi Simon
> What you really have here is three separate and unconnected user accounts so
> moving the user in one domain will not affect the similarly named accounts
> in the other domains.

Yep, but is it possible? The only thing I want to make sure is that the
password is the same for all the users, and that if I change the password,
disable or delete the user in the root domain then these actions are
migrated to all the other child domains.

Regards
Jesper
 
Simon Geary

No, this will not happen automatically. If the password is changed on the
account in one domain or the account is disabled or deleted the action will
have to be manually repeated in each of the other domains.

Microsoft have a metadirectory service called Identity Integration Server
that can synchronise accounts in this fashion, you might want to check it
out as it will do what you are after.
http://www.microsoft.com/windowsserver2003/technologies/directory/miis/default.mspx

Another alternative would be to rethink your AD design and have only one
user account per user which would make things easier if this were possible.
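
Since the same-named accounts are separate objects and a disable, delete or password change in one domain is not repeated in the others, a periodic drift check shows where the copies have diverged. The sketch below is an added example, not part of the original thread: it matches accounts by CN across the three DNs from the question, treats the root domain as authoritative, and runs on a constructed sample export (the `enabled` and `pwd_last_set` fields and all function names are assumptions).

```python
from collections import defaultdict

ROOT = "testdomain.com"  # root domain from the thread, treated as authoritative

# Constructed sample export; real data would be pulled from each domain separately.
ACCOUNTS = [
    {"dn": "cn=jesper,ou=student,dc=testdomain,dc=com", "enabled": False, "pwd_last_set": "2024-05-01"},
    {"dn": "cn=jesper,ou=staff,dc=child1,dc=testdomain,dc=com", "enabled": True, "pwd_last_set": "2024-01-10"},
    {"dn": "cn=jesper,ou=superuser,dc=child2,dc=testdomain,dc=com", "enabled": False, "pwd_last_set": "2024-05-01"},
    {"dn": "cn=anna,ou=staff,dc=child1,dc=testdomain,dc=com", "enabled": True, "pwd_last_set": "2024-02-02"},
]

def parse_dn(dn):
    """Split a DN into (cn, dns_domain). Simplified: assumes no escaped commas."""
    rdns = [r.strip().split("=", 1) for r in dn.removeprefix("ldap://").split(",")]
    cn = next(v for k, v in rdns if k.lower() == "cn")
    domain = ".".join(v for k, v in rdns if k.lower() == "dc")
    return cn.lower(), domain.lower()

def find_drift(accounts, root=ROOT):
    """Return (cn, domain, issue) for child copies that diverge from the root copy."""
    by_cn = defaultdict(dict)
    for acct in accounts:
        cn, domain = parse_dn(acct["dn"])
        by_cn[cn][domain] = acct  # matching on CN is a heuristic: AD does not link these objects
    findings = []
    for cn, copies in sorted(by_cn.items()):
        master = copies.get(root)
        for domain, acct in sorted(copies.items()):
            if domain == root:
                continue
            if master is None:
                if acct["enabled"]:
                    findings.append((cn, domain, "orphan"))  # no root copy exists
            elif not master["enabled"] and acct["enabled"]:
                findings.append((cn, domain, "still-enabled"))  # root copy is disabled
            elif acct["pwd_last_set"] < master["pwd_last_set"]:
                findings.append((cn, domain, "stale-password"))  # ISO dates compare as strings
    return findings

if __name__ == "__main__":
    for finding in find_drift(ACCOUNTS):
        print(*finding, sep=" | ")
```

An `orphan` finding only means no root copy with that CN exists; an account created solely in a child domain will also show up there and needs a manual look.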
 
Jesper

Hi Simon
> No, this will not happen automatically. If the password is changed on the
> account in one domain or the account is disabled or deleted the action will
> have to be manually repeated in each of the other domains.

Ok,

> Microsoft have a metadirectory service called Identity Integration Server
> that can synchronise accounts in this fashion, you might want to check it
> out as it will do what you are after.
> http://www.microsoft.com/windowsserver2003/technologies/directory/miis/default.mspx

Nice I will look into that - thanks

> Another alternative would be to rethink your AD design and have only one
> user account per user which would make things easier if this were
> possible.

The deal is that I only want one user in the root domain, but as I have
understood the AD structure, it is not possible to have a user placed in one
OU in one domain and the same user placed in another OU in another domain.
It might be that my AD design isn't the right one. What would you suggest if
I told you, that the only feature that I'm looking for, is the
password/enable/delete synchronization between 2 separate domains.


Regards
Jesper
 
Simon Geary

> The deal is that I only want one user in the root domain, but as I have
> understood the AD structure, it is not possible to have a user placed in one
> OU in one domain and the same user placed in another OU in another domain.

That's right, you can create a user with the same name but it will really
just be two different accounts.

> It might be that my AD design isn't the right one. What would you suggest if
> I told you, that the only feature that I'm looking for, is the
> password/enable/delete synchronization between 2 separate domains.

You therefore need a directory synchronisation tool. That Microsoft MIIS
server will do this and there are also numerous 3rd party products that will
do this although I've never used any of them so I can't recommend anything
in particular. This link might be useful
http://www.ferris.com/rep/19971211/SM.html
 
Jesper

Hi Simon
Thanks for all your help - I guess I have to buy the MIIS or program something
myself.

Regards
Jesper
 
