AD organizational design

Guest

Here's what I have trouble with in AD..

At our accounting firm we have ~100 users that should have different access settings. Partners, Managers, Staff, Support Staff, Interns, etc... Some use laptops and some use desktops. Some staff work exclusively in one area of accounting while others work in multiple. Auditing, bookkeeping, taxation, royalties, estates, etc..

My question is... When do I use groups? When do I use OUs? Where should the GPOs be? What's the difference between a GPO at the domain level applied to a group, or a GPO at an OU level? (I know that one difference is the order in which Group Policies are applied.)

Should I group by position first, then job role, or vice versa?

If the royalty department uses only laptops, do I apply royalty-specific settings to the users or the computers?

You see where I'm getting with all of this? My network is very small, but I would like to redesign it, because right now everyone is just in Users and I want to further my knowledge of AD and AD design

thanks for all your hel
 
Brian Desmond [MVP]

Hi There,

First, let me clear up a common misconception that you have - group policy,
despite the name, cannot be applied to groups. Groups are used for
controlling access to resources and, when you have Exchange, for creating
email lists (distribution groups). When you create a group is not really a
design question but rather a usefulness question, in my opinion, at least.

The way I would create a tree, given your setup, is to create a parent OU for
all your user accounts - e.g. Accounts. Under it, create your departments -
accounting, marketing, etc. Create a base group policy with all your
standard user settings that you want all your users to have, and link it to
the top level "Accounts" OU. You can then create group policy objects (GPOs)
for each of the departments as necessary. Group policy settings propagate
downward, so if you configure a setting in a downlevel GPO, it will override
that setting in a parent GPO.

It may be appropriate in your situation (sounds like it is, actually) to put
the computers for each department in with the users for that department. In
this scenario, you'd simply configure user and computer settings in the same
group policy object.

--
Brian Desmond
Windows Server MVP
Http://www.briandesmond.com


alandaye said:
Here's what I have trouble with in AD...

At our accounting firm we have ~100 users that should have different
access settings. Partners, Managers, Staff, Support Staff, Interns, etc...
Some use laptops and some use desktops. Some staff work exclusively in one
area of accounting while others work in multiple. Auditing, bookkeeping,
taxation, royalties, estates, etc...
My question is... When do I use groups? When do I use OUs? Where should
the GPOs be? What's the difference between a GPO at the domain level
applied to a group, or a GPO at an OU level? (I know that one difference is
the order in which Group Policies are applied.)
Should I group by position first, then job role, or vice versa?

If the royalty department uses only laptops, do I apply royalty-specific
settings to the users or the computers?
You see where I'm getting with all of this? My network is very small, but
I would like to redesign it, because right now everyone is just in Users and
I want to further my knowledge of AD and AD design.
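
The OU and GPO layout described in the answer above, as an added example that is not part of the original thread: a re-runnable PowerShell script that creates the parent OU, the department OUs, a base GPO and one GPO per department, then lists the resulting precedence. The department list is taken from the question; the GPO names and the helper functions `Confirm-OU` and `Confirm-LinkedGpo` are assumptions made for illustration.

```powershell
# Added example: builds the OU/GPO tree from the answer above.
# Needs the ActiveDirectory and GroupPolicy modules (RSAT) and rights to create OUs and GPOs.
# OU names, department names and GPO names are assumptions chosen for illustration.
Import-Module ActiveDirectory, GroupPolicy

$domainDn    = (Get-ADDomain).DistinguishedName
$parentName  = 'Accounts'
$parentDn    = "OU=$parentName,$domainDn"
$departments = 'Auditing', 'Bookkeeping', 'Taxation', 'Royalties', 'Estates'

function Confirm-OU {
    param([string]$Name, [string]$Path)
    # Create the OU only if it is missing, so the script can be run again safely.
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$Path"
}

function Confirm-LinkedGpo {
    param([string]$GpoName, [string]$TargetDn)
    # Create the GPO if it does not exist yet (it starts with no settings configured).
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Created by example script' }
    # Link it to the OU unless a link is already present.
    $linked = (Get-GPInheritance -Target $TargetDn).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetDn -LinkEnabled Yes | Out-Null }
}

# Parent OU with the base GPO that holds the settings every user should get.
Confirm-OU -Name $parentName -Path $domainDn | Out-Null
Confirm-LinkedGpo -GpoName 'Accounts - Base Settings' -TargetDn $parentDn

# One child OU and one GPO per department, for settings that differ from the base.
foreach ($dept in $departments) {
    $deptDn = Confirm-OU -Name $dept -Path $parentDn
    Confirm-LinkedGpo -GpoName "Accounts - $dept" -TargetDn $deptDn
}

# InheritedGpoLinks is listed in precedence order, highest first: the department GPO
# should appear ahead of the base GPO, followed by anything linked at the domain.
(Get-GPInheritance -Target "OU=Royalties,$parentDn").InheritedGpoLinks |
    Select-Object DisplayName, Target, Enabled, Enforced
```

A link marked Enforced on a parent container takes precedence over the department GPO; the script sets no enforced links.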