AD OU and Security Group Structure

trading_jacks

We have AD set up with departmental OUs. I need to filter certain GPOs
from certain users. Example: some of the users in the accounting OU
need folder redirection, some do not. Also some of the users require
restricted access to only the computers in that OU. Some have access
to all computers.

I have two group policies for each of these requirements. I have two
security groups in the OUs named accresctictlogon and accfolder. This
is how I filter who gets the policy applied. Now for the question:

Is this the best way to go about this? I can see this becoming a
nightmare once all policies are in place. I am new to the company and
just getting started on implementing policies, and there are far more
complicated needs here than at my previous jobs, so I am just hoping
someone who has dealt with this can give me an idea if I am on the
right track.

Thanks!
 
Herb Martin

trading_jacks said:
We have AD set up with departmental OUs. I need to filter certain GPOs
from certain users. Example: some of the users in the accounting OU
need folder redirection, some do not. Also some of the users require
restricted access to only the computers in that OU. Some have access
to all computers.

Filtering can certainly be a choice in such situations but
usually it indicates you should (at least) review your OU
structure to determine if you have the optimum design.

For instance, you might just create two child OUs for the different
categories of Users in the "accounting OU" and then place common
policy on the parent Accounting, and the differing policies on each
of the child OUs.

It's a choice -- not always best, but something to consider and
review.

I have two group policies for each of these requirements. I have two
security groups in the OUs named accresctictlogon and accfolder. This
is how I filter who gets the policy applied. Now for the question:
Is this the best way to go about this? I can see this becoming a
nightmare once all policies are in place.

Then likely you should consider the ideas above.

My general principle here is to AVOID filtering until I really need
to use it -- or when the problem just "cries out for it."

Filtering OUT, say, Admin-type users from restrictions, since generally
it is difficult to create a group for "everybody but the admins" -- or
in Win2003 (doesn't work in 2000) using WMI filters to choose between
the OS of a computer (WinXP vs. Win2000 workstations) or choose
different policies for machines without the physical resources (RAM, video,
disk space) which can or cannot load certain software, etc.

I am new to the company and
just getting started on implementing policies, and there are far more
complicated needs here than at my previous jobs, so I am just hoping
someone who has dealt with this can give me an idea if I am on the
right track.

We would need to know a bit more specifics to give you the best,
but from the above you will find some ideas for how to approach
these decisions.

Ask anything that occurs to you on follow-up.

In general though, I like to avoid filtering, block inheritance, and even
"enforced" (or no-override)* except when a specific reason dictates
or strongly suggests this as best.

I am a little bit more free with "Enforced" than the others though.
Frequently 'enforced' is a reason for splitting settings to multiple
GPOs.
 

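An added example, not from either poster: a PowerShell audit that lists the three mechanisms the reply recommends using sparingly (security filtering, blocked inheritance, enforced links), so the spread of exceptions can be reviewed before the OU design is settled. It assumes the ActiveDirectory and GroupPolicy RSAT modules and a domain-joined session with read access to Group Policy.

```powershell
# Added example (not the thread's own code). Reports GPOs whose Apply right is
# narrowed by security filtering, OUs that block inheritance, and enforced links.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Security filtering: by default "Authenticated Users" (SID S-1-5-11) holds
#    GpoApply. If it does not, the GPO applies only to the trustees listed.
$filtered = foreach ($gpo in Get-GPO -All) {
    $apply = Get-GPPermission -Guid $gpo.Id -All |
             Where-Object { $_.Permission -eq 'GpoApply' }
    $authUsers = $apply | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }
    if (-not $authUsers) {
        [pscustomobject]@{
            GPO       = $gpo.DisplayName
            AppliesTo = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
        }
    }
}

# 2. Blocked inheritance and enforced (no-override) links, per OU.
$blocked  = @()
$enforced = @()
foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    if ($inh.GpoInheritanceBlocked) { $blocked += $ou.DistinguishedName }
    foreach ($link in $inh.GpoLinks) {
        if ($link.Enforced) {
            $enforced += [pscustomobject]@{
                OU  = $ou.DistinguishedName
                GPO = $link.DisplayName
            }
        }
    }
}

"GPOs relying on security filtering:"; $filtered | Format-Table -AutoSize
"OUs with inheritance blocked:";        $blocked
"Enforced GPO links:";                  $enforced | Format-Table -AutoSize
```

A long first list is the "nightmare" the question anticipates; each entry is a candidate for moving into a child OU instead, as the reply suggests.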