huge user OU


Jeff Senter

I do some consulting for a university and they are planning on having
all of the users in one large OU. They plan on breaking the machines up
into smaller OUs. They believe that they can manage this through GPO
easily with this configuration. Something tells me this is not going
to work well but I cannot put my finger on it. Or am I wrong and this
configuration will work just fine?
 

Alex Tarata

It just depends on the accounts that will be placed in that OU, Jeff. If they
will place 50,000 students that should have the same GPO applied, then
everything should be fine. If however they are not planning to do this, then
things could turn messy. For example: if they put all staff accounts and
all the student accounts in one place, then it will be a nightmare applying
different GPOs to different accounts.

But by the sound of it they will not do that, since they are splitting some
computers into different OUs.

A good thing is to have a look at the Microsoft website and see some
documentation about Active Directory design and present them with this. I
have read quite a few documents and seen heaps of AD implementations and
never seen ALL the users in one OU.

This does not sound good, but unfortunately it is an unfortunate thing
nowadays: the wrong people given the responsibility of working on Active
Directory. :)
 

Simon Geary

As a rule of thumb there are two reasons to divide your users into different
OUs: if they will have different Group Policies applied, and if you will
use delegation of administration to allow different users to administer the
accounts.
In your case, if all users will be given the same Group Policies and the
same admins will be responsible for the accounts, then there is no problem
having that many users in one OU, although searches will take a little
longer.
The fewer OUs the better, in my opinion, as it keeps things simple. I don't
think large numbers alone would justify creating more than one OU.
 

Alok Ranjan

I checked the reply from Jimmy and I find it really good.
Regards,
Alok.
 

jeff Senter

I agree too. I am just looking for reasons I can state why this is going to
be an administrative nightmare. I know that they think they can do user
logon/logoff scripts via machine GPOs. Maybe you can, but I do not know how.
 

Eric Chamberlain, CISSP

Jeff,

We have all our students in a single OU (some exceptions for graduate
programs). We create OUs for departments and then delegate full control to
the department. The OU admins use loopback processing to apply policies to
students. One of the reasons our student population is in a single OU is
that undergrads move around and take classes in different units; they don't
belong to one department or administrator. Another issue is FERPA: there
are strict federal laws on what student information can and can't be visible
in the directory, so before populating information in Active Directory make
sure you are in compliance.

Our AD deployment is pretty extensively documented at
http://calnetad.berkeley.edu

--
Eric Chamberlain, CISSP
Campus Active Directory Architect
Central Computing Services
University of California, Berkeley
http://calnetad.berkeley.edu
 

Jeff Senter

Thanks for your documentation. I will read it.

I would not be concerned if the students were in one OU, but they want
to put everyone (students, faculty, staff) in the same OU. They do
not have a very good track record of running large networks, so it
concerns me.
 

Joe Richards [MVP]

I will say the same thing Jimmy did but remove the thought that it sounds like a
bad idea...

It completely depends on the support model and doesn't become a bad idea and
difficult until the support model is known.

I had several domains with each domain > 45k users (one had 100k) in a single OU
for a long time and it worked great; however, we weren't doing GPOs for users.
Once you do GPOs for users, unless they are all taking on the same GPO, then you
probably want to break them up. Ditto if you want to delegate different rights
over different sets of users natively. Say HR can only be managed by the HR
support group natively. However, if you use some management tool, it may not
be necessary or desired to split them up.

All by itself, there is nothing wrong with putting them all in one place. The
question comes down to what else is being done and how they are being managed.
That is what will drive the organizational structure in AD.
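The "native" delegation Joe and Eric describe (a support group that can manage the accounts in one OU and nothing else) is done with ACEs on the OU, scoped to the user object class. The following is an added example, not code from anyone in this thread; it assumes a domain with the ActiveDirectory RSAT module and its AD: drive, and uses the placeholder names OU=Staff, HR and HR-Support.

```powershell
# Added example (not code from the thread): delegate management of the
# accounts in one departmental OU to one support group, the "native"
# delegation Joe describes. Assumes the ActiveDirectory RSAT module and its
# AD: drive. "OU=Staff", "HR" and "HR-Support" are placeholder names.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$parentDN = "OU=Staff,$domainDN"
$hrDN     = "OU=HR,$parentDN"

# Create the HR OU if it is not there yet.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=HR)" -SearchBase $parentDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name "HR" -Path $parentDN -ProtectedFromAccidentalDeletion $true
}

$group = Get-ADGroup -Identity "HR-Support"
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# schemaIDGUID of the "user" object class. Scoping the ACEs to it means the
# group can touch user accounts but not groups, computers or the OU itself.
$userClass = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

$acl = Get-Acl -Path "AD:\$hrDN"

# ACE 1: create and delete user objects in the OU and any sub-OUs.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# ACE 2: full control over the user objects beneath the OU (inherited-object
# type = user), which covers password resets, attribute edits, etc.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass))

Set-Acl -Path "AD:\$hrDN" -AclObject $acl

# Audit: list every explicit (non-inherited) Allow on an OU. Run this
# periodically on every OU that holds accounts; delegated write rights on
# user objects are a standard privilege-escalation path.
function Get-OuDelegation {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                      InheritedObjectType, InheritanceType
}
Get-OuDelegation -DistinguishedName $hrDN | Format-Table -AutoSize
```

This is exactly what a single user OU cannot give you: an ACE is scoped by container and object class, not by department, so granting HR-Support GenericAll on user objects in the one big OU hands it every account in the domain. With 100 to 150 people holding admin rights, as Jeff reports, the audit function at the end is the part worth keeping.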
 

Jeff Senter

Asking around, they are planning on having around 100 to 150 people with
admin rights and somewhere between 25 and 200 machine OUs that they can
apply different policies to. They are assuming that they can apply
GPOs to people based on which OU their workstation is in.
 

Simon Geary

That's an incorrect assumption. They will only be able to apply different Computer settings if they do that. With all the Users in one OU, all users will have to get the same User settings, notwithstanding any ACLs and WMI filtering, but that would get very messy for a large number of users. Try to group users that will need the same Group Policy into the same OU.
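The "ACLs" route Simon mentions is GPO security filtering: the GPO is linked to the single user OU, but only members of one group are allowed to apply it. The following is an added example, not code from Simon or the thread; it assumes the GroupPolicy and ActiveDirectory RSAT modules and uses the placeholder names OU=Users, "User - Lab Lockdown" and Lab-Students.

```powershell
# Added example (not code from the thread): scope a user-settings GPO to one
# group even though every account lives in the same OU. Assumes the
# GroupPolicy and ActiveDirectory RSAT modules. OU, GPO and group names below
# are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$usersOU  = "OU=Users,$domainDN"        # the single, large user OU
$gpoName  = "User - Lab Lockdown"
$applyTo  = "Lab-Students"              # only members of this group get it

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Security filtering step 1: a new GPO grants Authenticated Users Read+Apply.
# Downgrade that to Read only (-Replace removes the existing level first).
# Keep Read: since MS16-072 user policy is fetched in the computer's security
# context, so removing Read for Authenticated Users (which covers computer
# accounts) silently stops the GPO from applying at all.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 2: grant Read+Apply to the intended group only.
Set-GPPermission -Name $gpoName -TargetName $applyTo -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Some user-side content so the GPO does something: force a password-protected
# screen saver after 10 minutes (these are the policy values behind the
# "Screen saver" settings in the ADMX; they are REG_SZ).
$desktopKey = "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName "ScreenSaveActive"    -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName "ScreenSaverIsSecure" -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $desktopKey -ValueName "ScreenSaveTimeOut"   -Type String -Value "600" | Out-Null

# Link it to the single user OU (once).
$alreadyLinked = (Get-GPInheritance -Target $usersOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $usersOU -LinkEnabled Yes | Out-Null
}

# Verify the resulting filter: Authenticated Users should show GpoRead and
# Lab-Students GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize
```

Why this gets "messy" at scale, as Simon says: every distinct set of user settings needs its own GPO and its own filtering group, the effective policy for a given user is now a function of group membership that is invisible in the OU tree, and membership changes only take effect after the user logs on again (the group must be in the logon token). Troubleshooting moves from "which OU is the user in" to running gpresult /r /scope:user or Get-GPResultantSetOfPolicy per user.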
 

Eric Chamberlain, CISSP

It's possible with loopback processing.

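Loopback processing, which Eric mentions in both of his replies, is the one mechanism that makes Jeff's clients' assumption work: a GPO linked to a computer OU carries user settings, and the loopback switch tells the client to apply those settings to whoever logs on. The following is an added example, not code from Eric or the CalNet deployment; it assumes the GroupPolicy and ActiveDirectory RSAT modules and uses the placeholder names OU=Lab-PCs,OU=Chemistry and "Computer - Chemistry Lab Loopback".

```powershell
# Added example (not code from the thread): apply user settings based on the
# OU the computer is in, via loopback processing. Assumes the GroupPolicy and
# ActiveDirectory RSAT modules. OU and GPO names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$labOU    = "OU=Lab-PCs,OU=Chemistry,$domainDN"     # a departmental computer OU
$gpoName  = "Computer - Chemistry Lab Loopback"

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# Computer side: the loopback switch. UserPolicyMode 1 = Merge (the user's
# own OU policies apply first, then the user settings of GPOs in the
# computer's OU chain, which win on conflict); 2 = Replace (only the
# computer-chain GPOs supply user settings; the user's own OU policies,
# including any central security settings, are dropped).
Set-GPRegistryValue -Name $gpoName -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 1 | Out-Null

# User side, in the same GPO: what should happen to anyone who logs on to a
# lab PC. Illustration only: hide the Run command from the Start menu.
Set-GPRegistryValue -Name $gpoName -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoRun" -Type DWord -Value 1 | Out-Null

# Link the GPO to the computer OU, not to the user OU.
$alreadyLinked = (Get-GPInheritance -Target $labOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $labOU -LinkEnabled Yes | Out-Null
}

# Check on a lab PC after "gpupdate /force": the GPO must appear under the
# USER SETTINGS section of "gpresult /r /scope:user" even though the user's
# account sits in the central user OU. An HTML RSoP report for an arbitrary
# user/computer pair is available with:
#   Get-GPResultantSetOfPolicy -User "CONTOSO\student1" -Computer "LAB-PC-01" `
#       -ReportType Html -Path .\rsop.html
```

Two points for Jeff's case. First, loopback applies the whole user half of the GPO, so user logon/logoff scripts configured on a computer-OU GPO do run for the user; that answers the question about scripts "via machine GPOs". Second, it inverts the trust relationship Eric describes: a department admin with full control of a department OU, and therefore link and edit rights on its GPOs, controls the session of every central-OU student who logs on to a machine there. In Replace mode that admin also strips the central user policies. GPO edit and link rights on computer OUs with loopback enabled deserve the same scrutiny as local administrator rights, which matters when 100 to 150 people hold admin rights.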
 
