Large Global single domain Group Policy design

[Guest]

We are designing a large AD Forest 70k+user accounts with an OU structure to
divide by continents then by country and then within each country users,
computers etc.

Within each country we would need to have different laptop and desktop
policies applied but with our current OU proposal we would need to link a
specific group policy for the laptop OU within each country.

- What would be the impact to linking the same laptop GP to each country say
20+
-Wouldn't WMI filtering be an option to identify whether it is a laptop and
thus apply the GP at the root level from the continent OU?
- or move the computers Ou containing the laptop and desktops at the root
level OU instead of at each country level?

Thanks.

 

[Joe Richards [MVP]]

You can link a single GPO to as many OU's as you want, it is a popular
design. I have seen a single GPO linked to hundreds of OU's in several
Fortune 15 companies.

I would try to make the OU design as simple as possible though. Although
you can have a nice hierarchy you have to ask yourself why you are doing
it. Because it looks pretty isn't a good reason. With that many users
you should be using a provisioning system for users anyway and they
should be in one OU or a series of 5-10 GPO based OUs and all management
through proxy/provisioning tools and no native delegation. Computers are
a different story unless you have a proxy tool that will also handle
those. As a general rule I have found Ad Hoc GPOs to be a nightmare to
sort out later when there are problems, try to come up with a small
number (less than 10) of fixed GPOs that you use and stick to it. People
like to use GPOs like a hammer and look at every problem as if it is a
nail in need of the hammer.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm