ou and domain global groups delegation?

G

g

Hello,
I would appreciate some input. I have a multi site ad domain that has
local tech representitives and a core helpdesk/desktop/server team at the
main office. I would like the local techs to add remove
users/computers/groups, passwords etc in their own ou's. So my ous would
be based on offices.

mydomain.com
-------main_office
-------branch1
-------branch2


I would also like them to add users to domain global groups as well.
should i move my domain global groups from main_office to another ou and
delegate to all the tech reps?

mydomain.com
--------global_groups (delegate to all remote and main office techs)
---obj-corp_role1
---obj-corp_role2
--------main_office (delegate certain rolls for desktop techs)
---users/globalgroups
---desktops
--------branch1 (delegate to tech from branchoffice1)
---users/groups
---desktops
--------sensitive_global_groups (that i dont want delegated)
---obj-domain_admins
---obj-enterprise_admins


or should i just keep all my global/univ groups in the main office ou and
add/remove users for the other offices?


Or configure my groups something
like this mydomain.com -------global_groups --delegate to helpdesk
--main_office
--branch1 --delegate to branch1 tech
--branch2 --delegate to branch2 tech
-------main_office
--users
--desktops


Thank you for any input on best way to do this.
 
C

Chriss3

Hello

there is few common ways to desgin AD

by location or by department, or both

Like

Domain.local
New-York
Sales Department

Domain.local
Building43
Sales Department

//Christoffer Anderssson
 
J

Jimmy Andersson

There are a lot more ways than that...

- Geografi
- Role/Function
- etc....

What it all comes down to is to find a design that's good for your
administration. I've seen many different approaches to AD design, it's up to
the individual company to find a good one.

Regards,
/Jimmy
 
C

Chriss3

Yes of course it is, this was just few basic exampels,

some thing i have hold on to makeing Directory Services Desgin is to keep
Computer Accounts away from Users Account like

Sales
Users
Computers

Because GPO comes in that two configration ways, but anyway you can filter
it out..

Gonna watch Technet Live on monday :D



take care
 
G

g

Thanks for the input. I will do some more research to see what fits best
for my company.
thanks again
 
J

Jimmy Andersson

LOL! I just re-read my post... I mixed Swedish and English... :)
It's suppose to say geography, not Geografi....

Regards,
/Jimmy
 
C

Chriss3

Hehe, i understand anyway=)
Have you been working with AD sinec it come out?
yeah i will gladly come annd say hi if there is time for that=)

//Christoffer Andersson
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Delegation 1
Remove Domain Admins ability from "Delegation Of Control" 5
Delegation Wizard 2
Prevent some Domain Admin Account from creating USERS, Groups, OUs 2
Win2003's Global vs Local domain groups... 4
Righs to unlock accounts:Set "read/write accountlockout" time, but option is still gray out 1
Problem with domain local and global groups 3
Adding global groups to global groups 2

Top