OU Design with single domain AD structure

Mikey

I have been wrestling with a couple of issues in regard to the OU
design of our AD structure. I have a pretty good idea about almost all
the OUs, except for the ones that will contain the computer accounts.
I'm hoping some folks will take a look and help me decide which way to
go. Hopefully I can keep this simple.

The OUs I'm pretty certain of will be off the root of the domain and
will be as follows. I'll just use Our to represent the company name.

Our Administrators - will contain admin users and computers, as well as
Global groups whose membership is controlled by admins.

Our Users - will contain all the normal users. If any specific groups
of users need separation, a sub OU can be created below this one.

Our Resources - will contain OUs for different departments of users.
These OUs will be populated with Global groups for departmental access
to files, printer objects, and share objects.

Our Service Accounts - will contain all service user accounts.

The computer accounts are where I'm uncertain. Here are the layouts I'm
considering...

Domain.com
    Our Servers
        Application
            Corporate
            Manufacturing
        Database
            Corporate
            Manufacturing
    Our Workstations
        Corporate
        Manufacturing

Domain.com
    Corporate Computers
        Servers
            Application
            Database
        Workstations
    Manufacturing Computers
        Servers
            Application
            Database
        Workstations

Domain.com
    Our Computers
        Corporate
            Servers
                Application
                Database
            Workstations
        Manufacturing
            Servers
                Application
                Database
            Workstations

I'm really looking to maximize the use of group policy and ensure that
the application of the policy layers performs well. I can convince
myself of just about any one of them. I'm hoping somebody may have some
suggestions or improvements.

Thanks in advance,

Mike

Mikey

My indentations didn't show the actual layouts I had intended... Here's
another try...

Domain.com
    Our Servers
        Application
            Corporate
            Manufacturing
        Database
            Corporate
            Manufacturing
    Our Workstations
        Corporate
        Manufacturing

Domain.com
    Corporate Computers
        Servers
            Application
            Database
        Workstations
    Manufacturing Computers
        Servers
            Application
            Database
        Workstations

Domain.com
    Our Computers
        Corporate
            Servers
                Application
                Database
            Workstations
        Manufacturing
            Servers
                Application
                Database
            Workstations

Thanks in advance,

Mike

Guest

Mikey,

Just speaking from my personal experience, I would use the first layout as
opposed to the second. The reason I would structure it this way is that you
may have group policies that you want to apply to ALL servers and/or ALL
workstations, regardless of their role. Although you could accomplish the
same thing by linking the same GPO to multiple OUs it's a little cleaner to
link the GPO in one place.

JMHO

JHK
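To make JHK's point concrete, here is an added PowerShell example (not code from this thread or from either poster) that builds Mikey's first layout with the RSAT ActiveDirectory and GroupPolicy modules and links one baseline GPO at "Our Servers", so every server OU below it inherits the policy from a single link. The GPO name "Server Baseline" and the helper New-OUIfMissing are assumptions for illustration; the domain DN is read from the directory.

```powershell
# Added example, not code from the thread: build Mikey's first layout and link one
# baseline GPO at "Our Servers" so every server inherits it regardless of role.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules and rights to create
# OUs and GPOs. The GPO name and the helper function are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName    # e.g. DC=domain,DC=com

# Layout 1 as parent -> children. Keys are paths relative to the domain root;
# [ordered] keeps parents ahead of their children so creation order is safe.
$layout = [ordered]@{
    ''                              = @('Our Servers', 'Our Workstations')
    'OU=Our Servers'                = @('Application', 'Database')
    'OU=Application,OU=Our Servers' = @('Corporate', 'Manufacturing')
    'OU=Database,OU=Our Servers'    = @('Corporate', 'Manufacturing')
    'OU=Our Workstations'           = @('Corporate', 'Manufacturing')
}

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        # Protect the OU: a subtree of computer accounts should not vanish on a mis-click.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

foreach ($entry in $layout.GetEnumerator()) {
    $parentDN = if ($entry.Key) { "$($entry.Key),$domainDN" } else { $domainDN }
    foreach ($child in $entry.Value) {
        New-OUIfMissing -Name $child -ParentDN $parentDN | Out-Null
    }
}

# One GPO for settings common to all servers, linked once at the top of the server subtree.
$serversOU = "OU=Our Servers,$domainDN"
$gpo = Get-GPO -Name 'Server Baseline' -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name 'Server Baseline' -Comment 'Settings common to every server role'
}
$alreadyLinked = (Get-GPInheritance -Target $serversOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpo.DisplayName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpo.DisplayName -Target $serversOU -LinkEnabled Yes -Enforced No | Out-Null
}

# Check from a leaf OU: the baseline must appear in its inherited links, and the
# order shown is the order in which the GPOs will be applied to those computers.
(Get-GPInheritance -Target "OU=Corporate,OU=Database,$serversOU").InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced
```

The final Get-GPInheritance call is the check worth keeping around: run it against any leaf OU after a reorganisation to confirm that the single link still reaches it and that nothing in between has "Block Inheritance" set.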

Herb Martin

Mikey said:
My indentations didn't show the actual layouts I had intended... Here's
another try...

I have been wrestling with a couple of issues in regard to the OU
design of our AD structure. I have a pretty good idea about almost all
the OUs, except for the ones that will contain the computer accounts.
I'm hoping some folks will take a look and help me decide which way to
go. Hopefully I can keep this simple.

There was too much detail for the time I had to spend on
this, but consider the following....

The two PRIMARY OU design criteria are:

1) Delegation of control
2) Assignment (and inheritance) of Group Policy Objects

Most other 'reasons' are either irrelevant or a form of the above.

Most of the time, your design should handle both (sets of criteria)
but if that is not possible, and no other design is suitable, then
most of the time (not all) you will give precedence to Delegation
of Control.

While delegation can be negated with "negative permissions" (DENY)
as can GPO with negative filtering (DENY), it is also possible to
use both positive permissions for GPOs, and with Win2003 to use
WMI Filters for GPOs.

There is a bit more control for GPOs and in general a lesser need
to use a lot of (usually confusing) negative permissions.

Ultimately you do what you must to cover those two criteria, in
the way that is easiest for you to manage AND document.
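Herb's two criteria, delegation of control and GPO assignment, as an added PowerShell example (not part of the original reply or anyone's code in the thread). It grants one group positive (Allow) rights over computer objects in a single OU of Mikey's first layout, scopes a GPO with positive security filtering rather than DENY ACEs, and dry-runs a WMI filter query that selects member servers by role. The group names "Mfg Workstation Admins" and "Mfg Workstations", the GPO name and the OU path are assumptions; the computer class GUID is the schema's well-known value.

```powershell
# Added example, not code from the reply: cover Herb's two criteria on one OU of
# the first layout with positive (Allow) grants only. Assumes the RSAT
# ActiveDirectory and GroupPolicy modules; the group names, GPO name and OU path
# are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Manufacturing,OU=Our Workstations,$domainDN"

# --- 1) Delegation of control: one group manages computer objects in this OU only ---
$admins = Get-ADGroup 'Mfg Workstation Admins'
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "computer" class
$acl = Get-Acl -Path "AD:\$ouDN"

# Allow creating and deleting computer objects in the OU and its sub-OUs.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $admins.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# Allow full control over computer objects that already exist below the OU, and nothing
# else: users, groups and objects elsewhere in the domain are untouched, so no DENY is needed.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $admins.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Show what was granted, filtered to this group's ACEs.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*Mfg Workstation Admins' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType

# --- 2) GPO assignment: positive security filtering instead of DENY ACEs ---
$gpoName = 'Manufacturing Workstation Lockdown'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
# Authenticated Users keeps Read only (computers must still be able to read the GPO),
# and only members of the target group get Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Mfg Workstations' -TargetType Group -PermissionLevel GpoApply | Out-Null
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission

# --- 3) WMI filter (Win2003 and later clients): select by role rather than by OU ---
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "3"'
# Dry-run the query locally before attaching it to the GPO in GPMC (the GroupPolicy
# module has no cmdlet for creating WMI filters); a match means the GPO would apply here.
$hits = Get-CimInstance -Namespace 'root\CIMV2' -Query $wql
"WMI filter would apply on this host: $([bool]$hits)"
```

The delegation half scopes the grant by OU and by object class, which is how the "positive permissions" Herb prefers avoid DENY entries entirely: the group simply has no ACE anywhere else. The same applies to the GPO half, where removing Apply from Authenticated Users and granting it to one group is easier to read and document than a DENY on the groups that should be exempt.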
 