OU design


George

Hello All!

We are still on an NT domain and I am in the process of designing the AD at
this moment. I have been working on this design for a long time and devoting
a lot of time to OU design. I believe domain, site and forest characteristics
are simple, so it will be a single forest, domain and 3 site design. We have 3
physical locations that are connected by private T1 lines: 2 in Chicago and
one in Texas. One in Chicago and one in Texas will have Exchange 2000
servers. Now the dilemma is still with the OUs: the more I read and develop
and think about it, the more I am not sure what to do and how to organize it.
Is there a checklist or a model or some kind of tool to use and aid in this
process? I would like to have some additional OUs that will separate desktops,
laptops, executive, user and admin just to accommodate different GPOs that I
might have in the future.

Please help. George
 
Think about what policies you want to deploy and who needs to get them.
Split the users away from the computers and then by site (or the other way
about, i.e. site first); that way you can have fine control over policies.

OUs = management groups, nothing more. They are an admin's eye view of the
network.

Regards

Mark
 
Thanks for your replies. I agree OU will be my view. But I am also confused,
as users can navigate to the AD in My Network Places and see the same
view as I can in MMC for users and computers. Is this how it is supposed to
be?

Also, what is the best way to deploy the policy: to users or machines? And if
you have 2 policies applied, one for machine and one for user, what will
happen?

Thanks, George
 
George said:
> Thanks for your replies. I agree OU will be my view. But I am also confused,
> as users can navigate to the AD in My Network Places and see the same
> view as I can in MMC for users and computers. Is this how it is supposed to
> be?
>
> Also, what is the best way to deploy the policy: to users or machines? And if

Depending on what you want to achieve and which settings you want to apply.

> you have 2 policies applied, one for machine and one for user, what will
> happen?

The Result Set of Policy (RSoP) will be the sum of these two with respect
to the rules of inheritance.
 
Hi George,

As Mark said in his post, OUs are the way administrators manage users and
computers...users won't be able to see this logical configuration unless
they can access the A.D Users & Computers snap-in, which you can stop them
from accessing through GPO.
Chris
 
But if you go to My Network Places and then click on the Directory icon, you
can see the OU structure and all of the items I can see in the MMC.
Is that the same on your machine? I have a test environment and this is what
I see.

George
 
I'd do this:

YourDomain
--Chicago
----Office A
------Users
------Computers
------Servers
------Groups
----Office B
------Users
------Computers
------Servers
------Groups
--Dallas
----Office A
------Users
------Computers
------Servers
------Groups
--Enterprise Support (Global stuff goes here)
----Groups (this would be a place to stuff enterprise DLs, Domain groups,
etc)

Yes, users will be able to peruse AD via My Network Places if they so choose.
I see no harm in this, really.

You will also have the site level control

So,

You can apply policies at the domain level, and affect all users, comps, etc
You can apply policies at the site level and affect all users, comps, etc in
that site
You can apply policies at the Geo & Office levels

Does this make sense?


--
Brian Desmond
Windows Server MVP

Http://www.briandesmond.com
 
I see what you're saying. When you drill down through the Directory, what
you'll see is what's in the AD Users & Computers snap-in. No changes can be
made there, but you could always use GPO to restrict ability to access My
Network Places.
 
Thank you. This helps a lot. I would like to keep the users away from some
things in Directory but definitely want to keep Shares and Printers. How can
I make a GPO that will partially block their view?

Thanks, George
 
And how do I change the ACL for OU? I can delegate control but can't figure
out how to change ACL.

Thanks in advance, George
 
AD Sites & Services > Right-click on the site > Click on the security tab.
You'll find some of your basic rights there or you can click on the Advanced
button for other choices.
 
I am not sure if I am doing this correctly, but it does not seem to be
working. Can you help me out and explain step by step how to stop user JOE
in test.com from viewing the OU called COMPUTERS in My Network Places, Directory? I
just want him to see shares and printers when browsing the Directory.

Thanks, George
 
George,

Give this a try:
1. Open Active Directory Users & Computers snap-in.
2. Click View > Advanced Features
3. Right-click on the OUs that you want to hide and select Properties
4. Click on the Security tab
5. Make adjustments as needed.

**WARNING: Make sure you make changes on the test network first and make
changes one at a time.

See this article for more info:
http://www.windowsitlibrary.com/Content/667/04/1.html
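
A scripted form of the Security-tab change discussed above, added here as an example and not taken from any poster in the thread. It assumes the RSAT ActiveDirectory PowerShell module is available; `Add-OuListDeny` is a hypothetical helper name, and `TEST\joe` and `OU=COMPUTERS,DC=test,DC=com` mirror the names George uses.

```powershell
# Added example: deny one account "List Contents" on one OU and verify the ACE.
# Assumptions: ActiveDirectory module (RSAT) is installed; run in a test domain.
Import-Module ActiveDirectory

function Add-OuListDeny {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDn,     # e.g. OU=COMPUTERS,DC=test,DC=com
        [Parameter(Mandatory)][string]$Account   # e.g. TEST\joe
    )
    $path = "AD:\$OuDn"
    $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                [System.Security.Principal.SecurityIdentifier])

    # Explicit deny of ListChildren ("List Contents" on the Security tab),
    # scoped to this OU only so child objects keep their own ACLs.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ListChildren,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    # Returns explicit (non-inherited) deny ACEs for this SID that cover ListChildren.
    $findDeny = {
        (Get-Acl -Path $path).GetAccessRules($true, $false,
            [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference -eq $sid -and
                           $_.AccessControlType -eq 'Deny' -and
                           ($_.ActiveDirectoryRights -band $rule.ActiveDirectoryRights) }
    }

    $existing = & $findDeny
    if ($existing) { Write-Verbose "Deny ACE already present on $OuDn"; return $existing }

    if ($PSCmdlet.ShouldProcess($OuDn, "Deny ListChildren to $Account")) {
        $acl = Get-Acl -Path $path
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }
    # Re-read from the directory so the result reflects what was actually stored.
    & $findDeny
}

# Dry run first: -WhatIf reports the change without writing to the directory.
Add-OuListDeny -OuDn 'OU=COMPUTERS,DC=test,DC=com' -Account 'TEST\joe' -WhatIf
```

This stops the account from listing what is inside the OU; the OU's own name is still returned when its parent container is listed, because that is governed by the parent's ACL.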
 