OU design

C Hall

Greetings,

We have a single Windows 2000 domain and are expanding. I'm looking for
advice on OU structure, implementing security templates and group policies.

Currently, we have 2 DCs in 2 separate locations. Site1's DC is the FSMO
role holder and only a couple of people (MIS) log in to the domain. Site2 has
about 12 people that log in to the domain. We have installed 2 member servers
in a third location and will be adding a DC there. This third location will
host about 50 people, large in our environment, some of whom will be
accessing the two member servers: a SQL server and an application
server (terminal services). After doing some testing, I want to roll out
separate security templates for workstations, domain controllers, member
servers and laptops. I will create a GPO that will apply to the terminal
services users only. Most other users, aside from MIS staff, would have a
similar desktop configuration. Originally, I was going to put all users in
one OU and all computers/laptops in another, but I don't think that will work.

Any suggestions would be appreciated.

Herb Martin

C Hall said:
Greetings,

We have a single Windows 2000 domain and are expanding. I'm looking for
advice on OU structure, implementing security templates and group policies.

The main criteria for OU design are:

1) Delegation strategy you wish to support

2) Assignment (and inheritance) of Group Policy

That is pretty much all you need to consider.

If you wish to delegate, make an OU; if you wish to
assign Group Policy differently, then make an OU.

If you wish to delegate or assign Group Policy through
inheritance, build it as a parent-child structure.

Rabbit

C Hall said:
Greetings,

We have a single Windows 2000 domain and are expanding. I'm looking for
advice on OU structure, implementing security templates and group policies.

Currently, we have 2 DCs in 2 separate locations. Site1's DC is the FSMO
role holder and only a couple of people (MIS) log in to the domain. Site2 has
about 12 people that log in to the domain. We have installed 2 member servers
in a third location and will be adding a DC there. This third location will
host about 50 people, large in our environment, some of whom will be
accessing the two member servers: a SQL server and an application
server (terminal services). After doing some testing, I want to roll out
separate security templates for workstations, domain controllers, member
servers and laptops. I will create a GPO that will apply to the terminal
services users only. Most other users, aside from MIS staff, would have a
similar desktop configuration. Originally, I was going to put all users in
one OU and all computers/laptops in another, but I don't think that will work.

Any suggestions would be appreciated.
First stab to me would be to put the workstations and laptops in separate
OUs and apply the appropriate policies/templates as required at the OU
level.

For the users, either separate the terminal server users and workstation
users into individual OUs, or put them all in the same OU and add the TS users
to a group. Apply the GP to the single OU and filter the application of
the policy by the TS group.

If you want the users to apply certain settings when accessing via terminal
services only, then you need to investigate loopback processing of GP.
Start here: http://support.microsoft.com/?id=260370

Hope this helps...
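The layout Rabbit describes, written out as an added PowerShell example that is not code from the thread: separate OUs for workstations and laptops, a single OU for staff users, and one GPO linked to that OU whose application is security-filtered to a terminal services group. It assumes a current domain with the RSAT ActiveDirectory and GroupPolicy modules installed; the OU, group and GPO names (Workstations, Laptops, Staff, TS Users, TS User Settings) are placeholders.

```powershell
# Added example (not from the thread). Builds the OU/GPO layout described above.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; all names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# One OU per machine class so each can carry its own security template / GPO
foreach ($ou in 'Workstations', 'Laptops', 'Staff') {
    $exists = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Security group that identifies the terminal services users
$tsGroup = 'TS Users'
if (-not (Get-ADGroup -Filter "Name -eq '$tsGroup'")) {
    New-ADGroup -Name $tsGroup -GroupScope Global -GroupCategory Security -Path "OU=Staff,$domainDN"
}

# GPO linked to the single staff OU ...
$gpoName = 'TS User Settings'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target "OU=Staff,$domainDN" -ErrorAction SilentlyContinue

# ... but security-filtered: only members of the TS group get Apply.
# Authenticated Users loses Apply; Domain Computers keeps Read (see note below).
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers'    -TargetType Group -PermissionLevel GpoRead
Set-GPPermission -Name $gpoName -TargetName $tsGroup              -TargetType Group -PermissionLevel GpoApply

# Show the resulting filter so the change can be reviewed before anyone logs on
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```

The Domain Computers read grant is the one step a Windows 2000 era write-up would not include: since MS16-072 the client retrieves user GPOs in the computer's security context, so a GPO that has had Authenticated Users removed entirely is silently skipped unless computer accounts retain Read. Confirm the filter with `gpresult /r` (or `Get-GPResultantSetOfPolicy`) for a TS user and a non-TS user; the GPO should appear under applied GPOs for the first and under denied GPOs (reason: security filtering) for the second.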

Mark Renoden [MSFT]

Hi

If you're after documentation, take a look at the Windows Server 2003
Deployment Kit Chapter "Designing a Managed Environment" ...

http://www.microsoft.com/resources/...003/all/deployguide/en-us/dpgDME_overview.asp

HTH
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

C Hall

Thanks everyone for the posts. This will give me a start. I'll post
follow-up questions after a little reading.

Mark Renoden said:
Hi

If you're after documentation, take a look at the Windows Server 2003
Deployment Kit Chapter "Designing a Managed Environment" ...

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/dpgDME_overview.asp

HTH

C Hall said:
Greetings,

We have a single Windows 2000 domain and are expanding. I'm looking for
advice on OU structure, implementing security templates and group policies.

Currently, we have 2 DCs in 2 separate locations. Site1's DC is the FSMO
role holder and only a couple of people (MIS) log in to the domain. Site2 has
about 12 people that log in to the domain. We have installed 2 member servers
in a third location and will be adding a DC there. This third location will
host about 50 people, large in our environment, some of whom will be
accessing the two member servers: a SQL server and an application
server (terminal services). After doing some testing, I want to roll out
separate security templates for workstations, domain controllers, member
servers and laptops. I will create a GPO that will apply to the terminal
services users only. Most other users, aside from MIS staff, would have a
similar desktop configuration. Originally, I was going to put all users in
one OU and all computers/laptops in another, but I don't think that will work.

Any suggestions would be appreciated.

C Hall

In reading the KB article, correct me if I'm wrong, but the GPO would be
applied to users only when they log in to the terminal server? And these
users could have a different policy for their desktops?

Herb Martin

C Hall said:
In reading the KB article, correct me if I'm wrong, but the GPO would be
applied to users only when they log in to the terminal server? And these
users could have a different policy for their desktops?

Normally one would expect the same policy for users
whether they log in to TS or directly at a machine, but it
is possible to vary this.

The user is going to receive the same GPO calculation
either way except for the following:

1) Filtering based on the TS special (dynamic) group

2) Loopback processing

3) Site

Few people have set up such filtering (#1), but it is possible.

#3 is only going to matter if the terminal SERVER is in a
different site (than the user).

#2 must be explicitly enabled, but few do this either. Loopback
processing recalculates the User policy AS IF the
user were in the same Domain, OU (tree) as the computer.

Two modes are available: merge and replace.

They do the obvious.
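Herb's three cases, worked through as an added example that is not part of the thread: a small PowerShell model of the order in which GPOs contribute user settings under normal processing and under loopback merge and replace, with a last-writer-wins resolver run over constructed sample GPOs. The GPO names and settings are made up, and the two functions are a simplification of the ordering rules, not the Group Policy engine; real processing also deduplicates GPOs and applies link order, enforcement and WMI filters, none of which is modelled here.

```powershell
# Added example (not from the thread). Models only the *order* of GPOs whose
# user settings apply; later entries win. Sample data below is constructed.

function Get-UserPolicyOrder {
    param(
        # GPOs linked along the user object's Site > Domain > OU path, in apply order
        [string[]]$UserChain,
        # Same for the computer being logged on to (e.g. the terminal server)
        [string[]]$ComputerChain,
        [ValidateSet('Normal', 'Merge', 'Replace')]
        [string]$Loopback = 'Normal'
    )
    switch ($Loopback) {
        # Computer's OU location is irrelevant to user settings
        'Normal'  { return $UserChain }
        # User's own GPOs ignored: policy computed AS IF the user sat in the computer's OU
        'Replace' { return $ComputerChain }
        # Both lists; the computer's chain is appended, so it wins any conflict
        'Merge'   { return @($UserChain) + @($ComputerChain) }
    }
}

function Resolve-UserSetting {
    param([hashtable]$Gpos, [string[]]$Order, [string]$Setting)
    $value = $null
    foreach ($name in $Order) {
        if ($Gpos.ContainsKey($name) -and $Gpos[$name].ContainsKey($Setting)) {
            $value = $Gpos[$name][$Setting]   # last writer wins
        }
    }
    return $value
}

# Constructed sample GPOs (user-configuration settings only).
# Site-linked GPOs, Herb's #3, would sit at the front of whichever chain they belong to.
$gpos = @{
    'Default Domain Policy' = @{ 'Wallpaper' = 'corp.jpg' }
    'Staff Desktop'         = @{ 'Wallpaper' = 'desk.jpg'; 'RunMenu' = 'Enabled' }
    'TS Lockdown'           = @{ 'Wallpaper' = 'none';     'RunMenu' = 'Disabled' }
}
$userChain     = 'Default Domain Policy', 'Staff Desktop'   # user object under OU=Staff
$computerChain = 'Default Domain Policy', 'TS Lockdown'     # terminal server under OU=TerminalServers

foreach ($mode in 'Normal', 'Merge', 'Replace') {
    $order = Get-UserPolicyOrder -UserChain $userChain -ComputerChain $computerChain -Loopback $mode
    $wp = Resolve-UserSetting -Gpos $gpos -Order $order -Setting 'Wallpaper'
    $rm = Resolve-UserSetting -Gpos $gpos -Order $order -Setting 'RunMenu'
    '{0,-8} Wallpaper={1,-9} RunMenu={2}' -f $mode, $wp, $rm
}
```

Running it shows why merge is usually enough for a terminal server: the staff desktop settings still apply, but anything the TS lockdown GPO also sets is overridden by it. Replace goes further and drops the staff desktop settings altogether, which is the behaviour to pick when the TS session must not inherit anything from the user's normal desktop policy. In a real GPO the mode is chosen with the "Configure user Group Policy loopback processing mode" setting under Computer Configuration > Administrative Templates > System > Group Policy, linked to the OU that holds the terminal servers, and `gpresult /r` on the server will list the applied user GPOs in exactly this kind of order.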

Chris Hall

Thanks, Herb.

Herb Martin said:
Normally one would expect the same policy for users
whether they log in to TS or directly at a machine, but it
is possible to vary this.

The user is going to receive the same GPO calculation
either way except for the following:

1) Filtering based on the TS special (dynamic) group

2) Loopback processing

3) Site

Few people have set up such filtering (#1), but it is possible.

#3 is only going to matter if the terminal SERVER is in a
different site (than the user).

#2 must be explicitly enabled, but few do this either. Loopback
processing recalculates the User policy AS IF the
user were in the same Domain, OU (tree) as the computer.

Two modes are available: merge and replace.

They do the obvious.