Win2k3 AD OU/GPO Design Discussion


Hutton

Hi,

I would like people's comments on OU design and GPO application. A
colleague and I have been discussing two possibilities on general
design principles:

(a) Use multiple OUs to separate Computers and Users. Use a couple
more levels to split by department. Place GPOs at the top. Place
department-specific GPOs at department-level OUs. In addition, have
role-based OUs for servers, and harden servers using templates imported
into these OUs.

(b) Use two OUs, one for Computers and the other for Users. Place
top-level GPOs. On the two OUs, use filtering (groups, WMI etc) to
apply different GPOs to different users and computers. Harden
servers, still by using GPOs and security templates but application
via GPO filtering.

Obviously it depends on the company, size, needs etc. But for this
scenario, let's say an SME of 2,500 users, single forest, single domain
and single site; 20 departments and lots of security groups already in
place.

Both can achieve the same thing. I have my view, but would like yours.
When I've been thinking about this I've also considered the impact on
AD reporting tools.


Thanks in advance,
Hutton

Herb Martin

Hutton said:
> Hi,
>
> I would like people's comments on OU design and GPO application. A
> colleague and I have been discussing two possibilities on general
> design principles:

Let's make sure we are following good primary
design principles. There are two primary reasons
for creating OUs:

1) Delegate Control

2) Link Group Policy

> (a) Use multiple OUs to separate Computers and Users.

If you aren't planning to link different group policies or
delegate authority to different admin groups then this is
unnecessary.

Also, different group policies for Users and Computers
can be dealt with by just leaving the respective half
empty or disabled.

> Use a couple
> more levels to split by department. Place GPOs at the top. Place
> department-specific GPOs at department level OUs.

This sounds like a good reason AND it might
also follow your delegation strategy, if any.

> In addition have
> role-based OUs for servers, harden servers using templates imported
> into these OUs.

Sounds right due to different GPO and likely different
delegation of control.

> (b) Use two OUs, one for Computers and the other for Users. Place
> top-level GPOs. On the two OUs, use filtering (groups, WMI etc) to
> apply different GPOs to different users and computers.

WMI filters don't work until Win2003 AD.

Most filtering by permissions should be avoided
UNLESS there is no workable alternative (like
permissions: you should try to avoid giving unnecessary
permissions and then attempting to deny them, but rather
never give them.)

> Harden
> servers, still by using GPOs and security templates but application
> via GPO filtering.

> Obviously it depends on the company, size, needs etc. But for this
> scenario, let's say an SME of 2,500 users, single forest, single domain
> and single site; 20 departments and lots of security groups already in
> place.

It mostly should depend on the GPOs you mentioned
and the DELEGATION strategy you haven't really
outlined.

E.g., if you have separate admins for each department
that argues strongly for those being separate OUs.

If you have separate admins for each department AT
each location, this argues for an additional layer of
OUs.

> Both can achieve the same thing, I have my view, but would like yours.
> When I've been thinking about this I've also considered the impact on
> AD reporting tools.


1) Delegation of control

2) Link Group Policy

Use filtering by permissions to break deadlocks between
these two and for things like getting true exceptions free,
e.g., "admins free of restrictive policies".

Use filtering by WMI for differences in machines, e.g.,
OS, disk sizes, RAMs, whatever.
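As an added example that is not from the thread: a PowerShell script (RSAT ActiveDirectory and GroupPolicy modules assumed; department names, GPO names and the "Standard-Users" group are constructed placeholders) that builds the option (a) layout the reply recommends, OUs only where delegation or GPO linking needs them, and uses security filtering only for the one exception the reply allows, an admin group kept free of a restrictive policy.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules; department, GPO and group names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN    = (Get-ADDomain).DistinguishedName
$departments = @('Finance', 'HR', 'Sales')        # three of the 20, constructed
$serverRoles = @('FileServers', 'WebServers')     # role-based server OUs

# OUs exist for the two reasons the reply gives: delegation and GPO linking.
$usersOU     = "OU=Users,$domainDN"
$computersOU = "OU=Computers,$domainDN"
$serversOU   = "OU=Servers,$domainDN"
foreach ($name in 'Users', 'Computers', 'Servers') {
    New-ADOrganizationalUnit -Name $name -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
# One department OU per side; each can later be delegated to that department's admins.
foreach ($d in $departments) {
    New-ADOrganizationalUnit -Name $d -Path $usersOU
    New-ADOrganizationalUnit -Name $d -Path $computersOU
}
foreach ($r in $serverRoles) {
    New-ADOrganizationalUnit -Name $r -Path $serversOU
}

# Top-level baselines link at the top; role hardening links at the role OU.
New-GPO -Name 'Baseline-Users'     | New-GPLink -Target $usersOU     -LinkEnabled Yes
New-GPO -Name 'Baseline-Computers' | New-GPLink -Target $computersOU -LinkEnabled Yes
foreach ($r in $serverRoles) {
    New-GPO -Name "Harden-$r" | New-GPLink -Target "OU=$r,$serversOU" -LinkEnabled Yes
}
# Department-specific settings link only at the department OU.
New-GPO -Name 'Finance-Settings' | New-GPLink -Target "OU=Finance,$usersOU" -LinkEnabled Yes

# The one place security filtering is used: a restrictive user policy from
# which admins must be exempt. Rather than granting Apply to everyone and then
# denying it to admins, Apply is granted only to a group that excludes them.
# Authenticated Users keeps Read so clients can still process the GPO.
$restrict = New-GPO -Name 'Restrict-Desktop'
New-GPLink -Name $restrict.DisplayName -Target $usersOU -LinkEnabled Yes
Set-GPPermission -Name $restrict.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $restrict.DisplayName -TargetName 'Standard-Users' `
    -TargetType Group -PermissionLevel GpoApply

# WMI filters (OS version, RAM, disk size) have no cmdlet in the GroupPolicy
# module; they are created in GPMC and attached to the relevant GPO there.
```

Run once with an account that can create OUs and GPOs; re-running fails on the existing OU and GPO names, so wrap the creations in existence checks before using it as a repeatable build script.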
 
