AD structure for users

Hi all,
I originally set up all my users under the default Users group. I have a
need to use group policies in a different way, so I created two OUs, one called
Restricted Users and one called Unrestricted Users.
I want to assign security rights by using these OUs, but OUs do not show up.
So do I need to create a group under the OUs and put the users in that group
so that I can assign security rights by groups?
My goal is to be able to assign group policies to users in different OUs and to
be able to assign security rights to users in the different OUs instead of
using the Domain Users group to assign rights. (I have a need to have vendor
user accounts that are not members of the Domain Users group.)
What is the best way to structure for these needs?
Thanks in advance
Sher
 
Let's start by clarifying that you are trying to do two things,
and they are done in different ways.
To apply group policy differently to separate sets of users
it is convenient to place those sets of user objects in different
OUs. This is not the only, but a convenient, way to do this.
You then link different GPOs to the OUs as desired to effect
the settings required.
To assign rights and grant privileges, it is convenient to define
custom groups and populate these with the users that will
be granted the different settings. I find it most convenient to
define groups for the resources and/or privileges granted and
use these to make those grants. I then define custom groups
for the sets of users, and use these to populate the resource
and rights granting groups. This has nothing directly to do
with group policy except that some grants might be made by
using the custom groups in the values set in the rights policies.
Where the groups are defined in AD is not relevant for the
successful granting of these privileges.
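
The two mechanisms Roger separates above, as an added example that is not part of the original thread: OUs get the GPO links, groups get the rights, and a role group for the people is nested into a resource group that the ACL names. It assumes the ActiveDirectory and GroupPolicy RSAT modules, the OU names from the question, and hypothetical GPO names, group names, a hypothetical `Groups` OU and a hypothetical share path `\\files.corp.example\Public` in a hypothetical domain `CORP`.

```powershell
# Added example, not from the thread. Assumes RSAT's ActiveDirectory and GroupPolicy
# modules; GPO names, group names, the Groups OU and the share path are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example

# 1. OUs decide which GPOs apply. User objects live in one of these.
foreach ($ou in 'Restricted Users', 'Unrestricted Users') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN
    }
}

# GPOs are linked to the OUs, never to groups (hypothetical GPO names).
$gpoMap = @{
    'Restricted Users'   = 'User-Restricted'
    'Unrestricted Users' = 'User-Unrestricted'
}
foreach ($ou in $gpoMap.Keys) {
    $gpoName = $gpoMap[$ou]
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
    }
    New-GPLink -Name $gpoName -Target "OU=$ou,$domainDN" -LinkEnabled Yes -ErrorAction SilentlyContinue
}

# 2. Groups decide rights. A global role group holds the people; a domain local
#    resource group is what the ACL names. Nest role -> resource (AGDLP).
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Groups)' -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name 'Groups' -Path $domainDN
}
$groupsOU = "OU=Groups,$domainDN"
New-ADGroup -Name 'Role-CompanyUsers'      -GroupScope Global      -Path $groupsOU -ErrorAction SilentlyContinue
New-ADGroup -Name 'Role-Vendors'           -GroupScope Global      -Path $groupsOU -ErrorAction SilentlyContinue
New-ADGroup -Name 'Res-PublicShare-Modify' -GroupScope DomainLocal -Path $groupsOU -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity 'Res-PublicShare-Modify' -Members 'Role-CompanyUsers'

# Populate the role group from both OUs. Which OU a user sits in is irrelevant to
# the grant; only membership counts. Vendor accounts are simply never added here.
$members = foreach ($ou in 'Restricted Users', 'Unrestricted Users') {
    Get-ADUser -Filter * -SearchBase "OU=$ou,$domainDN" -SearchScope OneLevel
}
if ($members) { Add-ADGroupMember -Identity 'Role-CompanyUsers' -Members $members }

# 3. The resource ACL names only the resource group (hypothetical share path),
#    so later changes are membership edits, not ACL edits.
$share = '\\files.corp.example\Public'
$acl   = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\Res-PublicShare-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl
```

Run it as a domain admin from a machine with RSAT; the `-ErrorAction SilentlyContinue` on the `New-*` calls makes it safe to re-run once the objects exist.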
 
Thanks Roger,
I understand about the group policy settings, but I guess what I am asking is
I want all my users in a group (except third-party vendor logons) so that I
can assign rights globally to all my users (like the Domain Users group, only
I don't want my third-party vendors in that group). For example, I have a
shared public folder that I want all my users to have access to, but I do not
want my third-party vendors to have access to it. I presently use the Domain
Users group for this. When I set up a user they automatically get added to
the Domain Users group (so when I added third-party vendors they were also
added to the Domain Users group). Can I just take them out of that group, or
should I set up a group under the OU called All Company Users and a group called
Third Party Vendors? This would mean I would always add company users to a
group under the OU instead of adding them at the OU level, right? Sorry if I
have confused you even more.
Sher
 
No, you have clarified, not confused things further.

The root issue is "what all does Domain Users grant?"

You may try removing the vendor accounts from Domain
Users, which is certainly possible to do, and see. This
has advantages, in that Domain Users by default also have
login rights on all joined client machines, which removing
those accounts would bar. However, you have not stated
just what kind of access is allowed for those vendors, so
it is something you need to analyze and provide for, if you
remove them from Domain Users and place them in some
other custom group (which would also need to be their
primary group in order to remove them from DU).

The alternatives are to define a custom domain group for
all non-vendor users and use this in place of DU on those
resources of concern. With this approach you would have
to remember to populate the custom group, and that the
vendor accounts have all accesses granted to DU.
Or, you could just define a custom group for the vendors
and use it to Deny all access to those resources of concern,
and then leave DU as it is to grant for your entitled users.

Of these, I would favor the first, as with the vendor accounts
not in DU, other than what they receive as an Authenticated
Users member (which usually includes interactive login to
joined members of the domain), they would only have access
to precisely what you have provisioned.

I do not follow:
"This would mean I would always add company users to a
group under the ou instead of adding them at the ou level, right? "

User objects should live in the OU appropriate for the GPOs
you want applied to them. If they have membership in some
group, that is a separate, extra thing.
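
Roger's favoured option, moving the vendor accounts out of Domain Users, as an added example that is not part of the original thread. The catch he notes is that Domain Users is the default primary group, and an account cannot be removed from its primary group, so the primary group is repointed first. This assumes the ActiveDirectory RSAT module, a hypothetical vendor OU `OU=Vendors` under the domain root, and a hypothetical global group `Role-Vendors` that becomes the vendors' primary group.

```powershell
# Added example, not from the thread. Assumes RSAT's ActiveDirectory module; the
# vendor OU and the Role-Vendors group are hypothetical.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$vendorOU  = "OU=Vendors,$domainDN"
$groupName = 'Role-Vendors'

# A primary group must be a global (or universal) group in the same domain.
# primaryGroupToken is the group's RID, which is what primaryGroupID stores.
$vendorGroup = Get-ADGroup -Filter "Name -eq '$groupName'" -Properties primaryGroupToken
if (-not $vendorGroup) {
    $vendorGroup = New-ADGroup -Name $groupName -GroupScope Global -Path $domainDN -PassThru |
                   Get-ADGroup -Properties primaryGroupToken
}
$domainUsers = Get-ADGroup -Identity 'Domain Users'   # well-known RID 513

foreach ($user in Get-ADUser -Filter * -SearchBase $vendorOU -Properties primaryGroupID) {
    # 1. Membership first: a group can only become the primary group of an
    #    account that is already a member of it.
    Add-ADGroupMember -Identity $vendorGroup -Members $user -ErrorAction SilentlyContinue

    # 2. Repoint the primary group. While it is still Domain Users (RID 513) the
    #    removal in step 3 is refused. AD turns the old primary group into an
    #    ordinary membership when this attribute changes.
    if ($user.primaryGroupID -eq 513) {
        Set-ADUser -Identity $user -Replace @{ primaryGroupID = $vendorGroup.primaryGroupToken }
    }

    # 3. Domain Users is now an ordinary membership and can be dropped.
    Remove-ADGroupMember -Identity $domainUsers -Members $user -Confirm:$false

    # 4. Report what the account still holds. Authenticated Users is implicit and
    #    cannot be removed, so logon rights on joined clients (local Users group,
    #    "Allow log on locally") need their own review, as the reply points out.
    $remaining = (Get-ADPrincipalGroupMembership -Identity $user |
                  Select-Object -ExpandProperty Name) -join ', '
    Write-Output "$($user.SamAccountName): primaryGroupID=$($vendorGroup.primaryGroupToken); groups: $remaining"
}
```

After this the vendor accounts hold only what `Role-Vendors` (and the implicit Authenticated Users) grants, so anything they should reach has to be provisioned explicitly, which is the point of Roger's preference.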
 