Can anyone advise on the safest way to re-org our AD setup?

OK, here goes. We are a small rural bank, with 6 physical locations, a total
of 80 or so employees, and a Windows 2000 AD domain. I have Group Policies
in place at the top of our domain, that were in place when I got here.
Problem is, each branch has a mix of bank officers, tellers, and new
accounts/back office folks, each of which would ideally have different
policies in place. We also have 2 2003 Servers running proprietary software
that for whatever reason cannot use automatic updates, which I have in place
for the entire domain.

Right now everything is divided by physical location. Under our domain, we
have a separate OU for each branch. I would prefer to group users by their job
type, i.e. Officers, Tellers, win2000 servers, win2003 servers, etc. Is this
a change that is feasible? Is this a change that is doable?

Right this minute, my bottom-line is getting the 2 2003 servers to stop
using automatic update from our SUS server. Since the policy for automatic
updates is at the top of our domain, I don't know how to stop 'em.

Any advice or tools appreciated.


Thanks.
Taggert
 
Taggert said:
OK, here goes. We are a small rural bank, with 6 physical locations, a total
of 80 or so employees, and a Windows 2000 AD domain. I have Group Policies
in place at the top of our domain, that were in place when I got here.
Problem is, each branch has a mix of bank officers, tellers, and new
accounts/back office folks, each of which would ideally have different
policies in place. We also have 2 2003 Servers running proprietary software
that for whatever reason cannot use automatic updates, which I have in place
for the entire domain.

Right now everything is divided by physical location. Under our domain, we
have a separate OU for each branch. I would prefer to group users by their job
type, i.e. Officers, Tellers, win2000 servers, win2003 servers, etc. Is this
a change that is feasible? Is this a change that is doable?

If this is feasible - you have to answer for yourself. You have to
organize the directory structure to meet your organizational and management
needs - who will know it better than you? From what you are writing, you
need it to better manage your infrastructure.

Is it doable - of course, just plan your new structure of OUs and think
about it, write it on paper and think again. Plan your GPO objects and
settings. Then test it in the lab to see if it works as you expected, and as a
final step move your computer and user objects to the appropriate OUs in
the new structure.

Right this minute, my bottom-line is getting the 2 2003 servers to stop
using automatic update from our SUS server. Since the policy for automatic
updates is at the top of our domain, I don't know how to stop 'em.

You can always move these two servers to some OU and apply a new policy at
this OU level. Just remember the policy processing order, which is:
local -> site -> domain -> OU, and this will help you to resolve a lot of
such issues.

Or just stop the Automatic Updates service on these servers (which can also
be accomplished with GPO).
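
The processing order from the reply above, as an added example that is not part of any poster's message: a small Python model of why a policy linked to a servers-only OU beats the domain-level update policy. It goes one step beyond the thread by also modelling the "No Override" and "Block Policy inheritance" options, which change that outcome. The GPO names, the OU and the SUS URL are constructed; `NoAutoUpdate` and `WUServer` are the registry policy values behind the Automatic Updates settings.

```python
# Model of Group Policy precedence for one computer: local -> site -> domain -> OU.
# GPO names, the OU and the SUS URL are constructed for illustration.
from dataclasses import dataclass

ORDER = ["local", "site", "domain", "ou"]  # processing order; later levels win

@dataclass
class Link:
    level: str                 # one of ORDER
    gpo: str                   # GPO display name (hypothetical)
    settings: dict             # policy value name -> value
    no_override: bool = False  # "No Override" option on the GPO link

def effective(links, block_inheritance=False):
    """Return {setting: (value, winning GPO)}.

    block_inheritance models "Block Policy inheritance" on the computer's OU:
    site and domain links are skipped unless they are marked No Override.
    """
    result, locked = {}, set()
    for link in sorted(links, key=lambda l: ORDER.index(l.level)):
        inherited = link.level in ("site", "domain")
        if block_inheritance and inherited and not link.no_override:
            continue
        for name, value in link.settings.items():
            if name in locked:      # an earlier No Override link already won
                continue
            result[name] = (value, link.gpo)
            if link.no_override:
                locked.add(name)
    return result

# Constructed sample: domain-wide SUS policy, plus a policy on a servers-only OU.
DOMAIN_SUS = Link("domain", "Domain SUS Updates",
                  {"NoAutoUpdate": 0, "WUServer": "http://sus.example.internal"})
SERVERS_OU = Link("ou", "Win2003 App Servers", {"NoAutoUpdate": 1})

def report(links, **kw):
    return {k: f"{v} (from {g})" for k, (v, g) in effective(links, **kw).items()}

if __name__ == "__main__":
    print("OU link wins:   ", report([DOMAIN_SUS, SERVERS_OU]))
    enforced = Link("domain", DOMAIN_SUS.gpo, DOMAIN_SUS.settings, no_override=True)
    print("No Override set:", report([enforced, SERVERS_OU]))
    print("Blocked at OU:  ", report([DOMAIN_SUS, SERVERS_OU], block_inheritance=True))
```

If the domain-level link carries No Override, the OU policy silently loses, so check that option on the inherited link before concluding the new OU policy is in effect.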
 
Hello Taggert,

Thank you for posting. Also, thank you Tomasz for your kind input.

Tomasz has provided useful information for us. You may first refer to his
suggestions.

In addition, you may refer to the following link for more information about
planning and deploying Active Directory domains:

Designing the Active Directory Structure
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/deploy/dgbd_ads_heqs.asp

Windows 2000 Group Policy Reference
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/w2rkbook/gp.asp

Hope this helps.

Steven Wang (MSFT)
Microsoft CSS Online Newsgroup Support
