Organization Units


Lars

Is it possible to convert an Organization Unit(s) in Active Directory to one
that has its own group policy attributes? (Currently, I have a few that
are just "folders" w/o properties.) I would like to separate "Computers"
into two separate Organizations. Some are VPN clients and don't require the
same group policies as those that are in the office. If it can't be changed
over, is it safe to create new ones and "move" items to it? Will this be
tracked by the Active Directory? I tried something like this a few months
ago where I tried to separate out the "groups" from the users and have two
separate OUs. Directory security went out of whack. Thanks.

~Lars
 
Howdy, Lars.

I guess that you are asking about the COMPUTER
container? This is the default location in WIN2000 when
a computer object is created. Please bear in mind that
this is actually a CONTAINER and not an Organizational
Unit. In fact, by default the only OU initially created
is the Domain Controllers OU. The others are simply
Containers. FYI - A container is a subset of an OU.

Here is what you can do: Create an Organizational Unit.
Call it "Office Computers". Create a second
Organizational Unit. Call it "VPN Clients". Please feel
free to name them whatever makes sense to you and your
naming scheme. These are just suggestions. Then, go to
the COMPUTERS container and simply move the computer
objects to the appropriate OU ( either Office Computers
or VPN Clients ). You can do this by right clicking each
object, select MOVE and then navigate to the appropriate
OU.

Yes, this will be 'tracked' by Active Directory. The
Distinguished Name of each object would be changed to
reflect its new location. The "old" Distinguished Name
of a computer object named MPG2000 located in the
COMPUTERS Container for the 'YOURDOMAIN.COM' domain would
be 'DN: CN=MPG2000,CN=Computers,DC=Yourdomain,DC=Com'.
If you moved that computer object into the "Office
Computers" Organizational Unit then its new Distinguished
Name would be 'DN: CN=MPG2000,OU=Office
Computers,DC=Yourdomain,DC=Com'. Notice how this is
different?

Now, I am not sure how you are going to move the computer
objects of the VPN clients. Are these VPN Users taking
an office-supplied laptop out and about ( aka Road
Warriors ) or are these VPN Users simply people who sit
at home at their own personal computer, have the
necessary 'VPN' Software installed and work from home?

GPOs are applied according to the following pecking
order: local, Site, Domain, OU, sub-OU. You can create a
GPO and link it to just about anywhere. Typically,
however, most people are going to create a GPO and apply
it at either the domain- or OU-level.

Let's focus on the OU. You can create an OU and have GPO
install Office XP either to the user configuration or to
the computer configuration. Remember that GPOs consist
of a computer-side and a user-side. Essentially, there
are two halves. You can disable one "half" of the GPO
with no adverse effects ( assuming that you do this
correctly; it is generally suggested to not do this until
you are very proficient with GPOs ). Furthermore, you
can create a GPO ( it is linked to the OU - aka location -
where it was created ) and then link it to other
locations ( like another OU ). That is quite simple.

Now, security groups are not really in the picture.
However, they can be used to filter GPOs. By default,
the group 'Authenticated Users' is given the "Read"
and "Apply Group Policy" rights. This group pretty much
consists of everyone and everything in that OU ( user
objects and computer objects ). If you created that GPO
to install Office XP to the user-configuration, for
example, and linked it to a certain OU and that OU was
populated by 100 user objects but you wanted only 70 of
those user objects to get Office XP then you could create
a Security Group ( call it "Office XP via GPO" or
whatever ), populate that group with the 70 user objects
and then simply remove the 'Authenticated Users' group
and replace it with 'Office XP via GPO'. Apply
the "Read" and "Apply Group Policy" to the 'new' group
and away you go....Only those particular 70 user objects
would get Office XP the next time they logged off and
then back on. Let's just assume that you could not
create a new OU and move those particular 70 user objects
to that newly created OU due to your organizational set
up ( there are several other GPOs applied to that OU, for
example, and linking those GPOs to the newly created OU
would be too much of a pain! ).

I am not sure what you mean by 'Directory Security went
out of whack'?

HTH,

Cary
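As an added illustration (not part of Cary's post or the thread), the same steps in PowerShell: moving MPG2000 out of the Computers container and watching its DN change, then scoping a GPO to a security group instead of Authenticated Users. It assumes the RSAT ActiveDirectory and GroupPolicy modules and the Yourdomain.Com names from the post; the GPO and group names are made up for the example.

```powershell
# Added example: PowerShell version of the OU move and GPO filtering steps.
# Assumes the ActiveDirectory and GroupPolicy RSAT modules and the domain
# DC=Yourdomain,DC=Com / computer MPG2000 used in the post.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=Yourdomain,DC=Com'
$officeOU = "OU=Office Computers,$domainDN"

# 1. Create the two OUs. The built-in Computers container is not an OU, so
#    a GPO cannot be linked there; the objects have to move into real OUs.
New-ADOrganizationalUnit -Name 'Office Computers' -Path $domainDN
New-ADOrganizationalUnit -Name 'VPN Clients'      -Path $domainDN

# 2. Move one computer object and compare its Distinguished Name.
$before = (Get-ADComputer -Identity 'MPG2000').DistinguishedName
# $before is CN=MPG2000,CN=Computers,DC=Yourdomain,DC=Com
Move-ADObject -Identity $before -TargetPath $officeOU
$after = (Get-ADComputer -Identity 'MPG2000').DistinguishedName
# $after is CN=MPG2000,OU=Office Computers,DC=Yourdomain,DC=Com

# 3. Create a GPO and link it only to the office OU; machines in
#    'VPN Clients' never process it, which is the separation Lars wants.
$gpo = New-GPO -Name 'Office Proxy Settings'   # constructed name
New-GPLink -Name $gpo.DisplayName -Target $officeOU

# 4. Security filtering: grant Apply to a group instead of Authenticated
#    Users. Authenticated Users keeps Read (without Apply): since MS16-072
#    the computer account must be able to read a GPO or it will not apply.
New-ADGroup -Name 'Office XP via GPO' -GroupScope Global -Path $officeOU
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Office XP via GPO' `
    -TargetType Group -PermissionLevel GpoApply

# 5. Verify which principals can actually apply the GPO.
Get-GPPermission -Name $gpo.DisplayName -All |
    Where-Object { $_.Permission -eq 'GpoApply' }
```

Run step 5 after any filtering change; an empty result means nobody will receive the policy.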
 
Hi Cary,

Thank you very much for such a comprehensive reply to my post. You've
provided a lot to digest. I've administered the Active Directory for some
time, and I am starting to learn more about GPO. Your comments are very
helpful.

You were asking about my VPN users. They have computers that are domain
members and have the VPN client software installed. They are connected to
the office anytime they have an internet connection. The reason for
separating them out, is that I don't want to apply proxy settings and some
other GPO settings to their (off premises) computers.

The other item you asked about was my comment concerning directory security.
I created an OU called "Groups". Then moved all my groups to that location.
I simply wanted to separate users and groups. After doing so, there were
difficulties browsing directories in the domain. So without hesitation I
moved everything back to its original location and the problem was gone. I
will tinker with this a little more with some testing.

Thank you again!!

Regards,
~Lars
 
Lars,

Glad to be of help. I hope that it was not too much.
There is just so much involved and the deeper you get into
it the more overwhelming ( at first ) it seems.

I do not do too much with VPN so I might not be up to speed
entirely on how this works.

Anyway, I would be a bit surprised if moving the Group
objects from, say, the USERS container to an
Organizational Unit messed too much with Security ( read:
folder access ). Again, the DN would change ( see my
previous post ) but that should not have too much of an
effect. You most probably did the right thing, though.
Something was working, you changed that something somehow,
something appears to not work correctly anymore, change
that something back to how it was.

Do you have the option of creating a test environment and
looking into this further? If I have the time I might
look into this as this would be news to me. I ass/u/me
that we are talking about both Share and NTFS permissions
to shared folders, correct?

HTH,

Cary
 
Hi Cary,

No, it wasn't too much information. It was great! Clear and understandable.

I have in the past created test environments, and each time I do the
equipment gets sucked into production environment shortly after because of
demand. I know it's the right thing, but I had given up on it for a while.
The share and NTFS permissions were indeed what was affected. I am going to
try this move of objects again with just a limited number of items. Again,
thank you for your input.

~Lars
 