Organizational Units

Andrew

I was told I do not know anything about Active Directory
because I added an OU to organize users to implement group
policy. I created a separate OU and put users into it so
that I could apply group policy to them. I just wanted to
map the home directory and add Log Off to their Start menu.
My domain is a child domain in a forest. I did not use
Block Inheritance, so I do not see how the following
response is true.

"Who is making changes on your Domain? All user containers
have been moved to another user container without security
and policy changes.

So the person who did this knows nothing about Active
Directory administration.

You can call Andrew or whoever and ask him to fix this
problem; it will cause many problems for all your regular
users (not in the IT and Administrative groups).
Also it will prevent all your users from accessing the
Israel Network, including the terminal server and other
network shares.

All *domain* Israel Network resources will be unavailable
for your users until this issue is solved.

For more information call me."

Can someone explain this? I don't get what you have to set
up security-wise; does it not inherit security info from
top-level containers?
 
Andrew,

You do know a little bit about Active Directory!

There, now you should be even ;-)

Someone has told you that you know nothing about AD and now someone has told
you that you know something about AD!

No, kidding aside.....

It sounds like you are doing the right thing. You create an Organizational
Unit and place either user account objects and /or computer account objects
in that OU so that you can better manage your environment. You can then
create a GPO and link it to that OU so that all ( or, if you are using
Security Groups to filter the GPO, some ) of the user account objects /
computer account objects in that OU are affected by that GPO. I believe
that the proper technical term is that they 'fall under the influence of
that GPO'.....

However, I might ask you if you meant using a GPO to redirect the users' My
Documents folder? You stated that you want to map their home directory.
This is usually done via the ADUC MMC with each user account object, where
you enter \\servername\users\%username% - assuming that you are using the
*typical* shared folder of 'Users'....

Also, you need to know that you *USUALLY* do not link a GPO from one Domain
to an OU ( remember, there are three other possible places to which you can
link a GPO ) in another Domain. Technically speaking, you can, but it is not
advised. For example, the parent domain has implemented a GPO whereby
access to the Display tab is restricted for certain users. Let's say that
they created an OU called 'limited users' ( where they have created the
following OUs: limited users, power users and admin users, for example ) and
moved all of the appropriate user account objects from the default container
'users' ( remember that this is a container and that you cannot create a
new GPO and link it to a container! ) to that OU. They create the GPO and
link it to the 'limited users' OU. Well, the GPO does indeed exist as an
object and can be linked to other locations. Typically you would be best
served by keeping those 'other locations' within that specific Domain ( the
parent domain ). In the case where there are sub-Domains it is usually
recommended that you create this GPO and link it at the appropriate level.

Now, if I were you I would question the individual who stated that "all
users have been moved from one container to another container without
security and policy changes".

First of all, you have moved the user account objects from a container to an
Organizational Unit. An OU is not a container. A container is a sub-set of
an OU.

Second of all, I am not sure what he/she means by the 'without security and
policy changes' statement. As long as your user account objects are within
the domain ( as silly as that might sound ) they will be subjected to the
Default Domain Policy ( and the Domain Security policy ). There is one way
that this could be avoided - and you have specifically stated that you have
not checked the 'Block Inheritance' check box.

Since we really do not know the layout of your organization we cannot
really answer your question.

HTH,

Cary
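The procedure the thread describes (create an OU, move users into it, link a GPO to it, set the home directory as the ADUC Profile tab does, and confirm Block Inheritance is off) as an added PowerShell example; it is not code from either poster. It assumes the RSAT ActiveDirectory and GroupPolicy modules, an OU named 'Mapped Users', a file server FS01, a filtering group GPO-MappedUsers and the sample accounts alice and bob, all of which are constructed names to adjust for your environment.

```powershell
# Added example, not from the thread. Assumed names: OU 'Mapped Users',
# GPO 'Home Drive and Logoff', group 'GPO-MappedUsers', file server FS01,
# sample users alice and bob. Run in the child domain you administer.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn    = (Get-ADDomain).DistinguishedName   # the child domain's DN
$ouName      = 'Mapped Users'
$ouDn        = "OU=$ouName,$domainDn"
$gpoName     = 'Home Drive and Logoff'
$filterGroup = 'GPO-MappedUsers'                  # assumed security group
$sampleUsers = @('alice', 'bob')                  # constructed sample list

# 1. Create the OU in this domain (protected against accidental deletion).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Move the chosen users from the default 'Users' container into the OU.
#    The default container cannot have a GPO linked to it; the OU can.
$users = Get-ADUser -Filter * -SearchBase "CN=Users,$domainDn" -SearchScope OneLevel |
         Where-Object { $_.SamAccountName -in $sampleUsers }
foreach ($u in $users) {
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $ouDn
}

# 3. Create the GPO and link it to the OU in the *same* domain.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Maps H: and shows Log Off on the Start menu' | Out-Null
}
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. Optional security filtering: only $filterGroup members apply the GPO.
#    Authenticated Users keep Read so the GPO can still be read at logon.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpoName -TargetName $filterGroup -TargetType Group -PermissionLevel GpoApply

# 5. Home directory per user, as entered on the ADUC Profile tab.
foreach ($u in $users) {
    Set-ADUser -Identity $u -HomeDrive 'H:' -HomeDirectory "\\FS01\Users\$($u.SamAccountName)"
}

# 6. Verify inheritance is NOT blocked, so the Default Domain Policy still
#    reaches these users; list what the OU inherits from above.
$inh = Get-GPInheritance -Target $ouDn
"Block Inheritance on '$ouName': $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced
```

Step 6 is the check that answers the quoted complaint: with GpoInheritanceBlocked reporting False, moving users into the OU removes no domain-level policy or security setting.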
 
Thank you for your reply. It has been most helpful. All I
wanted to do is map My Documents to the SAN and add the Log
Off option on the Start menu so that when I got to a user's
workstation I could easily see who was logged in. I opened
Active Directory Users and Computers. I right-clicked and
chose create new OU. I then set up the 2 policies, then I
right-clicked on the users I wanted to be part of that OU
and chose Move. Everything worked perfectly! Things were
good for a month. Then yesterday, one user could not see
the parent domain names in their address book. Turns out
one of the other admins changed the admin password for the
child domain and did not tell the top-level domain person.
I felt the issues were more to do with that than my OUs.

I have done group policy for some time this way, by
creating OUs and applying group policy and adding users
and/or computers, as in the case where I set up Software
Update Services and added the computer objects to that OU.
So, that is why this guy threw me off. It did not make
sense. So I am just looking for answers so that if I was
wrong I can admit it. I did not think creating an OU in
the domain that I control would stop users from getting to
the Israel network.

Again, thank you so much for your reply. :) I thought I was
just doing basic creation of an OU to organize and apply
group policy and not screwing up the whole network. The
fact that it was fine for a month with not one problem did
not add up to me. The fact that another admin changed the
domain admin password without telling anyone was perhaps
a cause? He changed it because another admin left the
company.
 