ou and domain global groups delegation?

  • Thread starter Thread starter g
  • Start date Start date
G

g

Hello,
I would appreciate some input. I have a multi site ad domain that has
local tech representitives and a core helpdesk/desktop/server team at the
main office. I would like the local techs to add remove
users/computers/groups, passwords etc in their own ou's. So my ous would
be based on offices.

mydomain.com
-------main_office
-------branch1
-------branch2


I would also like them to add users to domain global groups as well.
should i move my domain global groups from main_office to another ou and
delegate to all the tech reps?

mydomain.com
--------global_groups (delegate to all remote and main office techs)
---obj-corp_role1
---obj-corp_role2
--------main_office (delegate certain rolls for desktop techs)
---users/globalgroups
---desktops
--------branch1 (delegate to tech from branchoffice1)
---users/groups
---desktops
--------sensitive_global_groups (that i dont want delegated)
---obj-domain_admins
---obj-enterprise_admins


or should i just keep all my global/univ groups in the main office ou and
add/remove users for the other offices?


Or configure my groups something
like this mydomain.com -------global_groups --delegate to helpdesk
--main_office
--branch1 --delegate to branch1 tech
--branch2 --delegate to branch2 tech
-------main_office
--users
--desktops


Thank you for any input on best way to do this.
 
Hello

there is few common ways to desgin AD

by location or by department, or both

Like

Domain.local
New-York
Sales Department

Domain.local
Building43
Sales Department

//Christoffer Anderssson
 
There are a lot more ways than that...

- Geografi
- Role/Function
- etc....

What it all comes down to is to find a design that's good for your
administration. I've seen many different approaches to AD design, it's up to
the individual company to find a good one.

Regards,
/Jimmy
 
Yes of course it is, this was just few basic exampels,

some thing i have hold on to makeing Directory Services Desgin is to keep
Computer Accounts away from Users Account like

Sales
Users
Computers

Because GPO comes in that two configration ways, but anyway you can filter
it out..

Gonna watch Technet Live on monday :D



take care
 
Thanks for the input. I will do some more research to see what fits best
for my company.
thanks again
 
LOL! I just re-read my post... I mixed Swedish and English... :)
It's suppose to say geography, not Geografi....

Regards,
/Jimmy
 
Hehe, i understand anyway=)
Have you been working with AD sinec it come out?
yeah i will gladly come annd say hi if there is time for that=)

//Christoffer Andersson
 
Back
Top