Marbet,
Without much more information it is very difficult to advise you as to the
'best way' to proceed. This is often very different in each organization.
OUs are used to facilitate the management of your environment (mainly your
users and computers as well as Group Policies). OUs can also be used in
lieu of creating child domains. But again, that all goes back to managing
your environment.
Are you going to use Group Policy for anything? If yes, for what?
I typically create an OU called 'Departments' and then create sub-OUs for
'Accounting', 'Marketing', 'Finance', etc. I then create another OU called
PCs (at the same level as 'Departments') and create two sub-OUs: one
called 'WIN2K' and one called 'WINXP'. If there are any WINNT 4
workstations then I would create a 'WINNT' sub-OU. However, the reason that
I do this is due to the way I use GPOs. I like to use GPO to install Office
2000 and Office XP. Granted, this is very limited but I am using this as
the example here. There are many other things that I like to do. I also
like to make use of the .mst transform files so that different departments
get different office apps. Marketing, for example, gets PowerPoint along
with Word, Excel and Outlook whereas Finance gets Access along with Word,
Excel and Outlook. I create a standard Office 2000 GPO including Word,
Excel and Outlook. This is linked to the 'Departments' OU. I then create
two other GPOs - one for Marketing and one for Finance and link those
specifically to the proper OU.
Naturally, this does not 'fit' each and every organization. For some it is
more based on geography! We have a client that has four locations. Thus, I
have created an OU structure based on the geographic location. So, I have
an OU called 'Offices'. Inside this I have created a 'Roanoke', a
'Blacksburg', a 'Richmond' and a 'Raleigh' sub-OU. Most of the stuff is
linked to the 'Offices' OU so that it applies to everyone. However, if
there is something specific to Roanoke then I create a GPO and link it only
to the Roanoke sub-OU. Naturally, all of the user accounts are in the
appropriate OU. So, if you are Mary Smith and you work in Roanoke then your
user account is in the Roanoke sub-OU. If you are Tom Jackson and you work
in Richmond then your user account is in the Richmond sub-OU.
Just a little aside - you may have heard about security groups and GPOs.
You do not apply GPOs to security groups. What you do is create a GPO, link
it to an OU and then use security groups to filter that GPO. An example.
Say that you have an OU called 'Executives'. Let's say that you create
some GPO that is to be applied to 'Executives'. Furthermore, there are only
some 35 user accounts in the 'Executives' OU. Here comes a stipulation:
everyone except Bob, Mary and Charlie is to be affected by this specific
GPO. Those Top 3 executives should not be bothered with this. Let's say
that you have several other GPOs already in place and rearranging your OU
structure is not an option. Simply create a security group, make those 32
user accounts a member - that would be all of the executives EXCEPT Bob,
Mary and Charlie and use this security group as the filter. Simply delete
the 'Authenticated Users' group in the Security Tab and replace it with this
security group. Add 'Read' and 'Apply Group Policy' rights and there you
go....
Does this help you?
If you provide some additional information we will be more than glad to give
you our ideas and thoughts.
Cary
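
The security-filtering steps from the post above, as an added PowerShell example (not part of the original post). The domain, OU path, GPO name, group name and account names are assumptions. It differs from the post in one respect: on systems patched with MS16-072 the GPO must stay readable by computer accounts, so 'Authenticated Users' is reduced to Read here instead of being deleted.

```powershell
# Added example. Every name below (domain, OU, GPO, group, accounts) is assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ouDn      = 'OU=Executives,DC=example,DC=com'
$gpoName   = 'Executives Policy'
$groupName = 'GPO-Executives-Apply'
$excluded  = 'bob', 'mary', 'charlie'   # sAMAccountNames of the exempt users

# Stop early if the GPO does not exist.
Get-GPO -Name $gpoName -ErrorAction Stop | Out-Null

# Create the filter group in the OU if it is not there yet.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global `
                -GroupCategory Security -Path $ouDn
}

# Everyone directly in the OU except the exempt accounts, skipping
# users already in the group so the script can be re-run.
$current = @(Get-ADGroupMember -Identity $groupName |
             Select-Object -ExpandProperty SamAccountName)
$toAdd = @(Get-ADUser -SearchBase $ouDn -SearchScope OneLevel -Filter * |
           Where-Object { $excluded -notcontains $_.SamAccountName -and
                          $current  -notcontains $_.SamAccountName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $groupName -Members $toAdd
}

# Security filtering: only the new group gets Read + Apply Group Policy.
# -Replace is required to lower an existing, higher permission level.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpoName -TargetName $groupName `
                 -TargetType Group -PermissionLevel GpoApply

# Check 1: the resulting ACL on the GPO.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Check 2: no exempt account reaches the group, even through nesting.
$leak = @(Get-ADGroupMember -Identity $groupName -Recursive |
          Where-Object { $excluded -contains $_.SamAccountName })
if ($leak.Count -gt 0) {
    Write-Warning ("Exempt accounts in filter group: " +
                   ($leak.SamAccountName -join ', '))
}
```

Run `gpresult /r` as one included and one exempt user afterwards to confirm the GPO appears under applied or filtered-out objects as expected.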