User and Computer OUs

Guest

At the risk of getting my head bitten off, or called stupid, can someone
explain why computer objects and user objects should be placed in separate
OUs, or at least point me to some info on this subject.
 
Ageing said:
At the risk of getting my head bitten off, or called stupid, can
someone explain why computer objects and user objects should be
placed in separate OUs, or at least point me to some info on this
subject.

Group policies you'd want to apply to one OU and not another, etc?
Order rather than chaos? I mean, you wouldn't put all your network files in
a single folder/share called "FILES" with no subfolders, right?
 
There is no requirement to do so; however, it may make it easier from an
organizing perspective. For smaller numbers of users and computers that may
not be a problem. If you have a larger number you may want to split them.
For instance, if you have a group of users and computers in the sales
department, you could create an OU called sales with child OUs of users
and computers. Group Policy could still be applied to the "sales" OU and
both the users' and computers' OUs would inherit the settings. Or you could
simply have one OU called sales and put both users and computers in it. Do
not, however, remove domain controllers from the Domain Controllers container,
in order to have consistent policy apply to domain controllers. You can,
however, create child OUs in the Domain Controllers container if you have
special Group/security policy needs for particular domain controllers. ---
Steve


"Ageing Brilliantine Stick Insect"
 
Hi Steven,

Thanks for that......much obliged.



Steven L Umbach said:
There is no requirement to do so; however, it may make it easier from an
organizing perspective. For smaller numbers of users and computers that may
not be a problem. If you have a larger number you may want to split them.
For instance, if you have a group of users and computers in the sales
department, you could create an OU called sales with child OUs of users
and computers. Group Policy could still be applied to the "sales" OU and
both the users' and computers' OUs would inherit the settings. Or you could
simply have one OU called sales and put both users and computers in it. Do
not, however, remove domain controllers from the Domain Controllers container,
in order to have consistent policy apply to domain controllers. You can,
however, create child OUs in the Domain Controllers container if you have
special Group/security policy needs for particular domain controllers. ---
Steve


"Ageing Brilliantine Stick Insect"
 
Hi Lanwench,

(I sure hope you are a girl, coz with that name, I'm getting to like you
already!!....and please accept my humble apologies for that insensitive piece
of male crassness!)

I have some order in my AD.....probably too much. Delegated administration
is not an issue - there are a couple of people here who all have full
unrestrained access to the AD, and that's not likely to change, so we don't
need to take delegated administration into account.

We have 4 divisions here, so I've created an OU for each of them. Within
each of those divisions there are a number of workgroups (bad choice of name
within an AD environment, but you know what I mean), so I have created OUs
for each of them, and put both the users in those workgroups, and the
computers they use, into those OUs as follows:

AD Root
----- Divisional OU 1
-----------Workgroup1 (users and computers)
-----------Workgroup2 (users and computers)
----- Divisional OU 2
-----------Workgroup1 (users and computers)
etc

I have left all the domain controllers in the default Domain Controllers OU,
but all our member servers are still in the default Computers container -
they have all worked since our system was set up (not by us - we just run the
thing after high-paid consultants do all the preparation), and I don't want
to break anything, so I have just left them there.
 
Ageing said:
Hi Lanwench,

(I sure hope you are a girl

I was, once, but that was back in the early Pleistocene.
, coz with that name, I'm getting to like
you already!!....and please accept my humble apologies for that
insensitive piece of male crassness!)

OK. Which other pieces of insensitive male crassness shall I then refuse to
forgive?
I have some order in my AD.....probably too much. Delegated
administration is not an issue - there are a couple of people here
who all have full unrestrained access to the AD, and that's not
likely to change, so we don't need to take delegated administration
into account

We have 4 divisions here, so I've created an OU for each of them.
Within each of those divisions there are a number of workgroups (bad
choice of name within an AD environment, but you know what I mean),
so I have created OUs for each of them, and put both the users in
those workgroups, and the computers they use into those OUs as follows

AD Root
----- Divisional OU 1
-----------Workgroup1 (users and computers)
-----------Workgroup2 (users and computers)
----- Divisional OU 2
-----------Workgroup1 (users and computers)
etc

I have left all the domain controllers in the default Domain
Controllers OU, but all our member servers are still in the default
Computers container - they have all worked since our system was set
up (not by us - we just run the thing after high-paid consultants do
all the preparation), and I don't want to break anything, so I have
just left them there.

I reckon my next question is, is this config causing you problems? What do
you need the "workgroups" for? Perhaps those are excessive....but the
departmental ones may make sense to leave in place. It's all really up to
you, and whatever sense of order your personal tech-OCD desires.
 
Another rationale you may find useful is at
http://members.shaw.ca/bsanders/WindowsGeneralWeb/HappyGPOs.htm.

When we first set up our OU structure we set it up like this:

Office (location) or (head office) department
----- users
----- groups
----- computers

However, we are now finding that, for administrative purposes and for ease
of application of GPOs, this structure is not as useful as it might be, so
we are in the process of inverting it to:

users
----- location or department
groups
----- Resource Groups for administering servers
----- Resource Groups for administering workstations
----- Role groups (various)
computers
----- servers
----------- administrative
----------- Terminal Services
----- workstations
----------- location

Whatever works in your situation is right - organise the OUs etc. to
facilitate administration and management. Not all organizations
distribute work among the support staff the same way.

For example, in our situation:
1. different people administer/manage users than, for example, administer
servers and workstations, thus we set the AD object security differently for
the users OU than for the computers OU
2. we require, for security purposes, that password resets be done only by
someone that knows the person asking for the password reset, which is
usually someone in the same location or department, thus the security on the
user accounts is different depending on office or department
3. some group memberships are critical to correct operation - e.g. who can
administer servers, so we adjust who can change group membership differently
for groups with different purposes.
4. we apply User specific GPOs to the Users OU and Computer specific GPOs to
the appropriate computers OU.

Organising the OU hierarchy helps with keeping the administration as simple
as possible commensurate with business requirements.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
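Putting Steve's inheritance point and Bruce's rules 1, 2 and 4 into one script, as an added example that is not part of the thread: it builds a Sales OU with child Users and Computers OUs, links one GPO at the parent (inherited by both children) and a computer-only GPO at the Computers child, and delegates just the Reset Password right on Sales user objects to a department helpdesk group. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain reachable from the session, and an existing group named Sales-Helpdesk (all placeholders).

```powershell
# Added example, not code from the thread. Assumes RSAT ActiveDirectory and
# GroupPolicy modules, a reachable domain, and an existing group "Sales-Helpdesk".
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=com
$salesOu  = "OU=Sales,$domainDn"

# Parent OU plus one child OU per object class (Steve's "sales" layout).
New-ADOrganizationalUnit -Name "Sales"     -Path $domainDn -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Users"     -Path $salesOu
New-ADOrganizationalUnit -Name "Computers" -Path $salesOu

# A GPO linked at "Sales" is inherited by both child OUs; a computer-only GPO
# linked at the Computers child never touches user objects (Bruce's rule 4).
$baseline = New-GPO -Name "Sales - Baseline"
New-GPLink -Guid $baseline.Id -Target $salesOu -LinkEnabled Yes | Out-Null
$hardening = New-GPO -Name "Sales - Workstation Hardening"
New-GPLink -Guid $hardening.Id -Target "OU=Computers,$salesOu" -LinkEnabled Yes | Out-Null

# Delegate ONLY password reset on Sales user objects to the department helpdesk
# (Bruce's rule 2): an extended right plus write on pwdLastSet, scoped to the
# "user" class, instead of broad write access to the OU.
$helpdesk   = Get-ADGroup "Sales-Helpdesk"                      # assumed to exist
$userClass  = [guid]"bf967aba-0de6-11d0-a285-00aa003049e2"     # schema class: user
$resetPwd   = [guid]"00299570-246d-11d0-a768-00aa006e0529"     # extended right: Reset Password
$pwdLastSet = [guid]"28630ebf-41d5-11d1-a9c1-0000f80367c1"     # attribute: pwdLastSet
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

$usersPath = "AD:\OU=Users,$salesOu"
$acl = Get-Acl $usersPath
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk.SID, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $descendents, $userClass)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk.SID, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow, $pwdLastSet, $descendents, $userClass)))
Set-Acl -Path $usersPath -AclObject $acl

# Check what was actually delegated: explicit (non-inherited) ACEs for the group.
(Get-Acl $usersPath).Access |
    Where-Object { $_.IdentityReference -like "*Sales-Helpdesk" -and -not $_.IsInherited } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Run `gpresult /r` on a Sales workstation afterwards to confirm both GPOs apply to it while a Sales user logon sees only the baseline.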


