Active Directory Design

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hello All,

I'm new to this so please bear with me. I have been given an exercise to design a user and group structure in Active Directory for a made up company with the following info.
Managing Director x1
Sales Manager x1
Purchasing Manager x1
Accounts Managerx1
Sales Staff x4
Purchasing Staff x4
Accounts Staff x4.

16 users in all. How would I go about organizing this when they all have difference requirements for software installation, access to certain files, ect?
The managers need access to all files within their respective departments with the MD having access to all files. I understand that ill have to apply a different GPO to specify which users get what software but does that mean separate OU's for each manager, and users since not all users require the same software as the others?

Thanks for any info

Tom.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

A different OU for every manager or user wouldnt scale very well in a large business! How about doing it by department.

 

So if I have a separate OU for the MD, sales, purchasing and accounts and within each them have two global groups, one for staff and one for managers. If a GPO applied to say the sales OU, would this affect all users in that OU no matter which group they are in?

 

I think your getting groups and ou's mixed up buy yes if you applied a gpo to an OU it would affect anything within that OU unless you explicitly set it not to inherit the settings.

Best thing to do is if you have a PC/laptop with ok spec is create a virtual machine and install Windows server with AD in it. That way you can do all this for real(ish)

 

Think of it this way, GPOs apply to organizational units. The GPOs can be applied to users and computers in the OUs to restrict/apply settings, deploy packages, scripts etc. User Groups for example are good for applying permissions. For example a security group can be given permission to a folder where only the users in that group can have access... Depending on that type of requirement, you have to build your AD environment accordingly. One thing to note, you can do these changes in more than just one way and have the same result, you just need to figure out the most efficient way to do it.

 

Thanks for all the info guys, I think I understand it now! Reading a Microsoft book on managing servers makes it seem soo much more complicated than it is, maybe its the way they word it. I already have a few xp machines on virtual, so Ill install a virtual server also as I can get windows server off MSDN .