Need help with AD Design requirement.

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hello Everyone,
Just started a new Job earlier this week and was given my first project today. I need some insite and I hope you will give my scenario a read.

Today I was given the task of cleaning up and restructuring their entire AD structure including OUs, security groups, NTFS acls, naming conventions. They want to be able to delegate group membership control to department heads, and nest global groups within resource domain local access groups for each and every folder/resource. So incase you're not familiar with this design concept, it's like having a marketing global group, nested in a domain local group called marketingread, which is granted read only access to the marketing department folder. That means each an every top level folder, and resource will have a read, write, modify, and full control domain local access group associated with it. And then global groups added to each of them depending on requirements. Right now the acls are a total mess with individual users added to folders, random groups created, broken inheritance etc.

Right now for the OU layout, I'm considering top level organization/department accounts, ex.

Domain.com
- Departments
- IT
- Toronto
- Users
- Computers
- New York
- Users
- Computers
- Sales
- Toronto
- Users
- Computers
- New York
- Users
- Computers


etc

My biggest question is where I should put the Security/Distribution Groups. Should I just dump them into a top level OU called Groups, should I break them up within that top level OU based on department and or resource, should I break them up based on Global and Domain Local?

Any input would be appreciated.

Thanks!

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Depends how granular you want it to be. Personally I'd do exactly what you're suggesting - create a top level OU for storing Security groups and then assign permissions/users as appropriate. It's all about delegation of control, and by splitting by Department this should be relatively easy to achieve.

HTH

Qs

 

I'm a fan of location then sub OU's e.g.

Main OU
New York

Sub OU
Distribution Groups
Security Groups
Users
Computers

 

Thats they way we do it here, we have a UK ou which we use for to effect all users and PCS but not servers and then all the other locations as ous business units then users and computers. Seems to work well enough and is easy enough to find people as it replicates the layout of the business.

 

Hey Craigie,
If you do it like that, where do you put the security and distribution groups that span all locations?
And what do you do if the head of marketing wants to manage their own group?

Which brings up another question I can't remember at the moment that I was going to test today. Does the security group need to be within the OU that's delegated control? Like if the head of marketing wants to manage the marketing global group, do you have to delegate control over an OU that contains the marketing global group as well as each marketing user account?

 

You need to think carefully about what your requirements are as you really don't want to put in place deny inherit permissions.

The Global Settings would need to be in an OU by themselves and you need to make sure they are truly global and then have the locations OU's under these in either a sub OU or just higher in name order e.g.

~Global Settings
New York
Toronto

Nah mate, the Security Group/User can be anywhere to delegate control off an OU to it.

 

But isn't the user delegated control of the objects within an OU? So wouldn't the object need to be in an OU in which they have been delegated control of?

Say I have marketing Global security Group, that's not in the Marketing OU, and I delegate control of the Marketing OU to the Marketing manager. That manager would be able to add users from anywhere in the domain to the Marketing global security group correct?

Is there any way to limit who the marketing manager can add to the Marketing security groups?

 

Hey Qs, thanks for your response. In terms of the Top level OU for storing Security groups, would you take it to another level and great OUs for Domain Local, Global, Universal?

It might be good to keep them seperate since the domain local groups will be assigned to a specific resource, and the global groups will represent department users.

What do you think? Would you break them up in another way perhaps?