1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Need help with AD Design requirement.

Discussion in 'General Microsoft Certifications' started by Methodman85, Feb 18, 2010.

  1. Methodman85

    Methodman85 Byte Poster

    244
    6
    32
    Hello Everyone,
    Just started a new Job earlier this week and was given my first project today. I need some insite and I hope you will give my scenario a read.

    Today I was given the task of cleaning up and restructuring their entire AD structure including OUs, security groups, NTFS acls, naming conventions. They want to be able to delegate group membership control to department heads, and nest global groups within resource domain local access groups for each and every folder/resource. So incase you're not familiar with this design concept, it's like having a marketing global group, nested in a domain local group called marketingread, which is granted read only access to the marketing department folder. That means each an every top level folder, and resource will have a read, write, modify, and full control domain local access group associated with it. And then global groups added to each of them depending on requirements. Right now the acls are a total mess with individual users added to folders, random groups created, broken inheritance etc.

    Right now for the OU layout, I'm considering top level organization/department accounts, ex.

    Domain.com
    - Departments
    - IT
    - Toronto
    - Users
    - Computers
    - New York
    - Users
    - Computers
    - Sales
    - Toronto
    - Users
    - Computers
    - New York
    - Users
    - Computers


    etc

    My biggest question is where I should put the Security/Distribution Groups. Should I just dump them into a top level OU called Groups, should I break them up within that top level OU based on department and or resource, should I break them up based on Global and Domain Local?

    Any input would be appreciated.

    Thanks!
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  2. Qs

    Qs Semi-Honorary Member Gold Member

    3,081
    70
    171
    Depends how granular you want it to be. Personally I'd do exactly what you're suggesting - create a top level OU for storing Security groups and then assign permissions/users as appropriate. It's all about delegation of control, and by splitting by Department this should be relatively easy to achieve.

    HTH

    Qs
     
    Certifications: MCT, MCSE: Private Cloud, MCSA (2008), MCITP: EA, MCITP: SA, MCSE: 2003, MCSA: 2003, MCITP: EDA7, MCITP: EDST7, MCITP: EST Vista, MCTS: Exh 2010, MCTS:ServerVirt, MCTS: SCCM07 & SCCM2012, MCTS: SCOM07, MCTS: Win7Conf, MCTS: VistaConf, MCDST, MCP, MBCS, HND: Applied IT, ITIL v3: Foundation, CCA
  3. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    I'm a fan of location then sub OU's e.g.

    Main OU
    New York

    Sub OU
    Distribution Groups
    Security Groups
    Users
    Computers
     
    Last edited: Feb 18, 2010
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  4. Gingerdave

    Gingerdave Megabyte Poster

    991
    44
    74
    Thats they way we do it here, we have a UK ou which we use for to effect all users and PCS but not servers and then all the other locations as ous business units then users and computers. Seems to work well enough and is easy enough to find people as it replicates the layout of the business.
     
    Certifications: A+,MCP, MCDST, VCP5 /VCP-DV 5, MCTS AD+ Net Inf 2008, MCSA 2008
    WIP: MCSA 2012
  5. Methodman85

    Methodman85 Byte Poster

    244
    6
    32
    Hey Craigie,
    If you do it like that, where do you put the security and distribution groups that span all locations?
    And what do you do if the head of marketing wants to manage their own group?

    Which brings up another question I can't remember at the moment that I was going to test today. Does the security group need to be within the OU that's delegated control? Like if the head of marketing wants to manage the marketing global group, do you have to delegate control over an OU that contains the marketing global group as well as each marketing user account?
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  6. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    You need to think carefully about what your requirements are as you really don't want to put in place deny inherit permissions.

    The Global Settings would need to be in an OU by themselves and you need to make sure they are truly global and then have the locations OU's under these in either a sub OU or just higher in name order e.g.

    ~Global Settings
    New York
    Toronto

    Nah mate, the Security Group/User can be anywhere to delegate control off an OU to it.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  7. Methodman85

    Methodman85 Byte Poster

    244
    6
    32
    But isn't the user delegated control of the objects within an OU? So wouldn't the object need to be in an OU in which they have been delegated control of?

    Say I have marketing Global security Group, that's not in the Marketing OU, and I delegate control of the Marketing OU to the Marketing manager. That manager would be able to add users from anywhere in the domain to the Marketing global security group correct?

    Is there any way to limit who the marketing manager can add to the Marketing security groups?
     
    Last edited: Feb 18, 2010
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  8. Methodman85

    Methodman85 Byte Poster

    244
    6
    32
    Hey Qs, thanks for your response. In terms of the Top level OU for storing Security groups, would you take it to another level and great OUs for Domain Local, Global, Universal?

    It might be good to keep them seperate since the domain local groups will be assigned to a specific resource, and the global groups will represent department users.

    What do you think? Would you break them up in another way perhaps?
     
    Certifications: MCTS, MCSE, MCSA:M, CCNA, MCDST, N+
    WIP: 70-680
  9. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    You can have a 'root' OU which I just call the company name, in there you have origanisation wide GPOs etc. and you can delegate permissions to the whole of the organisation if needed.

    Within that OU you can have child OUs for location and assign GPOs\delegated permissions on a location basis.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010

Share This Page

Loading...