If you use group filtering in this way, it is recommended not to use Deny. Instead
use positive filtering. To do this, remove the Authenticated Users group from the ACL
and then add the groups you want it to apply to using Apply Group Policy.
Another approach would be to create an OU layer for delegation of administration, e.g.
User, Computer, etc. and then have OUs at a level below these for the application of
group policy. For example, under the Branch->Users OU you could have OUs called
General, Lab, VIP, etc.
Someone else made a point about separate OUs for workstations and laptops. This is
certainly an option, but there may be a way to avoid this by using WMI filtering in
the GPO. For example, WMI can identify the chassis type of the machine. Based on
this information you could filter the GPO based on whether the chassis corresponds to
a laptop or workstation.
Tony
---------- Original Message ----------------------------------
Date: Tue, 10 Jun 2003 00:04:25 -0400
I'm interested in feedback on the following OU and GPO design.
Simple OU structure, something like:
|--Branches
|--Users
|--Computers
The "Users" OU would hold around 5000 users and the "Computers" OU an equal
amount of workstations and servers.
GPOs would be created for the users and linked to the OU, but only applied
to certain global groups that the users would be members of. Similar for
the computers. There would be an "All Users" and "All Computers" GPO with
global settings, then more granular GPOs for departmental specific settings.
Almost all administration would be done centrally, so there should be
little need for delegation.
This seems like it should be simple and effective, but we haven't tried it
real-world, so I'm curious if people have any thoughts on possible
gotchas, issues, etc.
--
David
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
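The positive security filtering recommended in the reply at the top of this thread, scripted with the GroupPolicy PowerShell module. This is an added example, not code from either poster: the function name, GPO name and group name are hypothetical. It also assumes Authenticated Users should keep Read (without Apply), because on current Windows user policy is read in the computer's security context and the computer account needs Read on the GPO.

```powershell
#Requires -Modules GroupPolicy

function Set-GpoPositiveFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $GpoName,       # display name of an existing GPO
        [Parameter(Mandatory)] [string[]] $ApplyToGroup   # groups that should receive the GPO
    )

    # Stop before touching any ACL if the GPO name is wrong.
    $null = Get-GPO -Name $GpoName -ErrorAction Stop

    if (-not $PSCmdlet.ShouldProcess($GpoName, 'Switch to positive security filtering')) {
        return
    }

    # 1. Grant Read + Apply Group Policy to each target group first, so the
    #    GPO never passes through a state where it applies to nobody.
    foreach ($group in $ApplyToGroup) {
        Set-GPPermission -Name $GpoName -TargetName $group -TargetType Group `
            -PermissionLevel GpoApply -ErrorAction Stop | Out-Null
    }

    # 2. Take Apply away from Authenticated Users but leave Read.
    #    -Replace is required: without it an existing higher permission
    #    (Apply) is not lowered to the requested level.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace -ErrorAction Stop | Out-Null

    # 3. Return the resulting ACL so the change can be reviewed or logged.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# Constructed names for illustration; -WhatIf validates the GPO name and
# reports the intended change without modifying any permissions.
Set-GpoPositiveFilter -GpoName 'Dept - Finance Users' `
    -ApplyToGroup 'GG-Finance-Users' -WhatIf
```

No Deny entry is created at any point, so effective scope can be read directly from the list of trustees holding GpoApply.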