RE: [ActiveDir] OUs by server function?

[Rich Milburn]

I think Windows Mag (or .Net mag or I forget what it’s called now!) had an article about using filters – they’re new with 2003 right?  What’s a good way to keep straight which GPOs are being applied to which servers though?  Vbscript-generated web reports?  Manual documentation?  OUs make it fairly obvious to tell… but I like your solution, takes care of things dynamically (since OUs aren’t dynamic). Rich PS I’m new to this list, wow I’ve been missing a lot!! From: Tony Murray [mailto:[EMAIL PROTECTED] Sent: Friday, October 31, 2003 4:03 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OUs by server function?   Why not try this approach:   Start of with a single OU for all your different server types.   Use security group filtering to (exceptionally) handle group policies that need to be applied to certain types of servers but not others (remember that computers can be members of security groups).  If you find you have to do a lot of filtering and this becomes too difficult to manage then create new OUs as required.    Here is some on-line info about scope filtering:   http://www.microsoft.com/technet/treeview/default.asp?url="">   The benefit of this approach is that you start of with a simple design and then grow it organically as required,  rather than beginning with (potentially) an over-complicated OU structure.   Tony   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Donnerstag, 30. Oktober 2003 20:37 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OUs by server function? Heh, yeah I understand those are the 2 primary criteria for creating OUs. Let me try again :-) Here's the thing, I am not sure delegation of computer objects buys you much for servers, so that leaves us with GPO. On the surface there seems to be a case to dividing them up for this purpose, but I have to wonder if the reality bears that out or not. So perhaps my question, more focused, ought to have been: for those who have done this, in reality is it practical to try to deploy GPO based on a server's role? One problem we have is that some servers share roles, and since a server cannot be in two OUs a tthe same time... I was wondering if there other similar "gotchas", and conversely if anyone has enjoyed some successes in going this route... Michael Parent MCSE MCT Analyst I - Web Services ITOS - Systems Enablement Maritime Life Assurance Company (902) 453-7300 x3456   "Tony Murray" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 10/30/2003 03:11 PM Please respond to ActiveDir                 To:        <[EMAIL PROTECTED]>         cc:                 Subject:        RE: [ActiveDir] OUs by server function? Some good questions to ask when thinking about creating an OU structure are:   1.  Will the delegation of administration be different for the various computers? 2.  Will the application of group policy be different for the various computers?   If the answer to either of these is yes, then you should consider creating separate OUs.  If not, lump them all under the same OU.   In my company, we have separate OUs for client machines and servers, because they are administered by different teams.  Administration is delegated at this OU level and is inherited by the OUs at the level below.  Beneath these OUs we have a level for applying different group policies, e.g. under the Clients OU we have something like, W2K, Lab, Legacy, etc.   Tony From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Donnerstag, 30. Oktober 2003 16:34 To: [EMAIL PROTECTED] Subject: [ActiveDir] OUs by server function? I am currently erdesigning our OU structure and was wondering: Has anyone done an OU structure that accounts for server function i.e. file and print, web, database? Was it useful? What other computer structures have you use successfully? Michael Parent MCSE MCT Analyst I - Web Services ITOS - Systems Enablement Maritime Life Assurance Company (902) 453-7300 x3456 -------APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE------- PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.