Though my AD is smaller in scale, maybe this would help. I have an AD with 700 OU's where the OU's are defined by business unit. For example, We have a Southwest division, inside Southwest there is Los Angeles, San Diego, etc. and inside San Diego there are all the business units in San Diego.
This has proved to be very easy for management with everything grouped in this fashion. Each OU holds the users, groups, etc. for that particular OU and delegation is set so that a local OU Admin can manage the entire OU without the central office having to get involved for things like user management, etc. Of course the central office can also manage individual OU's as well. I had previously tried an approach similar to what you described in "Camp One", but decided personally I didn't want to implement and manage in that fashion. r/ Lou -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino Sent: Thursday, March 04, 2004 12:19 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] OU design quandary All, We are in the final stages of a global AD design for our company. The design will have two user domains -- one for North America and one for Europe -- and it will have an empty root. Each of the user domains will have approximately 35,000 users. Software distribution will be via Tivoli. Two camps have emerged regarding OU structure and there's a rather large gap between them. I'm asking for your expert and experienced input to help resolve this issue. Camp one: We're going to search instead of browse. So put all users in a single users OU, put all desktop machines in a single desktops OU, put all laptops in a single laptops OU, put all IIS servers in a single OU, all SQL servers in a single, etc, etc, etc. Manage by groups instead of by OU in which the object resides. Camp two: Regardless of whether we're going to search or browse, at some point having office heirarchy in the OU design will be helpful enough that it's necessary to build it now. Users, desktops and laptops will be grouped as child OUs to the office OUs. Servers for applications will be grouped by function and then by the , by the application suite or ASP that is responsible for the application. Allows more granular delegation and application of group policy. We have too little actual deployement and management experience in Active Directory, especially this size, to make a definitive decision so I would appreciate any and all feedback regarding the pros and cons. Thanks, Mike ******************* PLEASE NOTE ******************* This E-Mail/telefax message and any documents accompanying this transmission may contain privileged and/or confidential information and is intended solely for the addressee(s) named above. If you are not the intended addressee/recipient, you are hereby notified that any use of, disclosure, copying, distribution, or reliance on the contents of this E-Mail/telefax information is strictly prohibited and may result in legal action against you. Please reply to the sender advising of the error in transmission and immediately delete/destroy the message and any accompanying documents. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
