I would think that the 1st approach may work well for a small environment.

However, for larger organizations and as you start to use GPOs and delegation, you may see that it makes more sense to create an OU hierarchy that reflects your IT administration management model. As has been said before, this makes it easier to granularly assign Group Policies and delegation of administration. As much as possible, I avoid using the GPO inheritance changing options, such as Filter GPO permission, but this is what you'll end up having to do if you take approach 1. Instead, I group objects with common management requirements and create separate child OUs. Thus, you can assign standard GPO settings at the top-level OU, and create custom GPOs and link those at the lower-level child OUs. This approach also makes your life easier when you are troubleshooting GPOs or permissions, as you are not changing the default GPO inheritance rules. Another point that I like with this approach is that it ends up as visual documentation of your management model. I call it "self-documenting", but there might be a better term out there.

Just my opinion.

Regards,
arden

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
> Sent: Thursday, March 04, 2004 10:12 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OU design quandary
>
> Mike-
>
> I think you'll want to lean towards Camp Two. Do you have a single group that handles all aspects of user account management (creation, modification, deletion, password resets, etc)? If you don't, and you put all 35,000 users in one OU, then you're going to have a bunch of IT support staff who can modify user objects outside of their areas of responsibilities. Same with workstations, servers, and anything else that you dump into one generic OU.
>
> Same thing for Group Policies. If you have a group of 1,000 users that need a specific group policy, why assign that GPO to an OU with 35,000 users and then have to filter out 34,000 of them so they don't get the GPO? Or have dueling admins in GP wars?
>
> You don't have to go crazy with an elaborate OU structure, but I think you'll quickly run into all kinds of hassles if you try the all-in-one approach.
>
> Hunter
>
> -----Original Message-----
> From: Mike Baudino [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 04, 2004 10:19 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] OU design quandary
>
> All,
>
> We are in the final stages of a global AD design for our company. The design will have two user domains -- one for North America and one for Europe -- and it will have an empty root. Each of the user domains will have approximately 35,000 users. Software distribution will be via Tivoli.
>
> Two camps have emerged regarding OU structure and there's a rather large gap between them. I'm asking for your expert and experienced input to help resolve this issue.
>
> Camp one:
> We're going to search instead of browse. So put all users in a single users OU, put all desktop machines in a single desktops OU, put all laptops in a single laptops OU, put all IIS servers in a single OU, all SQL servers in a single, etc, etc, etc. Manage by groups instead of by OU in which the object resides.
>
> Camp two:
> Regardless of whether we're going to search or browse, at some point having office hierarchy in the OU design will be helpful enough that it's necessary to build it now. Users, desktops and laptops will be grouped as child OUs to the office OUs. Servers for applications will be grouped by function and then by the , by the application suite or ASP that is responsible for the application. Allows more granular delegation and application of group policy.
>
> We have too little actual deployment and management experience in Active Directory, especially this size, to make a definitive decision so I would appreciate any and all feedback regarding the pros and cons.
>
> Thanks,
> Mike

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
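To make the "Camp Two" approach the replies argue for concrete, here is an added example (not part of the thread) that builds the office hierarchy for one office, links a standard GPO at the top-level OU and an office-specific GPO at a child OU, and delegates password resets to a help-desk group scoped to that child OU only, so default GPO inheritance does the scoping and no security filtering is needed. It assumes a domain example.com, an office named Denver and a group EXAMPLE\HelpDesk-Denver, and requires the RSAT ActiveDirectory and GroupPolicy modules plus dsacls.exe.

```powershell
# Added example (not from the thread). Assumed names: domain example.com,
# office "Denver", help-desk group EXAMPLE\HelpDesk-Denver.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName     # e.g. DC=example,DC=com
$officesDN = "OU=Offices,$domainDN"
$denverDN  = "OU=Denver,$officesDN"
$usersDN   = "OU=Users,$denverDN"

# 1. OU hierarchy that mirrors the management model:
#    Offices -> Denver -> Users / Desktops / Laptops
New-ADOrganizationalUnit -Name "Offices" -Path $domainDN  -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Denver"  -Path $officesDN -ProtectedFromAccidentalDeletion $true
foreach ($child in "Users", "Desktops", "Laptops") {
    New-ADOrganizationalUnit -Name $child -Path $denverDN -ProtectedFromAccidentalDeletion $true
}

# 2. Standard settings linked once at the top-level OU; office-specific settings
#    linked at the child OU. Normal inheritance scopes them, so no GPO security
#    filtering and no Block Inheritance is required.
New-GPO -Name "Baseline - All Offices" | New-GPLink -Target $officesDN -LinkEnabled Yes
New-GPO -Name "Denver - Users"         | New-GPLink -Target $usersDN   -LinkEnabled Yes

# 3. Delegation scoped to the child OU: HelpDesk-Denver may reset passwords on
#    user objects under OU=Users,OU=Denver and nowhere else.
#    /I:S = apply to sub-objects of the named class; CA = control access right.
dsacls $usersDN /I:S /G "EXAMPLE\HelpDesk-Denver:CA;Reset Password;user"

# 4. Verify the scoping: which GPOs reach the Denver Users OU, and is
#    inheritance still at its default (not blocked)?
$inh = Get-GPInheritance -Target $usersDN
"GpoInheritanceBlocked: $($inh.GpoInheritanceBlocked)"   # expect False
$inh.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced, Target
```

The same dsacls call run against a single 35,000-user OU would grant the help-desk group reset rights over every user, which is exactly the over-broad delegation Hunter's reply warns about.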
