Thanks for the replies and sorry about my delay posting more. Conference
calls and meetings are sucking up lots o' time.

We do have a fairly centralized administration team in that user
administration, helpdesk, provisioning, and deskside support have been
outsourced globally. They'll have a staff in North America and a staff in
Europe. Our link to Europe isn't robust enough to support having a single
user domain across the Atlantic, thus why we have a European domain and a
North American domain. However, those of us not outsourced are considering
ourselves to be the "managers" of Active Directory. We create the OU
structure, GPOs, troubleshooting of things, group creation, ACLing, etc.
The staff performing this function is very decentralized but we're working
with a common framework in place.

Software distribution will not be done via GPO.

I liked the "self-documenting" statement below.
I also liked Hunter's comments regarding GPO. Got them on that one.

OK, I'll fess up. I'm definitely in Camp 2. I see no benefit at all to
lumping all users into a single OU. As long as we don't get absurd with
the number of OUs and work out a logical rationale for how we're going to
break down the structure I believe that it creates a superior design. Yes,
it will be a bit more work, especially in provisioning. When a user is
created or moves from one office to another (permanently) we'll have to
move some things around. The people in the project in North America are
all in Camp 2. Our European counterparts are in Camp 1. Not at all sure
why. I don't believe it's cultural. Maybe Microsoft in Europe? Our
design was reviewed and "blessed" by Microsoft a while back. They've had
Microsoft in recently and changed their position and said simpler is
better. Can't get much more simple than they have it.

Our CEO is requiring "site transparency". Our belief is that we will
accomplish this via GPOs linked to sites to enable and define printing to
local printers in each office and that office's "group share" (if any). We
believe that if we create an OU structure that matches the sites then we'll
be able to make it much easier to create and maintain the site GPOs. Or
even if we do this by logon script (not linked to site) then having the OU
structure in place will still make this a lot easier.

Lastly, the staff around to manage this will be minimal. Don't know how
minimal yet but roughly a dozen in North America and a dozen in Europe. Not
counting the administrative staff.
Thanks,
Mike
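Added example, not part of Mike's message or anything posted to the list: the Camp 2 layout he describes, built with the RSAT ActiveDirectory and GroupPolicy PowerShell modules. It creates one OU per office with Users, Desktops and Laptops child OUs, creates one GPO per office for that office's printers and group share, links it at the office OU, and also shows the site-link alternative he mentions. The domain na.example.com, the office names, the OU and GPO names, and the existence of an AD site named after each office are assumptions.

```powershell
# Added example (not from the thread): build the Camp 2 OU layout and link one
# GPO per office. Domain, office, OU and GPO names are assumptions.
# Needs the RSAT ActiveDirectory and GroupPolicy modules and an account that can
# create OUs and GPOs in the target domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = 'na.example.com'                       # assumed North American user domain
$DomainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
$Offices  = @('Chicago', 'Houston', 'Toronto')     # assumed; in practice, the site list

# Create OU=$Name under $Path unless it already exists; return its DN.
function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Path -SearchScope OneLevel -Server $Domain
    if (-not $ou) {
        $ou = New-ADOrganizationalUnit -Name $Name -Path $Path -Server $Domain -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $ou.DistinguishedName
}

# Link the GPO at $TargetDN (an OU or a site) unless its GUID already appears in
# the target's gPLink attribute. Checking gPLink directly also works for sites,
# which live in the Configuration partition.
function Add-GPLinkIfMissing {
    param([string]$GpoName, [string]$TargetDN)
    $gpo    = Get-GPO -Name $GpoName -Domain $Domain
    $gpLink = [string](Get-ADObject -Identity $TargetDN -Properties gPLink -Server $Domain).gPLink
    if ($gpLink -notlike "*{$($gpo.Id)}*") {
        New-GPLink -Guid $gpo.Id -Target $TargetDN -Domain $Domain -LinkEnabled Yes | Out-Null
    }
}

$officesDN = New-OUIfMissing -Name 'Offices' -Path $DomainDN

foreach ($office in $Offices) {
    $officeDN = New-OUIfMissing -Name $office -Path $officesDN
    foreach ($child in 'Users', 'Desktops', 'Laptops') {
        New-OUIfMissing -Name $child -Path $officeDN | Out-Null
    }

    # One GPO per office for its local printers and group share. Linked at the
    # office OU it reaches Users/Desktops/Laptops by inheritance; the OU does the
    # scoping, so no security filtering is needed.
    $gpoName = "Office - $office - Printers and Share"
    if (-not (Get-GPO -Name $gpoName -Domain $Domain -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName -Domain $Domain -Comment "Printer and group-share mappings for $office" | Out-Null
    }
    Add-GPLinkIfMissing -GpoName $gpoName -TargetDN $officeDN

    # The alternative Mike raises: link the same GPO to the AD site. Assumes a
    # site named after the office exists; skipped if it does not.
    $site = Get-ADReplicationSite -Filter "Name -eq '$office'" -Server $Domain
    if ($site) { Add-GPLinkIfMissing -GpoName $gpoName -TargetDN $site.DistinguishedName }
}

# Show the resulting tree and the links on each office OU.
Get-ADOrganizationalUnit -Filter * -SearchBase $officesDN -Server $Domain |
    Sort-Object DistinguishedName | Select-Object -ExpandProperty DistinguishedName
foreach ($office in $Offices) {
    (Get-GPInheritance -Target "OU=$office,$officesDN" -Domain $Domain).GpoLinks |
        Select-Object Target, DisplayName, Enabled
}
```

Every step is idempotent, so the script can be re-run as offices are added; the gPLink check is used instead of Get-GPInheritance so the same helper handles both OU and site targets.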
"Arden Pineda" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/04/2004 12:40 PM
Please respond to ActiveDir
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] OU design quandary
I would think that the 1st approach may work well for a small environment.
However, for larger organizations and as you start to use GPOs and
delegation, you may see that it makes more sense to create an OU hierarchy
that reflects your IT administration management model. As has been said
before, this makes it easier to granularly assign Group Policies and
delegation of administration.

As much as possible, I avoid using the GPO inheritance changing options,
such as filtering GPO permissions, but this is what you'll end up having to
do if you take approach 1.

Instead, I group objects with common management requirements and create
separate child OUs. This way, you can assign standard GPO settings at the
top-level OU, and create custom GPOs and link those at the lower-level
child OUs. This approach also makes your life easier when you are
troubleshooting GPOs or permissions, as you are not changing the default
GPO inheritance rules. Another point that I like with this approach is that
it ends up as visual documentation of your management model. I call it
"self-documenting", but there might be a better term out there.

Just my opinion.

Regards,
arden
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Coleman, Hunter
> Sent: Thursday, March 04, 2004 10:12 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OU design quandary
>
> Mike-
>
> I think you'll want to lean towards Camp Two. Do you have a
> single group that handles all aspects of user account
> management (creation, modification, deletion, password
> resets, etc)? If you don't, and you put all 35,000 users in
> one OU, then you're going to have a bunch of IT support staff
> who can modify user objects outside of their areas of
> responsibilities. Same with workstations, servers, and
> anything else that you dump into one generic OU.
>
> Same thing for Group Policies. If you have a group of 1,000
> users that need a specific group policy, why assign that GPO
> to an OU with 35,000 users and then have to filter out 34,000
> of them so they don't get the GPO? Or have dueling admins in GP wars?
>
> You don't have to go crazy with an elaborate OU structure,
> but I think you'll quickly run into all kinds of hassles if
> you try the all-in-one approach.
>
> Hunter
>
> -----Original Message-----
> From: Mike Baudino [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 04, 2004 10:19 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] OU design quandary
>
>
> All,
>
> We are in the final stages of a global AD design for our company. The
> design will have two user domains -- one for North America and one for
> Europe -- and it will have an empty root. Each of the user domains will
> have approximately 35,000 users. Software distribution will be via Tivoli.
>
> Two camps have emerged regarding OU structure and there's a rather large
> gap between them. I'm asking for your expert and experienced input to
> help resolve this issue.
>
> Camp one:
> We're going to search instead of browse. So put all users in a single
> users OU, put all desktop machines in a single desktops OU, put all
> laptops in a single laptops OU, put all IIS servers in a single OU, all
> SQL servers in a single, etc, etc, etc. Manage by groups instead of by
> the OU in which the object resides.
>
> Camp two:
> Regardless of whether we're going to search or browse, at some point
> having office hierarchy in the OU design will be helpful enough that it's
> necessary to build it now. Users, desktops and laptops will be grouped as
> child OUs to the office OUs. Servers for applications will be grouped by
> function and then by the application suite or ASP that is responsible for
> the application. Allows more granular delegation and application of
> group policy.
>
>
> We have too little actual deployment and management experience in Active
> Directory, especially this size, to make a definitive decision so I would
> appreciate any and all feedback regarding the pros and cons.
>
>
> Thanks,
> Mike
>
>
> ******************* PLEASE NOTE *******************
> This E-Mail/telefax message and any documents accompanying this
> transmission may contain privileged and/or confidential information and
> is intended solely for the addressee(s) named above. If you are not the
> intended addressee/recipient, you are hereby notified that any use of,
> disclosure, copying, distribution, or reliance on the contents of this
> E-Mail/telefax information is strictly prohibited and may result in legal
> action against you. Please reply to the sender advising of the error in
> transmission and immediately delete/destroy the message and any
> accompanying documents. Thank you.
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
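Added example, not part of any message in the thread: the two mechanisms the replies contrast, written out in PowerShell. The first half is Hunter's point: with per-office OUs, a regional helpdesk group can be given password reset and unlock rights on one office's Users OU only, and an audit function shows every OU where that group holds explicit rights. The second half is Arden's point: the Camp 1 alternative of one big Users OU plus GPO security filtering, so the extra moving parts (and the read-permission trap) are visible. The domain na.example.com, the OU, group and GPO names, and the existence of the Helpdesk-Chicago group are assumptions.

```powershell
# Added example (not from the thread). Domain, OU, group and GPO names are
# assumptions. Needs the RSAT ActiveDirectory and GroupPolicy modules, dsacls.exe,
# and an account allowed to change ACLs on the OUs and GPOs involved.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = 'na.example.com'                         # assumed North American user domain
$ADDomain = Get-ADDomain -Identity $Domain
$DomainDN = $ADDomain.DistinguishedName
$NetBIOS  = $ADDomain.NetBIOSName

# ---- Camp 2: delegation scoped by the office OU -------------------------------
$UsersOU  = "OU=Users,OU=Chicago,OU=Offices,$DomainDN"                # assumed per-office Users OU
$Helpdesk = Get-ADGroup -Identity 'Helpdesk-Chicago' -Server $Domain  # assumed group; throws if absent
$Trustee  = "$NetBIOS\$($Helpdesk.SamAccountName)"

# dsacls grants ACEs on the OU that inherit to user objects only (/I:S):
#   CA;Reset Password;user   the "Reset Password" extended right
#   RPWP;pwdLastSet;user     read/write pwdLastSet (force change at next logon)
#   RPWP;lockoutTime;user    read/write lockoutTime (unlock the account)
foreach ($grant in 'CA;Reset Password;user', 'RPWP;pwdLastSet;user', 'RPWP;lockoutTime;user') {
    & dsacls.exe $UsersOU /I:S /G "${Trustee}:$grant" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for '$grant' on $UsersOU" }
}

# Audit: every OU where $Group holds an explicit (non-inherited) ACE. With Camp 2
# this is one office OU; the same grant on a single 35,000-user OU would reach
# every user in the domain, which is the exposure Hunter describes.
function Get-DelegationScope {
    param([string]$Group)
    Get-ADOrganizationalUnit -Filter * -Server $Domain | ForEach-Object {
        $acl  = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        $hits = $acl.Access | Where-Object { $_.IdentityReference -like "*\$Group" -and -not $_.IsInherited }
        if ($hits) {
            [pscustomobject]@{
                OU     = $_.DistinguishedName
                Rights = ($hits | ForEach-Object { $_.ActiveDirectoryRights }) -join ', '
            }
        }
    }
}
Get-DelegationScope -Group $Helpdesk.SamAccountName | Format-Table -AutoSize

# ---- Camp 1: one big Users OU plus GPO security filtering ----------------------
$BigUsersOU = "OU=Users,$DomainDN"          # assumed single users OU
$GpoName    = 'Finance Desktop Settings'     # assumed GPO meant for ~1,000 users
$TargetGrp  = 'Finance-Users'                # assumed group holding those users

if (-not (Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Domain $Domain | Out-Null
}
try   { New-GPLink -Name $GpoName -Target $BigUsersOU -Domain $Domain -LinkEnabled Yes -ErrorAction Stop | Out-Null }
catch { }   # already linked

# Filtering: Finance-Users gets Apply; Authenticated Users is cut back to Read.
# -Replace is required to lower an existing level, otherwise nothing changes.
# Keep Read rather than None: since MS16-072 (June 2016) user policy is retrieved
# in the computer's security context, so a GPO only the target group can read is
# silently skipped.
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName $TargetGrp -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -Domain $Domain -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# The troubleshooting cost Arden mentions: who applies this GPO can no longer be
# read off the OU tree; it has to be read from the GPO's own ACL.
Get-GPPermission -Name $GpoName -Domain $Domain -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Run the two halves against a lab domain separately; the Camp 1 half exists to show the filtering and the permission trap, not as a recommendation. The audit function is worth keeping on its own: it answers "where does this group have rights?" for any delegated group, regardless of which camp the OU design follows.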