I'm catching up on this thread, sorry for being late to the party. Don't necessarily look at it as an either/or situation. Listen to the folks who all started mentioning delegation and GPOs, as that's what it comes down to...

If you are going to delegate out powers, break things up; it will be a pain otherwise. But think of how you are going to do all of that delegation before deciding whole hog what you are doing. What we did is actually break out machine accounts/groups into local site OUs because they were all going to be managed by local site people. Userids are all managed through a provisioning system so are all in one small set of OUs (six actually, to match our six layers of User GPOs). Now the groups and servers are broken out into a sub-OU of each site OU, and that sub-OU is delegated to the centralized support group to do create/delete and to the local site to do membership modifications for groups and joins for servers. Workstations, on the other hand, are completely in the hands of the local site.

Our logic was: users are completely handled by the provisioning system, so no point in segregating them out to all of the sites. Workstations will be managed completely locally, so that has to be broken out into OUs. Servers we wanted delegated join but centralized delete/create; groups delegated membership mods but centralized delete/create. It all kind of made sense how it came together.

joe

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Friday, March 05, 2004 3:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU design quandary

Thanks for the replies and sorry about my delay posting more. Conference calls and meetings sucking up lots o' time.

We do have a fairly centralized administration team in that user administration, helpdesk, provisioning, and deskside support have been outsourced globally. They'll have a staff in North America and a staff in Europe. Our link to Europe isn't robust enough to support having a single user domain across the Atlantic, thus why we have a European domain and a North American domain.

However, those of us not outsourced are considering ourselves to be the "managers" of Active Directory. We create the OU structure, GPOs, troubleshooting of things, group creation, ACLing, etc. The staff performing this function is very decentralized but we're working with a common framework in place. Software distribution will not be done via GPO.

I liked the "self-documenting" statement below. I also liked Hunter's comments regarding GPO. Got them on that one.

OK, I'll fess up. I'm definitely in Camp 2. I see no benefit at all to lumping all users into a single OU. As long as we don't get absurd with the number of OUs and work out a logical rationale for how we're going to break down the structure, I believe that it creates a superior design. Yes, it will be a bit more work, especially in provisioning. When a user is created or moves from one office to another (permanently) we'll have to move some things around.

The people in the project in North America are all in Camp 2. Our European counterparts are in Camp 1. Not at all sure why. I don't believe it's cultural. Maybe Microsoft in Europe? Our design was reviewed and "blessed" by Microsoft a while back. They've had Microsoft in recently and changed their position and said simpler is better. Can't get much more simple than they have it.

Our CEO is requiring "site transparency". Our belief is that we will accomplish this via GPOs linked to sites to enable and define printing to local printers in each office and that office's "group share" (if any). We believe that if we create an OU structure that matches the sites then we'll be able to make it much easier to create and maintain the site GPOs. Or even if we do this by logon script (not linked to site), then having the OU structure in place will still make this a lot easier.

Lastly, the staff around to manage this will be minimal. Don't know how minimal yet, but roughly a dozen in North America and a dozen in Europe. Not counting the administrative staff.

Thanks,
Mike

"Arden Pineda" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
tivedir.org
03/04/2004 12:40 PM
Please respond to ActiveDir

To: <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] OU design quandary

I would think that the 1st approach may work well for a small environment. However, for larger organizations, and as you start to use GPOs and delegation, you may see that it makes more sense to create an OU hierarchy that reflects your IT administration management model. As has been said before, this makes it easier to granularly assign Group Policies and delegation of administration.

As much as possible, I avoid using the GPO inheritance changing options, such as Filter GPO permission, but this is what you'll end up having to do if you take approach 1. Instead, I group objects with common management requirements and create separate child OUs. Thus, you can assign standard GPO settings at the top-level OU, and create custom GPOs and link those at the lower-level child OUs. This approach also makes your life easier when you are troubleshooting GPOs or permissions, as you are not changing the default GPO inheritance rules.

Another point that I like with this approach is that it ends up as visual documentation of your management model. I call it "self-documenting", but there might be a better term out there.

Just my opinion.

Regards,
arden

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Coleman,
> Hunter
> Sent: Thursday, March 04, 2004 10:12 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OU design quandary
>
> Mike-
>
> I think you'll want to lean towards Camp Two. Do you have a single
> group that handles all aspects of user account management (creation,
> modification, deletion, password resets, etc)? If you don't, and you
> put all 35,000 users in one OU, then you're going to have a bunch of
> IT support staff who can modify user objects outside of their areas of
> responsibilities. Same with workstations, servers, and anything else
> that you dump into one generic OU.
>
> Same thing for Group Policies. If you have a group of 1,000 users that
> need a specific group policy, why assign that GPO to an OU with 35,000
> users and then have to filter out 34,000 of them so they don't get the
> GPO? Or have dueling admins in GP wars?
>
> You don't have to go crazy with an elaborate OU structure, but I think
> you'll quickly run into all kinds of hassles if you try the all-in-one
> approach.
>
> Hunter
>
> -----Original Message-----
> From: Mike Baudino [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 04, 2004 10:19 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] OU design quandary
>
> All,
>
> We are in the final stages of a global AD design for our company. The
> design will have two user domains -- one for North America and one for
> Europe -- and it will have an empty root. Each of the user domains
> will have approximately 35,000 users. Software distribution will be
> via Tivoli.
>
> Two camps have emerged regarding OU structure and there's a rather
> large gap between them. I'm asking for your expert and experienced
> input to help resolve this issue.
>
> Camp one:
> We're going to search instead of browse. So put all users in a single
> users OU, put all desktop machines in a single desktops OU, put all
> laptops in a single laptops OU, put all IIS servers in a single OU,
> all SQL servers in a single, etc, etc, etc. Manage by groups instead
> of by OU in which the object resides.
>
> Camp two:
> Regardless of whether we're going to search or browse, at some point
> having office hierarchy in the OU design will be helpful enough that
> it's necessary to build it now. Users, desktops and laptops will be
> grouped as child OUs to the office OUs. Servers for applications will
> be grouped by function and then by the application suite or
> ASP that is responsible for the application.
> Allows more granular delegation and application of group policy.
>
> We have too little actual deployment and management experience in
> Active Directory, especially this size, to make a definitive decision
> so I would appreciate any and all feedback regarding the pros and
> cons.
>
> Thanks,
> Mike
>
> ******************* PLEASE NOTE ******************* This
> E-Mail/telefax message and any documents accompanying this
> transmission may contain privileged and/or confidential information
> and is intended solely for the addressee(s) named above. If you are
> not the intended addressee/recipient, you are hereby notified that any
> use of, disclosure, copying, distribution, or reliance on the contents
> of this E-Mail/telefax information is strictly prohibited and may
> result in legal action against you. Please reply to the sender
> advising of the error in transmission and immediately delete/destroy
> the message and any accompanying documents. Thank you.
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
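Joe's delegation split above (central team creates/deletes groups and servers, local site staff edit group membership and join servers, local site owns workstations outright), worked through as an added PowerShell example that is not from any of the posters; the domain, site, OU and group names are constructed, and it assumes the RSAT ActiveDirectory module and dsacls.exe.

```powershell
# Added example: build one site's OU layout and apply the delegation split
# described in the thread. All names below are constructed placeholders.
Import-Module ActiveDirectory

$Site       = 'Detroit'                      # constructed site name
$DomainDN   = (Get-ADDomain).DistinguishedName
$SiteOU     = "OU=$Site,OU=Sites,$DomainDN"
$CentralOps = 'CORP\CentralSupport'          # constructed: centralized support group
$SiteAdmins = "CORP\$Site-SiteAdmins"        # constructed: local site staff group

# OU layout: a site OU with sub-OUs for groups, servers and workstations.
New-ADOrganizationalUnit -Name 'Sites' -Path $DomainDN -ErrorAction SilentlyContinue
New-ADOrganizationalUnit -Name $Site -Path "OU=Sites,$DomainDN"
foreach ($child in 'Groups', 'Servers', 'Workstations') {
    New-ADOrganizationalUnit -Name $child -Path $SiteOU
}

# Groups: central team may create/delete group objects in the OU (CC + DC);
# site staff may only write the 'member' attribute of group objects beneath
# it (WP on 'member', inherited to sub-objects of class group via /I:S).
dsacls "OU=Groups,$SiteOU" /G "${CentralOps}:CCDC;group"
dsacls "OU=Groups,$SiteOU" /I:S /G "${SiteAdmins}:WP;member;group"

# Servers: site staff may create computer objects (a domain join by someone
# holding CC creates the object); only the central team also holds DC, so
# only it can remove a server object.
dsacls "OU=Servers,$SiteOU" /G "${CentralOps}:CCDC;computer"
dsacls "OU=Servers,$SiteOU" /G "${SiteAdmins}:CC;computer"

# Workstations: entirely the site's to manage (generic all, inherited /I:T).
dsacls "OU=Workstations,$SiteOU" /I:T /G "${SiteAdmins}:GA"

# Dump the resulting ACLs so the delegation can be reviewed before use.
foreach ($child in 'Groups', 'Servers', 'Workstations') {
    dsacls "OU=$child,$SiteOU"
}
```

Joining a machine to a pre-staged computer object needs further rights (password reset and the validated writes for DNS host name and SPN), which this sample deliberately does not grant.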
