both structures have their values - the functional groupings will allow
you to better control other things (mostly security related) specific to
the machines grouped into an OU, e.g. to ensure that IIS is disabled on
all non-web machines etc (or that it is _enabled_ on all that need it).
This can become even more important once you're running Win2k3 SP1 and
leverage the FW feature - you'll want to apply the defined set of
policies created with the SCW (Security Configuration Wizard) to a
specific set of servers with the same role. This is more easily done
when servers are grouped into functional OUs, even if it's not the
coolest thing for assigning delegated admin rights.

But whichever model you've implemented, there is nothing that keeps you
from further grouping your machines into security groups (i.e. AD
security groups) and then applying specific GPOs with group-filtering for
those groups to reach your goal.  I'm not a huge fan of group-filtering,
but it certainly can help out in situations such as yours. It would allow
you to either grant the "log on locally" user right to whatever group of
admins you need to grant it to, or to add that group to the local admin
groups of the target servers using the "restricted groups" option in
GPO.

/Guido
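
The group-filtered GPO described above, as an added example that is not part of the thread: a per-role GPO, security-filtered to a group of computer accounts, that grants a delegated admin group "log on locally" and adds it to the local Administrators group via Restricted Groups. It uses the GroupPolicy PowerShell module from later Windows Server releases; the OU, group and domain names are assumptions.

```powershell
# Added example, not from the thread. Names below are assumptions.
Import-Module GroupPolicy

$gpoName     = 'SRV-WebServers-DelegatedAdmins'
$targetOU    = 'OU=WebServers,OU=Servers,DC=corp,DC=example'  # assumed functional OU
$serverGroup = 'WebServers-Computers'   # assumed AD group holding the computer accounts
$adminGroup  = 'CORP\WebServer-Admins'  # assumed group of sub-administrators

# 1. Create the GPO and link it to the functional OU.
$null = New-GPO -Name $gpoName -Comment 'Delegated log on locally + local admin for web servers'
$null = New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes

# 2. Group-filter it: Authenticated Users keep Read (the computer must still read the
#    GPO), but only members of $serverGroup get Apply, so unrelated servers are untouched.
$null = Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
$null = Set-GPPermission -Name $gpoName -TargetName $serverGroup -TargetType Group `
    -PermissionLevel GpoApply

# 3. Security template for Computer Configuration > Windows Settings > Security Settings.
#    Import it in the GPO editor (right-click Security Settings > Import Policy...), or
#    dry-run it on a single test box with:
#    secedit /configure /db test.sdb /cfg <file>.inf /areas USER_RIGHTS GROUP_MGMT
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
; SeInteractiveLogonRight REPLACES the current assignment on the target machines:
; keep Administrators (S-1-5-32-544) or the enterprise admins lose the right they have today.
SeInteractiveLogonRight = *S-1-5-32-544,$adminGroup
[Group Membership]
; "Memberof" only ADDS the delegated group to local Administrators. Do not use a
; "*S-1-5-32-544__Members =" line here: that overwrites the whole membership of
; Administrators on every filtered server.
${adminGroup}__Memberof = *S-1-5-32-544
"@
Set-Content -Path "$env:TEMP\$gpoName.inf" -Value $template -Encoding Unicode
```

Check the result on one server with `gpresult /scope computer /v` (the GPO should be listed as applied, not filtered out by security) before linking the GPO to further OUs.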

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, January 24, 2005 4:05 PM
To: [email protected]
Subject: RE: [ActiveDir] Controlling log on locally in an AD domain

Unfortunately, we have already imposed an OU structure which groups
servers into functional groupings (as recommended by Microsoft
consultants who helped us!)

Thanks for the suggestion though

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gabriel O.
Zabal
Sent: Monday, 24 January 2005 15:54
To: [email protected]
Subject: RE: [ActiveDir] Controlling log on locally in an AD domain


You should consider placing those servers in a special OU (ie:
Administered Servers) and then delegate the administrative rights to the
sub-administrators. That would allow them to modify not only the "log on
locally" but also other things that will help them on their duties.

Gabriel Zabal
MCSE 2003

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, 24 January 2005 03:22 PM
To: [email protected]
Subject: [ActiveDir] Controlling log on locally in an AD domain

I am having a real problem getting my head round setting the "log on
locally" policy for a group of computers.

What I am hoping to achieve is the ability to allow different groups of
sub-administrators the rights to log on locally to the servers they are
responsible for.

Currently, log on locally is only allowed to the Enterprise admins, but
as the number of servers grows and we need to delegate responsibility
to other nominated administrators, we find they are blocked from logging
on and we can't find a clean solution.

Can someone please point me in the direction of a tidy solution to the
problem?

Many thanks
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/