Dave, You could always remove authenticated users from the various policies that are causing issue and create a few more that are scoped more towards that group of users and computers, then permission on a group membership basis.
That's what we do and it works very well. Mark -----Original Message----- From: Dave Hochstaetter <[EMAIL PROTECTED]> Date: Tue, 24 May 2005 14:45:30 To:[email protected] Subject: [ActiveDir] When is an AD structure too deep? Good Afternoon, A specific item was brought up in the following thread regarding deep AD structures, http://www.mail-archive.com/[email protected]/msg28979.html Coincidentially I have been thinking about AD structures and the depth or complexitiy of them. I was hoping to explore this topic in a bit greater detail. My scenario is, I am involved with desktop administration, but currently do not do the hands on design/policy implementation. This is what I would term a "black hole" in our organization. I am suggesting changes to the AD structure to the management groups followed by delegation of polcy right to allow us to perform the functions that IMO are vital. The current structure stops at the location level with only desktops, servers, users, laptops below each location. Thus all business units would get the same policies, however the operations of the units do not currently allow that (nor does the current company culture), thus we are hampered on taking many necessary actions for managing a medium sized organization due to the wider impact at the location level. My example: Root domain <Region Domain (e.g. North America, etc.)> <Location> <Business Unit> Desktop Laptops Users <Business Unit> Desktop Laptops Users <Business Unit> Desktop Laptops Users <Location> This is a structure I am proposing to increase the manageability of our environment with policies, sofitware assignments, and IMO a more logical structure. Questions: Any comments on the structure? What is considered a deep structure? What is considered too deep a structure? How many here are running a deep structure? Any problems or caveats to this? Can anyone provide some links to resources covering pros and cons of different structures? I am new to this list and will be searching the archives in detail as I get more time, however if this has been covered and someone has a quick link handy please let me know. Thanks Dave List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
