Hi Dave
We have something similar set up within our organization, in some cases
running up to 7 levels deep. Our sole reason for doing it this way is
delegation. We have IT specialists at each location that are former Domain
Admins in the NT days and pretty much have ownership of the location OUs.
Depending on the location we may or may not have business units underneath
those - again for the purpose of delegation only (i.e. a specific BU
within the location has their own helpdesk because of size that has full
access to users, groups and computers specifically within that BU). We
also have some locations that contain sublocations with BUs under them.
Our entire structure is based on our delegation model however, not on GPOs.
Policy-wise, if we have a policy that applies to a BU within a location that
does not have its own IT staff and need for delegation we use Group
filtering to control the GPO.
We have not had any technical issues doing things this way (although we do
occasionally run into "where did the user go" questions and the large
number of OUs does add complexity there). From a social standpoint, this
was the structure that mirrored the way the organization works.
Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]
Dave Hochstaetter <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
05/24/2005 02:45 PM AST
Please respond to ActiveDir

To: [email protected]
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] When is an AD structure too deep?

Good Afternoon,
A specific item was brought up in the following thread regarding deep AD
structures,
http://www.mail-archive.com/[email protected]/msg28979.html
Coincidentally I have been thinking about AD structures and the depth or
complexity of them. I was hoping to explore this topic in a bit greater
detail. My scenario is, I am involved with desktop administration, but
currently do not do the hands-on design/policy implementation. This is what
I would term a "black hole" in our organization.
I am suggesting changes to the AD structure to the management groups
followed by delegation of policy rights to allow us to perform the functions
that IMO are vital. The current structure stops at the location level with
only desktops, servers, users, laptops below each location. Thus all
business units would get the same policies, however the operations of the
units do not currently allow that (nor does the current company culture),
thus we are hampered in taking many necessary actions for managing a
medium-sized organization due to the wider impact at the location level.
My example:
Root domain
  <Region Domain (e.g. North America, etc.)>
    <Location>
      <Business Unit>
        Desktop
        Laptops
        Users
      <Business Unit>
        Desktop
        Laptops
        Users
      <Business Unit>
        Desktop
        Laptops
        Users
    <Location>
This is a structure I am proposing to increase the manageability of our
environment with policies, software assignments, and IMO a more logical
structure.
Questions:
Any comments on the structure?
What is considered a deep structure?
What is considered too deep a structure?
How many here are running a deep structure?
Any problems or caveats to this?
Can anyone provide some links to resources covering pros and cons of
different structures?
I am new to this list and will be searching the archives in detail as I get
more time, however if this has been covered and someone has a quick link
handy please let me know.
Thanks
Dave
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
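
The group filtering described in the reply above (a GPO linked at the location OU but applied only to one business unit's group, so no extra OU level is needed), as an added example that is not part of the original thread. It uses the GroupPolicy PowerShell module, which postdates this 2005 exchange; the GPO name, group name and OU path are hypothetical.

```powershell
# Added example: all names below are hypothetical placeholders.
Import-Module GroupPolicy

$GpoName    = 'BU-Finance-Desktop-Policy'     # hypothetical GPO for one business unit
$FilterGrp  = 'GG-Denver-Finance-Users'       # hypothetical security group holding the BU's members
$LocationOU = 'OU=Denver,DC=example,DC=com'   # hypothetical location OU with no BU sub-OU

# Create the GPO only if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Link it at the location level unless a link is already present.
$linked = (Get-GPInheritance -Target $LocationOU).GpoLinks.DisplayName
if ($linked -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $LocationOU | Out-Null
}

# Security filtering: downgrade Authenticated Users from Apply to Read.
# Read must stay in place, because since MS16-072 user policy is retrieved
# in the computer's security context; removing it entirely makes the GPO
# silently fail to apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Grant Apply only to the business unit's group.
Set-GPPermission -Name $GpoName -TargetName $FilterGrp `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Review the resulting ACL: exactly one trustee should hold GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Sort-Object Permission, Trustee
```

Anyone who can change membership of the filter group controls who receives the policy, so that group should be administered under the same delegation boundary as the GPO itself.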