On the other hand, if you're stuck with that flat model, you could use conditional GPOs based on group membership to manage application of different settings to different user groups. Probably harder to manage going forward than just delegating rights on child OUs ...
alan > -----Original Message----- > From: Stephen Wimberly [mailto:[email protected]] > Sent: Wednesday, February 04, 2009 7:37 AM > To: Active Directory Admin Issues > Subject: Auto Created Users > > Our enterprise domain automatically creates users based on a feed from > our HR PeopleSoft. During that design it was decided that all user > objects should reside in a single flat OU and that only a few select > domain admins would have any rights to that OU. > > This means we cannot apply any Preferences to the user object. > (Policies > can operate in a LoopBack processing model.) > > We have asked that our Enterprise Domain change this to allow user > objects to reside in other OU locations, but they tell us that 'every > large scale domain' is done this way and that to do otherwise would be > 'unheard of.' > Is > this true? Is there 'no way' to effectively move user objects to > other AD locations to allow OU Admins the ability to apply user > preferences? Is there another way to apply user preferences? > > We have just over 15,000 user objects. > > ~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~ ~ <http://www.sunbelt-software.com/product.cfm?id=400> ~
