User and Computer OUs

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

At the risk of getting my head bitten off, or called stupid, can someone
explain why computer objects and user objects should be placed in separate
OUs, or at least point me to some info on this subject.

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

There is no requirement to do such however it may make it easier from an
organizing perspective. For smaller numbers of users and computers that may
not be a problem. If you have a larger number you may want to split them.
For instance if you have a group of users and computers in the sales
department, you could create an OU called sales with a child OU's of users
and computers. Group Policy could still be applied to the "sales" OU and
both the user's and computer's OU's would inherit the settings. Or you could
simply have one OU called sales and put both users and computers in it. Do
not however remove domain controllers from the domain controllers container,
in order to have consistent policy apply to domain controllers. You can
however create child OU's in the domain controllers container if you have
special Group/security policy needs for particular domain controllers. ---
Steve


"Ageing Brilliantine Stick Insect"
<AgeingBrilliantineStickInsect@discussions.microsoft.com> wrote in message
news:3D21DCD5-61D5-4642-843F-DDAE77BE4DC2@microsoft.com...
> At the risk of getting my head bitten off, or called stupid, can someone
> explain why computer objects and user objects should be placed in separate
> OUs, or at least point me to some info on this subject.

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Steven,

Thanks for that......much obliged.



"Steven L Umbach" wrote:

> There is no requirement to do such however it may make it easier from an
> organizing perspective. For smaller numbers of users and computers that may
> not be a problem. If you have a larger number you may want to split them.
> For instance if you have a group of users and computers in the sales
> department, you could create an OU called sales with a child OU's of users
> and computers. Group Policy could still be applied to the "sales" OU and
> both the user's and computer's OU's would inherit the settings. Or you could
> simply have one OU called sales and put both users and computers in it. Do
> not however remove domain controllers from the domain controllers container,
> in order to have consistent policy apply to domain controllers. You can
> however create child OU's in the domain controllers container if you have
> special Group/security policy needs for particular domain controllers. ---
> Steve
>
>
> "Ageing Brilliantine Stick Insect"
> <AgeingBrilliantineStickInsect@discussions.microsoft.com> wrote in message
> news:3D21DCD5-61D5-4642-843F-DDAE77BE4DC2@microsoft.com...
> > At the risk of getting my head bitten off, or called stupid, can someone
> > explain why computer objects and user objects should be placed in separate
> > OUs, or at least point me to some info on this subject.
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Ageing Brilliantine Stick Insect wrote:
> At the risk of getting my head bitten off, or called stupid, can
> someone explain why computer objects and user objects should be
> placed in separate OUs, or at least point me to some info on this
> subject.

Group policies you'd want to apply to one OU and not another, etc?
Order rather than chaos? I mean, you wouldn't put all your network files in
a single folder/share called "FILES" with no subfolders, right?

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi Lanwench,

(I sure hope you are a girl, coz with that name, I'm getting to like you
already!!....and please accept my humble apologies for that insensitive piece
of male crassness!)

I have some order in my AD.....probably too much. Delegated administration
is not an issue - there are a couple of people here who all have full
unrestrained access to the AD, and that's not likely to change, so we don't
need to take delegated administration into account

We have 4 divisions here, so I've created an OU for each of them. Within
each of those divisions there are a number of workgroups (bad choice of name
within an AD environment, but you know what I mean), so I have created OUs
for each of them, and put both the users in those workgroups, and the
computers they use into those OUs as follows

AD Root
----- Divisional OU 1
-----------Workgroup1 (users and computers)
-----------Workgroup2 (users and computers)
----- Divisional OU 2
-----------Workgroup1 (users and computers)
etc

I have left all the domain controllers in the default Domain Controllers OU,
but all our member servers are still in the default Computers container -
they have all worked since our system was set up (not by us - we just run the
thing after high-paid consultants do all the preparation), and I don't want
to break anything, so I have just left them there.

"Lanwench [MVP - Exchange]" wrote:

> Ageing Brilliantine Stick Insect wrote:
> > At the risk of getting my head bitten off, or called stupid, can
> > someone explain why computer objects and user objects should be
> > placed in separate OUs, or at least point me to some info on this
> > subject.
>
> Group policies you'd want to apply to one OU and not another, etc?
> Order rather than chaos? I mean, you wouldn't put all your network files in
> a single folder/share called "FILES" with no subfolders, right?
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Ageing Brilliantine Stick Insect wrote:
> Hi Lanwench,
>
> (I sure hope you are a girl

I was, once, but that was back in the early Pleistocene.

> , coz with that name, I'm getting to like
> you already!!....and please accept my humble apologies for that
> insensitive piece of male crassness!)

OK. Which other pieces of insensitive male crassness shall I then refuse to
forgive?
>
> I have some order in my AD.....probably too much. Delegated
> administration is not an issue - there are a couple of people here
> who all have full unrestrained access to the AD, and that's not
> likely to change, so we don't need to take delegated administration
> into account
>
> We have 4 divisions here, so I've created an OU for each of them.
> Within each of those divisions there are a number of workgroups (bad
> choice of name within an AD environment, but you know what I mean),
> so I have created OUs for each of them, and put both the users in
> those workgroups, and the computers they use into those OUs as follows
>
> AD Root
> ----- Divisional OU 1
> -----------Workgroup1 (users and computers)
> -----------Workgroup2 (users and computers)
> ----- Divisional OU 2
> -----------Workgroup1 (users and computers)
> etc
>
> I have left all the domain controllers in the default Domain
> Controllers OU, but all our member servers are still in the default
> Computers container - they have all worked since our system was set
> up (not by us - we just run the thing after high-paid consultants do
> all the preparation), and I don't want to break anything, so I have
> just left them there.

I reckon my next question is, is this config causing you problems? What do
you need the "workgroups" for? Perhaps those are excessive....but the
departmental ones may make sense to leave in place. It's all really up to
you, and whatever sense of order your personal tech-OCD desires.
>
> "Lanwench [MVP - Exchange]" wrote:
>
>> Ageing Brilliantine Stick Insect wrote:
>>> At the risk of getting my head bitten off, or called stupid, can
>>> someone explain why computer objects and user objects should be
>>> placed in separate OUs, or at least point me to some info on this
>>> subject.
>>
>> Group policies you'd want to apply to one OU and not another, etc?
>> Order rather than chaos? I mean, you wouldn't put all your network
>> files in a single folder/share called "FILES" with no subfolders,
>> right?

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Another rational you may find useful is at
http://members.shaw.ca/bsanders/WindowsGeneralWeb/HappyGPOs.htm.

When we first set up our OU structure we set it up like this:

Office (location) or (head office) department
users
groups
computers

However, we are now finding that, for administrative purposes and for ease
of application of GPOs, this structure is not as useful as it might be, so
we are in the process of inverting it to:

users
location or department
groups
Resource Groups for administering servers
Resource Groups for administering workstations
Role groups (various)
computers
servers
administrative
Terminal Services
workstations
location

Whatever works in your situation is right - organise the OUs etc. to
facilitate administration and management. Not all organanizations
distribute work among the support staff the same way.

For example, in our situation:
1. different people administer/manage users than, for example, administer
servers and workstations, thus we set the AD object security differently for
the users OU than for the computers OU
2. we require, for security purposes, that password resets be done only be
someone that knows the person asking for the password reset, which is
usually someone in the same location or department, thus the security on the
user accounts is different depending on office or department
3. some group memberships are critical to correct operation - e.g. who can
administer servers, so we adjust who can change group membership differently
for groups with different purposes.
4. we apply User specific GPOs to the Users OU and Computer specific GPOs to
the appropriate computers OU.

Organising the OU hierarchy helps with keeping the administration as simple
as possible commensurate with business requirements.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Ageing Brilliantine Stick Insect"
<AgeingBrilliantineStickInsect@discussions.microsoft.com> wrote in message
news:6F911BC6-2085-468B-94F7-888ED37F4C04@microsoft.com...
> Hi Steven,
>
> Thanks for that......much obliged.
>
>
>
> "Steven L Umbach" wrote:
>
>> There is no requirement to do such however it may make it easier from an
>> organizing perspective. For smaller numbers of users and computers that
>> may
>> not be a problem. If you have a larger number you may want to split them.
>> For instance if you have a group of users and computers in the sales
>> department, you could create an OU called sales with a child OU's of
>> users
>> and computers. Group Policy could still be applied to the "sales" OU and
>> both the user's and computer's OU's would inherit the settings. Or you
>> could
>> simply have one OU called sales and put both users and computers in it.
>> Do
>> not however remove domain controllers from the domain controllers
>> container,
>> in order to have consistent policy apply to domain controllers. You can
>> however create child OU's in the domain controllers container if you have
>> special Group/security policy needs for particular domain
>> ontrollers. ---
>> Steve
>>
>>
>> "Ageing Brilliantine Stick Insect"
>> <AgeingBrilliantineStickInsect@discussions.microsoft.com> wrote in
>> message
>> news:3D21DCD5-61D5-4642-843F-DDAE77BE4DC2@microsoft.com...
>> > At the risk of getting my head bitten off, or called stupid, can
>> > someone
>> > explain why computer objects and user objects should be placed in
>> > separate
>> > OUs, or at least point me to some info on this subject.
>>
>>
>>