
AD Design Layout, Need Help!!


  • AD Design Layout, Need Help!!

    Hello to all!

    I believe this may be my first post, although I have been an avid reader for years.

    I recently took over a position as a Sys Admin for a small college. The AD was originally set up in more of a department / location configuration. I was informed that one of the first things that will need to be done is a restructure of AD. The change would be based on more of a role-based OU structure instead of department- or location-based.

    Staff, Faculty, Alumni, Students, etc. When this was discussed I was informed that some users may have multiple roles: Staff / Faculty, or Staff / Student. Does anyone have an idea on the best way to handle this, since a user can be in only one OU at a time? Although I have a solid networking background and years of experience, I am unfamiliar with the needs of an educational environment when it comes to AD.

    Any thoughts would be appreciated.

    Last edited by CDadmin; 13th July 2008, 02:16.

  • #2
    Re: AD Design Layout, Need Help!!

    How about a combination of the two?
    You can still use the location as the basis of your first OU level, and then as a second OU layer you can have COMPUTERS and USERS. You can then switch to function-based for the OU layer within USERS, i.e. Student, Teaching staff, Support etc.
    And then sort the computers based on their location within the COMPUTERS OU.
    Make sure your hierarchy is not very deep, as it may affect the performance.

    It's hard to say what's the best structure because every environment is different.
    This is what we use in our school and it works fine for us.

    One thing to consider before you go ahead with the restructuring is to make sure you document all the GPO settings (if you are using GPO) and be aware of which setting applies to which user or computer.

    Good luck

    It'll be more appropriate if the thread title was something like "Restructuring OU Hierarchy" or similar.

    Last edited by L4ndy; 13th July 2008, 13:01.
    Caesar's cipher - 3
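The layout described in this reply (location at the top, COMPUTERS and USERS beneath it, role OUs under USERS), scripted as an added example that is not part of the thread. It assumes the ActiveDirectory module from RSAT; the domain DN `DC=college,DC=edu`, the site names and the role names are placeholders to replace with your own. The final listing reports the nesting depth of every OU so you can confirm the hierarchy stays shallow, as the reply advises.

```powershell
# Added example, not from the thread: build a location -> COMPUTERS/USERS -> role OU layout.
# Assumes RSAT's ActiveDirectory module. Domain DN, site names and role names are placeholders.
Import-Module ActiveDirectory

$DomainDN  = 'DC=college,DC=edu'                              # placeholder domain
$Locations = @('MainCampus', 'NorthCampus')                   # constructed sample sites
$UserRoles = @('Students', 'TeachingStaff', 'SupportStaff')   # roles named in the reply

# Creates an OU only if it is not already there, so the script can be re-run safely.
function New-OuIfMissing {
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        # Accidental-deletion protection stops a mis-click from removing a whole branch.
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$Path"
}

foreach ($site in $Locations) {
    $siteDn      = New-OuIfMissing -Name $site        -Path $DomainDN
    $computersDn = New-OuIfMissing -Name 'COMPUTERS'  -Path $siteDn
    $usersDn     = New-OuIfMissing -Name 'USERS'      -Path $siteDn
    foreach ($role in $UserRoles) {
        New-OuIfMissing -Name $role -Path $usersDn | Out-Null
    }
    # Computers stay sorted by location directly under COMPUTERS; no role split needed there.
}

# Check the depth of the result: count the OU= components of each distinguished name.
# With this layout the deepest OUs sit at depth 3 (Site / USERS / Role).
Get-ADOrganizationalUnit -Filter * -SearchBase $DomainDN |
    ForEach-Object {
        [pscustomobject]@{
            Depth = ([regex]::Matches($_.DistinguishedName, 'OU=')).Count
            OU    = $_.DistinguishedName
        }
    } |
    Sort-Object Depth, OU |
    Format-Table -AutoSize
```

Run it from an account that can create OUs at the domain root. Because each OU is created only when missing, the same script also works as a drift check later: run it again and anything it creates is an OU someone removed.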

  • #3
    Re: AD Design Layout, Need Help!!

    Another way: you can apply all GPOs on a higher OU for the campus.
    That OU would contain all the GPO roles you want (Students/Staff/etc.) and filter the read permissions under "Security Filtering" (very easy to handle using GPMC) to Students/Staff/etc. per GPO corresponding to the role. All you have to do is add or remove users/machines from those groups, and here you get GPOs based on group membership rather than OU levels.
    Last edited by Akila; 13th July 2008, 14:47.
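The group-based approach in this reply, written out as an added example that is not part of the thread: one campus OU, one GPO per role, and security filtering so that only members of the matching group apply each GPO. It assumes RSAT's ActiveDirectory and GroupPolicy modules; the campus OU DN, the GPO names and the group names are placeholders. A user with two roles (the original poster's Staff / Student case) simply belongs to both groups and receives both GPOs while living in a single OU.

```powershell
# Added example, not from the thread: role GPOs on one campus OU, filtered by group membership.
# Assumes RSAT's ActiveDirectory and GroupPolicy modules. OU, GPO and group names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$CampusOU   = 'OU=Campus,DC=college,DC=edu'   # placeholder: the single OU every role GPO links to
$RoleGroups = @{                              # role -> security group (placeholder names)
    'Students' = 'GG-Role-Students'
    'Staff'    = 'GG-Role-Staff'
}

foreach ($role in $RoleGroups.Keys) {
    $gpoName = "Role - $role"
    $group   = $RoleGroups[$role]

    # Role group and GPO are created only if they do not exist yet.
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $CampusOU | Out-Null
    }
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

    # Every role GPO is linked to the same campus OU; the security filter, not the link, decides who gets it.
    $alreadyLinked = (Get-GPInheritance -Target $CampusOU).GpoLinks | Where-Object DisplayName -eq $gpoName
    if (-not $alreadyLinked) {
        New-GPLink -Name $gpoName -Target $CampusOU -LinkEnabled Yes | Out-Null
    }

    # Security filtering: grant Apply to the role group only.
    Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Downgrade the default Authenticated Users entry from Apply to Read instead of deleting it.
    # Since the MS16-072 update, computers read user GPOs with their own account, so a GPO that
    # Authenticated Users cannot read is silently skipped during processing.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

# Verify the filter: list every trustee that can apply each role GPO.
foreach ($role in $RoleGroups.Keys) {
    $name = "Role - $role"
    Get-GPPermission -Name $name -All |
        Where-Object Permission -eq 'GpoApply' |
        Select-Object @{ n = 'GPO'; e = { $name } }, @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}
```

Adding or removing a user from `GG-Role-Students` is then the whole change; no object moves between OUs. The verification loop is worth keeping as a periodic check, because an extra Apply entry on a role GPO is exactly the kind of drift that GPMC's summary view makes easy to miss.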


  • #4
    Re: AD Design Layout, Need Help!!

    There are many ways to structure your AD environment, with as many schools of thought. In fact, there's an entire Microsoft certification exam devoted to Active Directory design.

    Having worked with both logical and illogical AD designs, my advice to you would be to settle on a practical design that lends itself well to Group Policy Object deployment - assuming your organization uses GPOs. If there is anything that will uncover a pain in the *** AD structure that doesn't make sense for your organization, it will be GPOs. In a poor AD design, GPO linking will be a tangled mess of hell which makes GPOs much more difficult to troubleshoot. You want your GPO deployment to be as fluid and as minimal as possible with respect to parent/child OU inheritance.

    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+ - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.
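A way to measure the "tangled mess" this reply warns about before restructuring, as an added example that is not part of the thread: walk every OU, record which GPOs are linked there and whether inheritance is blocked or a link is enforced, and flag the GPOs that are linked in many places. It assumes RSAT's ActiveDirectory and GroupPolicy modules and runs against the current domain; nothing is changed, only read.

```powershell
# Added example, not from the thread: read-only audit of GPO links and inheritance per OU.
# Assumes RSAT's ActiveDirectory and GroupPolicy modules; defaults to the current domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-OuGpoLinkReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $ous = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | Sort-Object DistinguishedName
    foreach ($ou in $ous) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName
        foreach ($link in $inh.GpoLinks) {
            [pscustomobject]@{
                OU                 = $ou.DistinguishedName
                Depth              = ([regex]::Matches($ou.DistinguishedName, 'OU=')).Count
                GPO                = $link.DisplayName
                Enabled            = $link.Enabled
                Enforced           = $link.Enforced
                InheritanceBlocked = $inh.GpoInheritanceBlocked
            }
        }
        # An OU that blocks inheritance without linking anything still matters: record it with no GPO.
        if ($inh.GpoInheritanceBlocked -and -not $inh.GpoLinks) {
            [pscustomobject]@{
                OU                 = $ou.DistinguishedName
                Depth              = ([regex]::Matches($ou.DistinguishedName, 'OU=')).Count
                GPO                = $null
                Enabled            = $null
                Enforced           = $null
                InheritanceBlocked = $true
            }
        }
    }
}

$report = Get-OuGpoLinkReport

# Symptom 1: enforced links and blocked inheritance, the two switches that make troubleshooting hard.
Write-Host 'Enforced links / blocked inheritance:'
$report | Where-Object { $_.Enforced -or $_.InheritanceBlocked } | Format-Table -AutoSize

# Symptom 2: the same GPO linked at many OUs, which usually means the OU tree does not match the policy.
Write-Host 'GPOs linked in more than one place:'
$report | Where-Object GPO | Group-Object GPO | Where-Object Count -gt 1 |
    Select-Object Name, Count | Sort-Object Count -Descending | Format-Table -AutoSize

# Symptom 3: GPOs that exist but are linked nowhere, to document or remove before the restructure.
Write-Host 'Unlinked GPOs:'
$linkedNames = $report | Select-Object -ExpandProperty GPO -Unique
Get-GPO -All | Where-Object { $linkedNames -notcontains $_.DisplayName } | Select-Object DisplayName, ModificationTime
```

Run this once before the redesign and save the output next to the GPO settings export recommended earlier in the thread; after the restructure, a second run should show fewer enforced links, fewer blocked OUs and each GPO linked at one or two places at most.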


  • #5
    Re: AD Design Layout, Need Help!!

    Thank you for the input to all that replied. Yes, one of my goals is to make the structure as clean as possible and use GPMC. I actually just started reading Jeremy Moskowitz's "Group Policy Fundamentals, Security and Troubleshooting". So far it's been very informative and I think this will help with the project.

  • #6
    Re: AD Design Layout, Need Help!!

    I guess the best hint I can give to someone about OU structure is: draw it out, and show it to the "business people". See what type of controls, separation or delegation might be wanted in the short and long term.

    Draw a few different designs, find pros and cons, and get it approved by them.
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah