1

At the company I am doing work for at the moment I am setting up a new server. It's going to be running Microsoft Server 2008 and be used as a domain controller with the DNS pointing to OpenDNS for filtering etc.

The organisation is a medical practice with the usual levels of employee, such as:

  • Company Directors
  • Doctors
  • Nurses
  • Reception Staff
  • Office/Admin Staff
  • Work Experience Users
  • Contractors

I have set the server up on Microsoft Server 2003, but it has since been decided that before we go any further we should upgrade/reinstall to Microsoft Server 2008. I thought this would be an ideal time to clarify the 'normal' way of setting the users up.

Currently, each of the above levels of employee is an Organisational Unit. I did this because it appeared I could set the GPO etc. from the Organisational Unit level, rather than selecting all users within a Group and then applying the GPO that way.

Is this correct? Can Organisational Units be used for user-level organisation, or are they intended for location-based organisation, such as Office 1, Reception etc.?

Thanks,

Danny

dannymcc

2 Answers

3

There isn't really a right answer to this, the answer is "It depends".

You can apply GPOs to either an OU, or to a group of users or computers, or to a combination, i.e. only members of a certain group that are also in a given OU.

It all comes back to "It depends".

flooble
  • 1
    +1. One big 'it depends' is how many users you're supporting -- for small companies or organizations, often the most straightforward thing is to have a single OU and organize/apply GPOs by groups. However, even in small settings lots of things can complicate this (geography, organizational structure, etc.) so, as you say, it really does depend. – nedm Oct 04 '10 at 00:44
1

You've got the right idea with putting people in different OUs depending on what Group Policies you want them to have. Generally, OUs are used to separate people and computers to make it easier to be granular about which Group Policies you apply to each OU.

For example, my AD structure goes something like this with some pretty generic GPOs at the top, and more granular ones as it gets further down. For example, at the /Acme Widgets OU, I set things like download updates from our WSUS server (since this applies to ALL computers) and at the /Acme Widgets/Internal/Computers/Internet Cafe OU I have a GPO which restricts almost everything the user can do.

Basically, OUs are there to help you manage your GPOs, but how you do that is ultimately up to you.

corp.acme-widgets.local
----Acme Widgets
--------Internal
------------Computers
----------------Finance
----------------Human Resources
----------------Internet cafe
----------------IT
----------------Sales
--------------------Area 1
--------------------Area 2
------------Users
----------------Finance
----------------Human Resources
----------------IT
----------------Sales
--------------------Area 1
--------------------Area 2
--------External
------------Computers
------------Users

Ben Pilbrow
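
The scoping both answers describe, as an added example that is not code from either answer: a small Python model of how a GPO linked to an OU is inherited by child OUs and can be narrowed to a group with security filtering. OU paths follow the tree above; the GPO names, the Contractors and Finance Staff groups and the function names are assumptions, and site/local policy, Enforced, Block Inheritance, loopback and WMI filters are not modelled.

```python
# Simplified model of Group Policy scoping (added example).
# A GPO is linked to an OU and inherited by every OU beneath it.
# Security filtering then limits a linked GPO to members of named groups.

# Constructed sample data: OU paths match the tree in the answer above,
# GPO names are hypothetical.
GPO_LINKS = {
    "Acme Widgets": ["WSUS Updates"],
    "Acme Widgets/Internal/Computers/Internet cafe": ["Kiosk Lockdown"],
    "Acme Widgets/Internal/Users": ["Screen Lock"],
    "Acme Widgets/Internal/Users/Finance": ["Finance Drive Maps",
                                            "Contractor Restrictions"],
}

# GPOs missing from this map keep the default filter (Authenticated Users),
# so they apply to every object in scope of the link.
SECURITY_FILTER = {
    "Contractor Restrictions": {"Contractors"},  # hypothetical group
}


def ou_chain(ou_path):
    """Return the OU and all of its ancestors, top-most first."""
    parts = ou_path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_gpos(ou_path, groups):
    """GPOs applying to an object in ou_path that belongs to `groups`.

    Parent OUs are processed first, so on a conflicting setting the GPO
    linked closest to the object wins. Link order inside one OU is not
    modelled.
    """
    member_of = set(groups)
    applied = []
    for ou in ou_chain(ou_path):
        for gpo in GPO_LINKS.get(ou, []):
            allowed = SECURITY_FILTER.get(gpo)
            if allowed is None or allowed & member_of:
                applied.append(gpo)
    return applied


if __name__ == "__main__":
    finance = "Acme Widgets/Internal/Users/Finance"
    print(effective_gpos(finance, ["Finance Staff"]))
    print(effective_gpos(finance, ["Finance Staff", "Contractors"]))
    print(effective_gpos("Acme Widgets/Internal/Users/Sales/Area 1", ["Contractors"]))
```

A contractor in the Sales OU does not receive the contractor GPO, because the filter only narrows a GPO that is already in scope through its OU link.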