I asked a question here before and got some good responses. And I have read some books and articles about AD design and deployment.

Now I have another query: If I design AD in my head office and use OUs like below, then is it possible to manage my other site office's users by OUs?

I am planning AD design like this:

Domain

    (OU)--- Head Office
            (OU)--- Various Departments (Acc, Fin, Sales...)
                    (Objects)
    (OU)--- Site Office_1
            (OU)--- Various Departments (Production, Commercial, Power....)
                    (Objects)
    (OU)--- Site Office_2
            (OU)--- Various Departments
                    (Objects)

Is it a good idea to design my AD structure?

Shahidul

2 Answers

Yes, you would be able to manage all of your AD from any location (there might be issues if you use read only domain controllers at remote sites, but that's another subject).

You don't need to organise your AD objects into containers that group sites together (you can actually define an AD site, and assign policies on a per-site basis).

At the end of the day, make your OU structure work for you and your fellow administrators. If Site Office_1 also has the Acc department working from there (or might at some point in the future), then grouping objects by site might not be the best option, as to apply a policy to all Acc users and computers, you'd have to apply the policy in multiple locations in your AD structure.

It really does depend on your company's needs though. Organise the OU structure in whatever way will make your job easier. It is very difficult for somebody outside your organisation to know what the best solution is, as it really depends upon your requirements.

Bryan
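
The point above about Acc appearing under more than one site, as an added PowerShell example (not code from either answer). The domain DN `DC=example,DC=com`, the GPO name and the department placed under Site Office_2 are assumptions; the GPO must already exist.

```powershell
# Added example. Assumed values: domain DN, GPO name, Site Office_2 department.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=com'            # assumed domain
$gpoName  = 'Acc - Workstation Baseline'   # hypothetical GPO, created beforehand

# Site-first layout from the question; Acc also sits under Site Office_1,
# which is the situation the answer warns about.
$layout = [ordered]@{
    'Head Office'   = 'Acc', 'Fin', 'Sales'
    'Site Office_1' = 'Production', 'Commercial', 'Power', 'Acc'
    'Site Office_2' = 'Production'         # constructed; the question leaves it open
}

foreach ($site in $layout.Keys) {
    $siteDn = "OU=$site,$domainDn"
    # Create the site OU only if it is missing, so the script can be re-run.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$site'" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $site -Path $domainDn
    }
    foreach ($dept in $layout[$site]) {
        if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$dept'" -SearchBase $siteDn -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $dept -Path $siteDn
        }
    }
}

# Each OU named Acc is its own link target: one policy, several places to
# link it and to keep in step when a site gains or loses the department.
$accOus = @(Get-ADOrganizationalUnit -Filter "Name -eq 'Acc'" -SearchBase $domainDn -SearchScope Subtree)
foreach ($ou in $accOus) {
    $linked = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks.DisplayName
    if ($linked -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
    }
}

# Report how many separate links the site-first layout needs for this policy.
"{0} link targets for '{1}':" -f $accOus.Count, $gpoName
$accOus | Select-Object -ExpandProperty DistinguishedName
```

With this layout the script reports two link targets for the one policy; a department-first layout would have a single Acc OU to link.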

That structure would work. This design would work great for companies that have enough users in each department to warrant an OU for that particular site. So the question you have to answer is this - do I have enough users and computers to justify that sort of design, or will it be overkill to give each department an OU if they only have 3-4 users? How will you deal with employees who split their time between multiple departments?

The nice thing about Active Directory is that there are multiple right ways to design the system to meet your needs. In addition to creating multiple OUs for each of your sites to handle your business functional areas, I've worked in a number of environments where there was just one or two OUs for users (one for production workers and one for office workers in a site that had about 5,000 employees), and I've seen reference designs where OUs were based around functional areas entirely.

Your design needs to reflect your business practice, and it needs to make sense to the people who maintain it.

smassey