AD Structure

millhouse (joined Jul 19, 2004)
I'm curious to know how some of you have set up your AD OU structures. I am going to begin a project soon that requires me to do this and haven't really stayed in touch with the latest and greatest design ideas (Silly me).

Curious about OU layout and how you delegated control to the lower ranks to admin users, etc....
 
Our OU's in AD Users and Computers have the following layout:

Domain
  Domain Controllers
  Other default OU's
  Branch 1
    Department 1
    Department 2
    Department 3
    Department 4
    Department 5
    Department 6
    Workstations
  Branch 2
    Department 1
    Department 2
    Department 3
    Workstations
  Servers
  Users (for miscellaneous system users and security groups)

etc. Everything listed above is an OU (except for the domain of course), and under each of those OU's falls the respective users or computers.

Since we are a smaller organization (around 65 employees in two branches) only we Domain Admins have control of AD stuff.
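The two things this post asks about, an OU tree per branch and handing limited rights to lower-ranked admins, can both be scripted. The following is an added example written for this thread, not something any poster supplied: it builds the branch/department layout above with the RSAT ActiveDirectory module and then uses dsacls to let a per-branch helpdesk group reset passwords and unlock accounts only inside its own branch. The domain, the OU names and the group names (CORP\Branch1-Helpdesk etc.) are placeholders.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module and
# that the caller is a Domain Admin; group names below are placeholders.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example

# Nested hashtable mirroring the layout in the post; an empty hashtable is a leaf OU.
$Layout = @{
    'Servers'  = @{}
    'Users'    = @{}
    'Branch 1' = @{
        'Department 1' = @{}; 'Department 2' = @{}; 'Department 3' = @{}
        'Workstations' = @{}
    }
    'Branch 2' = @{
        'Department 1' = @{}; 'Department 2' = @{}
        'Workstations' = @{}
    }
}

function Test-OUExists {
    param([string]$DN)
    try { [void](Get-ADOrganizationalUnit -Identity $DN -ErrorAction Stop); $true }
    catch { $false }
}

function New-OUTree {
    param([hashtable]$Tree, [string]$ParentDN)
    foreach ($name in $Tree.Keys) {
        $dn = "OU=$name,$ParentDN"
        # Idempotent: create only if missing. ProtectedFromAccidentalDeletion blocks a
        # stray Delete from taking the OU and everything under it (see the later post
        # about an OU deleted by another admin).
        if (-not (Test-OUExists $dn)) {
            New-ADOrganizationalUnit -Name $name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
        }
        New-OUTree -Tree $Tree[$name] -ParentDN $dn
    }
}
New-OUTree -Tree $Layout -ParentDN $DomainDN

# Delegation: each helpdesk group gets Reset Password plus write on lockoutTime and
# pwdLastSet (needed for "unlock" and "must change at next logon") on user objects,
# inherited into that branch's sub-OUs only (/I:S). Nothing is granted domain-wide.
$Delegations = @{
    'Branch 1' = 'CORP\Branch1-Helpdesk'   # placeholder group names
    'Branch 2' = 'CORP\Branch2-Helpdesk'
}
foreach ($branch in $Delegations.Keys) {
    $ou  = "OU=$branch,$DomainDN"
    $grp = $Delegations[$branch]
    & dsacls.exe $ou /I:S /G "${grp}:CA;Reset Password;user"
    & dsacls.exe $ou /I:S /G "${grp}:RPWP;lockoutTime;user"
    & dsacls.exe $ou /I:S /G "${grp}:RPWP;pwdLastSet;user"
}

# Review what actually landed on one branch before handing the group out.
& dsacls.exe "OU=Branch 1,$DomainDN"
```

Re-running dsacls without arguments on the OU is the check worth keeping: it prints every ACE, so a grant that accidentally went to the domain root or without the `user` object-type restriction shows up immediately.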
 
DOMAIN
==Domain Controllers

==Servers

==Dept1
===Users
===Workstations
===Mobile

==Dept2
===Users
===Workstations
===Mobile
.......
 
ne0-reloaded said:
DOMAIN
==Domain Controllers

==Servers

==Dept1
===Users
===Workstations
===Mobile

==Dept2
===Users
===Workstations
===Mobile
.......
I usually use something similar to this.
 
Domain
  Domain Controllers
  Default OU's
  Computer Accounts
    Department 1
    Department 2
    Department 3
    Department 4
    Department 5
    Department 6
  User Accounts
    Department 1
    Department 2
    Department 3
    Department 4
    Department 5
    Department 6
  Servers
  Global Groups
 
Domain Controllers
- Workstations
- Servers

Groups
- Security
- Legacy
- Distribution

User Accounts
- Location 1
  - Users
  - Role Users
  - Disabled

- Location 2
  - Users
  - Role Users
  - Disabled

- Location 3
  - etc
- Location etc
 
Speaking of AD structures, have you had an OU corrupt?
 
DOMAIN
-Domain controllers
-Servers
-Employees
-Computer Accounts
 
Domain Controllers, default OUs
Groups (security groups)
--Software
--ISA
--Distribution
Users
--Secure/Admin
--Regular Accounts
PCs
--Laptops
--Desktops
Servers
 
Domain

-Domain Controllers

-Default OU's

-Servers

-Workstations
--Desktops
---2K
---XP
--Laptops
---2K
---XP

-Accounts
--Staff
--Students
---GY

-Groups
--Staff
---Distribution
---Security
--Students
 
Thanks all! There are some really good ideas I can take away from this. I know this is kind of an involved question and I appreciate you all taking the time.
 
There isn't really a science. It's just whatever works for you.
 
shade91 said:
There isn't really a science. It's just whatever works for you.

Pretty much hit the nail on the head. Matter of fact, you can throw all objects in one OU and get fancy with some security and WMI filtering if you wanted (it'd be more of a headache than anything else, but you get my point).
 
protias said:
Speaking of AD structures, have you had an OU corrupt?

Never had problems with an OU going corrupt. Had an issue once where the HR department supplied a file for password resets. They were only supposed to supply me a list of users who had never used their accounts to reset (a web app authenticates against AD for their employee self-service app, and over half the employees never use computers for anything else: truck drivers, etc). They sent me the wrong list to process and whoops, 2100 too many user accounts reset.

I was sure glad I had set up a scheduled process to run a system state backup every night 18 months earlier. One hour and an authoritative restore of the users container later, problem resolved (an authoritative restore is a lot easier on Windows 2003 than on 2K). An authoritative restore should handle any corrupted OU issue as long as you can determine the point at which it went corrupt.
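The nightly system state backup that saved the day above is a few lines to set up, and the restore it enables is a short ntdsutil session. The block below is an added example for this thread, not the poster's own scheduled process: it registers the backup as a scheduled task with wbadmin (Windows Server 2008 and later; on 2003 the equivalent is ntbackup) and lists the restore commands as comments. The target volume E: and the subtree DN are placeholders.

```powershell
# Added example (not from the thread). Assumes Windows Server 2008+ with the
# Windows Server Backup feature installed. E: is a placeholder for a volume that is
# not one of the DC's critical volumes.
$Target = 'E:'

# 1. Nightly system state backup at 02:00, run as SYSTEM with highest privileges
#    (wbadmin needs an elevated context).
$action    = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
             -Argument "start systemstatebackup -backupTarget:$Target -quiet"
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'DC-SystemState-Nightly' `
    -Action $action -Trigger $trigger -Principal $principal -Force

# 2. Periodically confirm that versions are accumulating on the target. A backup
#    nobody checks for 18 months may not be there when it is needed.
& wbadmin.exe get versions -backupTarget:$Target

# 3. Recovery of one subtree (e.g. the users container), done in Directory Services
#    Restore Mode on one DC:
#      a) non-authoritative restore of system state:
#           wbadmin start systemstaterecovery -version:<version from step 2>
#      b) then mark only the damaged subtree authoritative before rebooting:
#           ntdsutil
#             activate instance ntds
#             authoritative restore
#             restore subtree "OU=Users,DC=corp,DC=example"   # placeholder DN
#             quit
#             quit
#    Objects in that subtree get raised version numbers, so on reboot they win
#    replication against the other DCs instead of being overwritten by them.
```

Step 3b is the part to keep narrow: marking only the subtree that was damaged (rather than the whole database) limits what gets pushed back out to replication partners, which is the risk the next reply warns about.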


Default domain policy

-domain management security groups

-server ou
--data center support team 1
--data center support team 2

-centralized file security groups for data center servers

-AD authenticating app ou
--app managed team security group ou
--app service account users

-workstation ou
--testing
--training
--standard
--kiosk

-site ou
--machines exceptioned from workstation ou
--site managed security groups
--site managed service accounts

-Exchange
--whatever sub OUs the Exchange admins want

-user container with all users (an ancient app required all users to be here; now we have 6 apps coded for it, and there are too many issues with app redesign to move them, so we have to use workstation loopback GPOs to affect users. ICK)

-computer container (machines exceptioned from all but default domain policy; all others are automatically moved to the appropriate workstation or server OU by scheduled VBScripts based on naming convention. If something doesn't match, I check once a week and knock them off the domain)
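The scheduled move from the default computer container into a workstation or server OU by naming convention is easy to reproduce. The block below is an added example for this thread, written in PowerShell rather than the poster's VBScript and not their code: it applies a prefix-to-OU rule table to everything sitting in CN=Computers and reports, rather than removes, the machines that match no convention, since those are the ones worth looking at. The prefixes and OU names are assumptions.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
# Naming prefixes and target OUs are placeholders; adjust to the local convention.
Import-Module ActiveDirectory
$DomainDN = (Get-ADDomain).DistinguishedName

# Prefix -> target OU. First matching rule wins; unmatched machines are left alone.
$Rules = @(
    @{ Pattern = '^WS-STD-'  ; Target = "OU=standard,OU=workstation,$DomainDN" }
    @{ Pattern = '^WS-KIOSK-'; Target = "OU=kiosk,OU=workstation,$DomainDN" }
    @{ Pattern = '^WS-TEST-' ; Target = "OU=testing,OU=workstation,$DomainDN" }
    @{ Pattern = '^SRV-'     ; Target = "OU=server,$DomainDN" }
)

function Move-ComputersByName {
    param(
        [string]$SourceDN = "CN=Computers,$DomainDN",
        [switch]$WhatIf
    )
    $unmatched = @()
    # OneLevel: only objects directly in the container, not anything already sorted.
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SourceDN -SearchScope OneLevel) {
        $rule = $null
        foreach ($r in $Rules) {
            if ($c.Name -match $r.Pattern) { $rule = $r; break }
        }
        if ($null -eq $rule) { $unmatched += $c.Name; continue }
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $rule.Target -WhatIf:$WhatIf
        Write-Host "Moved $($c.Name) -> $($rule.Target)"
    }
    # A name that fits no convention is either a typo or a machine that joined the
    # domain outside the normal process; either way it sits in the container with
    # only the default domain policy applied, so it needs a human look.
    if ($unmatched) {
        Write-Warning "Unmatched, left in ${SourceDN}: $($unmatched -join ', ')"
    }
    return $unmatched
}

# Dry run first; drop -WhatIf once the rule table is right, then schedule it.
Move-ComputersByName -WhatIf
```

Because the function returns the unmatched names, a scheduled run can mail or log that list for the weekly check instead of relying on someone remembering to open the container.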
 
Be very careful with an authoritative restore if you have other DC's you are replicating to.
Using the D4/D2 BurFlag registry change always helps me best and is fast and easy.
I suggest a non-authoritative (D2) restore before you try an authoritative (D4) restore.
You leave open the possibility of corrupting your AD and then you'll have to run a demote and promote process of your AD/DNS/DHCP server. If you're on a single server environment then all you would have to do is use a previous system state backup and restore that. A demote and promote process can take up to 12 hours depending on the situation.

Rebuilding an OU is rather simple as long as you don't have tons of users/objects/resources connected.

I have never had an OU get corrupted (I have had one deleted by another admin) but I have rebuilt AD many times for many companies and it sucks ass!
 
People OU

Workstations OU
--Building 1
----Room 1
----Room 2
--Building 2
...


OUs broken up by location, mainly to set default printers in a workstation logon script. Users jump between rooms and buildings with roaming profiles.

Never corrupted an OU before, did corrupt the schema though. On our Win2K servers, that wasn't pretty.
 