![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
Windows Server 2003/AD/Group Policy Help
- Thread starter dx2
- Start date
dbwillis
[H]F Junkie
- Joined
- Jul 9, 2002
- Messages
- 9,435
try Microsoft.com?
Ive gotten some great tips from http://www.petri.co.il/ (namely the ones that give additional info in AD users and computers)
Ive gotten some great tips from http://www.petri.co.il/ (namely the ones that give additional info in AD users and computers)
Well here is the deal....we are creating a "child" domain on an open academic network. However our child domain needs much more restrictive policies than the typical university hospital computers.
The AD we are going to draw objects from is a good couple thousand objects, very loosely organized.
Any tips on implementing/going this child domain route? or better ways?
The AD we are going to draw objects from is a good couple thousand objects, very loosely organized.
Any tips on implementing/going this child domain route? or better ways?
Child domains are a good way to segment out something that needs a different set of standards from the rest of the organization. I would suggest getting organized. Decide what your "ideal" structure is. Decide where you want to place user, computers, etc in the directory. Keep a consistant structure. Limit who can modify that structure. Here's one way that I have done this:dx2 said:
Code:
(root)
>Users
>Computers
>(etc)
>Departments
>(Department 1)
>Users
>Computers
>(Department 2)
>Users
>Computers
>(etc)We've started meeting to plan the directory structure. What concerns me is how many branches my manager wants it broken down into.
We have 25 sites, each with doctors, 3 kinds of nurses, and various other workers.
Is there any point that a directory structure can become to deep that it makes management a chore or impacts performance?
We have 25 sites, each with doctors, 3 kinds of nurses, and various other workers.
Is there any point that a directory structure can become to deep that it makes management a chore or impacts performance?
Yes. Where that point is must be decided by the business/administrators. There will be some middle ground though. The main goal should be standardization. Once that standard is defined, everything else should fall into place.dx2 said:
Given some of your information, here is the direction I might go:
Code:
(root)
>Users
>Computers
>(etc)
>Sites
>(Site 1)
>Users
>Computers
>(Site 2)
>Users
>Computers
>(etc)You can always subdivide each site into more detail. That's up to you. If you are using policy inheritance (recommended), most policies will be assiged to a site. You should only use the "more detailed" when a specific case requires it as this will reduce administrative effort to manage the system.
There are some things that are a domain-wide settings. Password policy is one of them. You can only have one password policy per domain. So, if you need to implement multiple password policies, then the only way to accomplish this is to create another domain in the forest or use a third party tool.Dan_D said:
Dan_D said:
Since we are seperate from the data-center where the majority of the servers are...they want to delegate control to us as a child domain instead of risking us accidentally misconfiguring something and having the dns stop working in the ER.
an even scarier thought being an ER is using microsoft