Thursday, January 7, 2010

Grouping and Re-Grouping for Group Policy

Must be the moon phase or something, but in the past two weeks I’ve had three people ask me about Organizational Units and Active Directory.  As in: how and why to create, name, organize and manage them.

It’s actually pretty simple:  OU’s are primarily used for targeting by Group Policy settings.  As in Group Policy Object (GPO) links.  Most of the time however, it seems they are seen through the green-tinted goggles of file server folders and shares.  The paradigm is very similar, so the mistake is actually understandable. But that’s the wrong way to look at them.

OU’s *can* be used to organize AD objects (users, groups, computers, printers, contacts, etc.) but that’s not really very useful since you also have Saved Queries and a buttload (yes, that’s a scientific term) of public-domain scripts to fetch and filter anything and everything you can probably dream up.

So, before you ask how you should create and organize OU’s, stop and consider how you plan on using GPO settings and on what types of objects.

Chances are you’re going to have policies that apply only to users, and some that apply only to computers.  So you might start there.  But if you have geographic issues, such as London office versus New York office, and maybe they need different GPO settings applied, then you have another aspect to consider.  Don’t stop here.  Map out (or draw, list, scribble, whatever) all the other dissections of your AD objects that may need to be controlled with GPO settings and how they relate from a logical grouping standpoint.  A graphic map or diagram works pretty well for this.  Start drawing circles around the common groups of objects.  Then use this to design your OU structure and it should start to fall in place all by itself.

Now, just to help kick you in the brain, ask yourself how these things play into your logical structuring:

  • Special users or groups
  • Special computers
  • Special printers
  • Service or Proxy user accounts (ok, special user again)

Depending on how large the portion of these “special” things are compared to your “normal” things, you may or may not need to consider altering your OU structure design.  Maybe you can leave them and use other techniques to exclude them from certain policy settings, or to only get certain policy settings, and well, you can figure it out.  Anyhow, the point I was trying to make before I forgot the point of making a point to point out, was that it’s kind of pointless to make OU’s for nothing more than moving things around into neat little folders.  They have a much greater purpose.  I hope this point had a point to point out. Eh.

Post a Comment