real-world: OUs and Groups

ssampier

I'm studying for 70-290. I am enjoying it so far; most of the stuff is review for me, since I have administered MS servers before (although only in a NT4/Novell Netware directory). I need some help understanding some of the sticky environments questions, specifically someone who has worked in a bigger environment than I have (SMB, one central datacenter with roaming users).

Here's the parts I am not getting or understanding as well as I should.

Groups
I understand there are 3 types of groups: global, universal, and domain local. Global groups can contain any members from the domain. Universal groups can contain any domain members in the forest.

You usually assign users to either global or universal groups. Then you assign resources to domain local groups. You nest global or universal groups in those domain local groups.

What I don't understand is why you would do that. You can add Universal and Global Groups to ACLs. To me this is easier since you could create a global groups for users, one for admins, executives, and so forth. With DLG groups I am imagining you have separate DLGs for all your resources--this would be a lot of groups!

I am sure there is something I am not grokking here. Please share your experience with me.

Second, OUs. I understand you use them for GPOs and to delegate administration (as well as logical separation, so you don't need to see 10,000 users in one place). That is great and all.

The design of OUs I'm missing the forest for the trees.

From my days of Novell classes I am remembering that OUs are usually created for departments. Is this really the most efficient structure?

If you had 3 physical locations, say New York, Tokyo, and London and you had a three sets of marketing departments for localized/culture marketing, would you nest OUs by location and then department?

Or would it be better to give each location its own domain?

I realize this question is probably better suited to the higher MS exams. But it would help my thinking to understand how and why companies do things the way they do them.

Thanks! TE has been a big help to me.

Devilsbane

There are probably an infinite number of ways to set up your OU structure. Your job is to use the one that works best for you. From my brief period in IT, I haven't seen very elaborate OU schemes. Usually they just **** all of the average users into a single OU and then have a couple other ones for testing and administrative purposes.

Groups on the other hand are abundant. There are probably 300+ groups at the place I'm working. Each application seems to have at least one group associated with it. Adding individual users/computers to a universal group is a big no no. You only want to assign resources that never change to universals. Every time the membership of a universal changes, there is an instant replication across your forest. It doesn't make sense to flood your traffic every time a new employee starts work or leaves (which is likely at least once a day in a larger environment). So that is why you assign global groups as the members. Even if the membership of the global changes, the universal doesn't so no replication.

Why not assign to Globals? Because Globals are limited across your domains. For some companies, this isn't an issue. But what happens 5 years down the road when a new company is purchased. Do you really want to go through and revamp your entire group structure? Besides taking a massive amount of time, you will likely break something. So do it right the first time. The company I am with right now has 2 or 3 other companies that it owns, and the domains are trusted. I bet that wasn't expected 10 years ago when the initial domain was created.

Mojo_666

Real world you usually just use domain global groups which is the default option unless you have a reason not to like a trust relationships in place in which case you would make domain local groups so you can put users from other domains into them etc. You can change a global to a universal then to a local and back so tbh you can change them on the fly and you know when you have the wrong group type because you cannot for example select or browse the other domain for users when you are trying to add users to a global group but you can when it is domain local.

As far as OU's you have 2 basics designs, geographic and departmental, but if I had 3 sites I would have geographic OU's with departmental inside, unless the departments did actually do the same job and share the same recourse etc which the rarley do. (This also make things easy when you need to delegate to local IT guys btw and is akin to having a sperate domain, if wll managed OU's can and should be treated as a security boundry, no need for silly ammounts of domains like the NT days)

Real world things are usually messy and badly designed, I keep things simple and IMO you are better off the a slightly more complex and maybe duplicated OU and group structure than something simple which might require lots of policies, exceptions, denies and so on and so forth because everyone is lumped together, but again real world you usually go with what is in place or organise it to whatever works for you.

That's my opinion on things anyhow.

ssampier

That makes more sense. Thanks for help.

As for universal groups, yuck! Replication from changing one member...

In my test network I stuck primarily with GG and DLGs. Glad I made the right decision

In my test OU, I made a top level employee OU then location and then users . My philosophy was employees had different permissions/rights than external employees. I was wondering if this really made sense.

(cohowinery.com > Employees > Boston > (Users & Groups) > Computers)

ssampier

Passed this exam today. Even though the real-world stuff didn't help me pass, I'm sure it will help in the real world.

Thanks again.

MentholMoose

Congrats on the pass. Going for 293 next, or something else?

earweed

congrats on passing!

ssampier

Thanks!

Next is Security+. That gives me my MCSA. I will probably take a week or 2 off studying for the real world job hunt stuff Then plunge into 70-293 followed closely by 70-294 and a combo of 70-298 and 70-299.

Whew! Should be a busy (but satisfying) year.