prankmonkey
Posts: 5
04/19/2008 7:07 AM

With XP SP3 round the corner we thought it may be a good idea to clean up old workstations out of AD. We currently have it designed with a parent OU of XP and child containers of Desktop and Laptop. No matter what site it's in, if it's a desktop it's in Desktop, a laptop in the Laptop container. We currently use Group Policy and security groups to filter WSUS update groups, but if we had, say, a geographic structure it would make things a little more organised. So I was thinking something along the lines of a parent OU of XPSP3, a child container of LocationX, and child containers of Desktop and Laptop under that one. I know the mantra is to KISS, but from a management standpoint it makes things seem organised. Is it worthwhile doing this?
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
bdesmond
Posts: 291
04/19/2008 1:09 PM

I've done both models many times. If you want to apply policies by location then it makes great sense. IMO it's easier to manage than group memberships.
If your naming convention implies location, you can have a scheduled job which sorts computers out of the default location (e.g. the Computers container) and moves them to the right OU.
--brian
-- Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
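The sorter job Brian describes, as an added example that is not code from the thread or from any of the posters. The hostname convention (LOC-TYPE-NNNN), the OU layout under OU=Workstations, the location allow-list and the service account are all assumptions made for illustration; it uses the RSAT ActiveDirectory module, which postdates the thread (the same logic on a 2003-era domain would be a dsquery/dsmove or VBScript job).

```powershell
# Added example, not code from the thread or from any of the posters. It
# implements the "sorter" Brian describes: a scheduled job that moves computer
# accounts out of the default Computers container into a location/type OU
# derived from the hostname. Everything below is assumed for illustration:
#   - hostnames follow <LOC>-<TYPE>-<NNNN>, e.g. LON-DT-0042 or NYC-LT-0007
#   - target OUs already exist as
#     OU=Desktop|Laptop,OU=<LOC>,OU=Workstations,<domain DN>
#   - the job runs with the RSAT ActiveDirectory module under a service
#     account delegated only Delete on the source objects and
#     "Create Computer objects" on the target OUs (that is what a move needs),
#     not Domain Admins.
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName
$SourceDN  = "CN=Computers,$DomainDN"
$RootOU    = "OU=Workstations,$DomainDN"
$TypeToOU  = @{ 'DT' = 'Desktop'; 'LT' = 'Laptop' }
# Allow-list of location codes. The hostname is chosen by whoever joins the
# machine, so an unknown code must leave the account where it is rather than
# route it into an OU (and a GPO set) nobody reviewed.
$Locations = @('LON', 'NYC', 'SYD')
$Pattern   = '^(?<loc>[A-Z]{3})-(?<type>DT|LT)-\d{4}$'
$DryRun    = $true   # flip to $false once a dry-run log looks right

function Get-TargetOU {
    param([string]$Name)
    # -notmatch still fills $Matches when the pattern does match
    if ($Name -notmatch $Pattern) { return $null }
    if ($Locations -notcontains $Matches['loc']) { return $null }
    return "OU=$($TypeToOU[$Matches['type']]),OU=$($Matches['loc']),$RootOU"
}

function Test-OUExists {
    param([string]$DN)
    try { $null = Get-ADOrganizationalUnit -Identity $DN; return $true }
    catch { return $false }
}

$moved = 0; $skipped = 0
foreach ($computer in (Get-ADComputer -SearchBase $SourceDN -SearchScope OneLevel -Filter *)) {
    $target = Get-TargetOU -Name $computer.Name
    if (-not $target) {
        Write-Warning "skip $($computer.Name): name outside convention or location not allow-listed"
        $skipped++; continue
    }
    if (-not (Test-OUExists -DN $target)) {
        Write-Warning "skip $($computer.Name): target OU $target does not exist"
        $skipped++; continue
    }
    # Log before acting so a half-finished run is still auditable.
    Write-Output "$(Get-Date -Format s) move $($computer.Name) -> $target"
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target -WhatIf:$DryRun
    $moved++
}
Write-Output "done: moved=$moved skipped=$skipped"
```

Two things to keep in mind with this pattern. A sorter like this turns a hostname into a policy decision: whoever is delegated the right to join machines also picks the name, so treat the name as untrusted input (hence the strict regex and the location allow-list) and send the skip warnings somewhere a person reads them. And the default Computers container cannot have a GPO linked to it, so a machine that joins between runs gets only domain-level policy; redircmp.exe can point new computer accounts at a quarantine OU with a restrictive baseline GPO linked, from which the sorter then moves them.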
bhopkins
Posts: 7
04/19/2008 1:24 PM

We have something similar to what you are suggesting here and it does make things easier to manage. One thing I would caution is not to nest the OUs too deep in the hope of making things more organized. While it may make sense on some levels, it makes managing your GPOs more complicated than it needs to be and introduces the risk of introducing unanticipated features with your policies.
Thanks Bruce Hopkins 770-528-4574 Director Information Systems Chattahoochee Technical College http://www.chattcollege.com
(\__/) (='.'=) This is Bunny. Copy and paste bunny into your (")_(") signature to help him gain world domination.
robertsingers
Posts: 116
04/20/2008 5:31 PM

Is that applying policies by physical location rather than by AD site? If so, how practical is that in the long run?
bdesmond
Posts: 291
04/20/2008 7:23 PM

I have customers that do that. Personally I think it's confusing because it's not the first place you remember to check for policies, but it works.
--brian
danholme
Posts: 114
04/20/2008 10:36 PM

You might take a look at Chapters 5, 6 and 8 of my Windows Administration Resource Kit. There are some thoughts about delegation and computer administration that might help.
My "bottom line" advice is that in all but the simplest environments:
1) OUs = delegation ONLY. If all computers are delegated the same, keep them in one bucket.
2) Groups = scopes for GPOs (desktops vs. laptops, "location" groups).
3) Saved Queries = administrative "views" of computers (dividing them up by this or that attribute) for doing things like resetting accounts, etc.
HTH
Dan
bdesmond
Posts: 291
04/20/2008 11:02 PM

So you're recommending that groups and security filtering be used to apply GPOs in lieu of an OU tree?
--brian
mkline
Posts: 15
04/20/2008 11:27 PM

Dan,
Let's say all computers are delegated the same and in one OU. If you then need to apply a GPO to a subset of machines, you create a security group, add those machines to the group and filter based on that group.
Do those computers need to be rebooted in order to become aware of their new group(s)? That presents another big challenge, especially if it is during business hours.
I do have your book but it is at work, so I can't look those chapters up to see if you elaborated on this OU design recommendation.
Thanks
Mike
bdesmond
Posts: 291
04/20/2008 11:53 PM

Yes, they would need to get bounced to have their token refreshed.
Keep in mind also that when a machine processes GPOs, it will check the ones it doesn't have access to in order to determine this. If you've got 12 "types" of machines in one OU, that's potentially 11 extra GPOs that have to get looked at on startup.
--brian
danholme
Posts: 114
04/21/2008 2:17 PM

1) Yes, I am suggesting using security group filtering rather than OUs in complex environments, because I've seen the OU debate devolve every time into political and religious wars about whether geography or system type (or...) is "more important", when the reality is that in complex environments both are important, in different C&CM scenarios. The reality is an OU is a "one truth" container, since the object "lives" in only one container. Groups reflect reality: a system is many things.
2) Yes, systems need to reboot to get new groups.
3) BUT how often are you adding new system categorization groups?? You start with something like desktops, laptops, tablets, workstations, and geography-based groups, and that doesn't change much over time. It's not like you "change" a desktop into a laptop; and if a system changes locations, in most scenarios it would entail a physical transfer, and I hope the system is off when that happens, so a reboot is entailed as well.
The challenge with "recommendations" is that there are ALWAYS exceptions, and you must prepare to manage the exceptions based on the unique characteristics of your environment, but I've seen TCO drop significantly with group-based filtering. Microsoft itself is a perfect example: 900+ GPOs linked to the domain and each user/system "gets" only a dozen or two, all through group filtering. I can't talk about my clients' environments since they're not published, but I can tell you it worked very well for us. But as you know there are many roads to Rome. If you want a "specific" recommendation taking in your enterprise's unique characteristics, several consultants on this list (me included) can help, but this is one proven (not the only proven) method that works :)
HTH
Dan
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
-- Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
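The scheduled sorting job Brian describes in the quoted reply above (move machines out of the default Computers container into a location OU keyed on the naming convention) could look like this in PowerShell. This is an added example, not code from the thread or from any of its authors; it assumes the RSAT ActiveDirectory module, a hypothetical SITE-T-nnnnn naming convention (three-letter site code, D or L, five digits) and pre-existing OU=<SITE>,OU=Workstations,<domain> containers.

```powershell
# Added example (not from the thread): sort newly joined computers out of the default
# Computers container into per-location OUs, keyed on the computer naming convention.
# Assumptions (hypothetical, adjust to your forest):
#   - RSAT ActiveDirectory module is installed
#   - computer names look like SITE-T-nnnnn, e.g. NYC-D-00123 (site code, D/L type, number)
#   - location OUs already exist as OU=<SITE>,OU=Workstations,<domain DN>
param([switch]$Commit)   # without -Commit the script only reports what it would move

Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$sourceDN    = "CN=Computers,$domainDN"
$targetRoot  = "OU=Workstations,$domainDN"
$namePattern = '^(?<site>[A-Z]{3})-(?<type>[DL])-\d{5}$'

$report = foreach ($pc in Get-ADComputer -Filter * -SearchBase $sourceDN -SearchScope OneLevel) {
    if ($pc.Name -notmatch $namePattern) {
        # A machine that breaks the convention stays where it is (receiving only domain-level
        # policy) and is surfaced for a human, rather than guessed into some OU.
        [pscustomobject]@{ Name = $pc.Name; Action = 'REVIEW'; Target = $null }
        continue
    }
    $targetDN = "OU=$($Matches.site),$targetRoot"
    if (-not [adsi]::Exists("LDAP://$targetDN")) {
        # Never create OUs from a scheduled job; a missing OU is a provisioning error to fix.
        [pscustomobject]@{ Name = $pc.Name; Action = 'MISSING-OU'; Target = $targetDN }
        continue
    }
    if ($Commit) {
        Move-ADObject -Identity $pc.DistinguishedName -TargetPath $targetDN
        [pscustomobject]@{ Name = $pc.Name; Action = 'MOVED'; Target = $targetDN }
    } else {
        [pscustomobject]@{ Name = $pc.Name; Action = 'WOULD-MOVE'; Target = $targetDN }
    }
}

$report | Format-Table -AutoSize
```

Run it as a scheduled task under a dedicated account that is delegated only what a move needs: delete rights on the Computers container and create-computer-object rights on each target OU, nothing domain-wide. Machines reported as REVIEW are the ones that will otherwise sit in the Computers container indefinitely, outside every OU-linked policy, which is exactly the case an attacker-joined or mis-imaged box falls into.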
| gabriel/tfi
Posts:96
 | | 04/25/2008 5:47 PM |
| I think SecurityGroup filtering and OUs to define GPO scope are NOT mutually exclusive in complex environments, especially the ones that are geographically distributed and have an OU structure designed on a per-site basis; very often delegation is enabled at the OU level that represents a geographic site, thus I agree with Dan that OU design should primarily reflect the delegation requirements (ACLing is not a walk in AD!).
You can use either GPOs applied to OUs (filtered by "Authenticated Users") or GPOs applied to a higher level in the tree and filter them by security group when the scope spans multiple OUs; this is the main advantage of SecGroup-filtered GPOs!
But OU-based GPOs also have their nice advantages. For example, they are "easier" to manage within ADUC and GPMC from a "visual perspective" (remember ADUC is also used by delegated "dumb admins" who could not easily understand why they have to change a group membership if they placed an object in the proper OU!).
They are also useful when, mainly for "political reasons" (= managers supporting the wrong side!), it is required that regional Admins are delegated to edit site-specific GPOs (I don't like this condition, but it happens!).
They're also OK when you really want to limit the scope of a GPO to a specific OU because the GPO is very "dangerous"! (Example: an ADM that tattoos risky registry hacks. What happens if you accidentally add Domain Computers or Domain Users to the security group used to filter a risky GPO linked at the domain level?)
The Microsoft GPO design you cited is something any Domain Admin would desire (I am personally a great fan of fully SecGroup-filtered GPOs!), but not all corporate environments are like Microsoft's. This discussion reflects, in a certain sense, the long-discussed topic of Centralized vs. Distributed management.
So, with all that said, why not use both of them? :-)
Finally, I don't like separate OUs for desktops and laptops, and formerly we used security groups to distinguish them.
That management was a burden (one example: if the computer object is deleted you need to remember to re-add it to the security group after the PC is rejoined to the domain, and restart the PC to update the access token). So later on we tried to automate the process by implementing WMI filters (Win32_SystemEnclosure class, ChassisTypes property - type: ARRAY), but unfortunately we were not successful as WQL (WMI Query Language) does not support the Array type. :-( (Is this fixed in Win2K8???)
As a workaround today we use WMI filtering based on Computer Model (Win32_ComputerSystem class) and it works like a charm!
It's almost a set-and-forget configuration (you have to change it only when a new PC model is introduced), but of course it works ONLY if you have a very standardized HW environment - that is anyway a requirement to do IT in an efficient manner.
I've always asked myself how much latency is introduced in client-side GPO processing when SecurityGroup and WMI filters are in place to define GPO scope.
Regards - Gabriele
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: lunedì 21 aprile 2008 20.17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU structure for workstations
1) Yes, I am suggesting using sec group filtering rather than OUs in complex environments, because I've seen the OU debate devolve every time into political and religious wars about whether geography or system type (or...) is "more important" when the reality is that in complex environments both are important, in different C&CM scenarios. The reality is an OU is a "one truth" container, since the object "lives" in only one container. Groups reflect reality: a system is many things.
2) Yes, systems need to reboot to get new groups.
3) BUT how often are you adding new system categorization groups?? You start with something like desktops, laptops, tablets, workstations, and geography-based groups, and that doesn't change much over time. It's not like you "change" a desktop into a laptop; and if a system changes locations, in most scenarios it would entail a physical transfer, and I hope the system is off when that happens, so a reboot is entailed as well.
| | | |
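The failure Gabriele warns about above (a "dangerous" GPO linked high in the tree whose filter group quietly ends up containing Domain Computers or Domain Users) is easy to audit for. The following is an added example, not code from the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules (Server 2008 R2 / Windows 7 RSAT or later) and walks group nesting so that a broad group hidden one level down inside a filter group is still caught.

```powershell
# Added example (not from the thread): list every GPO whose "Apply Group Policy" scope is,
# or contains through nesting, a broad principal (Everyone, Authenticated Users, Domain Users,
# Domain Computers), together with where the GPO is linked and any WMI filter on it.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$domainSid = (Get-ADDomain).DomainSID.Value

# Principals that turn "filtered" into "everyone": well-known SIDs plus the domain-wide groups.
$broad = @{
    'S-1-1-0'        = 'Everyone'
    'S-1-5-11'       = 'Authenticated Users'
    "$domainSid-513" = 'Domain Users'
    "$domainSid-515" = 'Domain Computers'
}

function Resolve-BroadPrincipal {
    # Returns the broad principal the trustee is, or contains via group nesting; $null if none.
    param([string]$Sid, [hashtable]$Seen = @{})
    if ($broad.ContainsKey($Sid)) { return $broad[$Sid] }
    if ($Seen.ContainsKey($Sid))  { return $null }          # guard against nested-group loops
    $Seen[$Sid] = $true
    try { $group = Get-ADGroup -Identity $Sid -ErrorAction Stop } catch { return $null }  # user/computer trustee
    # Direct members only: -Recursive would expand a nested Domain Computers into thousands of
    # leaf objects and hide the group itself, which is the thing we want to see.
    foreach ($m in Get-ADGroupMember -Identity $group -ErrorAction SilentlyContinue) {
        $hit = Resolve-BroadPrincipal -Sid $m.SID.Value -Seen $Seen
        if ($hit) { return "$($group.Name) -> $hit" }
    }
    return $null
}

# Map GPO GUID -> containers it is linked to, by parsing gPLink on the domain root and every OU.
$linkedAt = @{}
$containers = @(Get-ADObject -Identity $domainDN -Properties gPLink) +
              @(Get-ADOrganizationalUnit -Filter * -Properties gPLink)
foreach ($c in $containers) {
    foreach ($m in [regex]::Matches([string]$c.gPLink, '\{([0-9A-Fa-f-]+)\}')) {
        $g = $m.Groups[1].Value.ToUpper()
        if (-not $linkedAt.ContainsKey($g)) { $linkedAt[$g] = @() }
        $linkedAt[$g] += $c.DistinguishedName
    }
}

function Find-BroadlyAppliedGpos {
    foreach ($gpo in Get-GPO -All) {
        $applies = Get-GPPermission -Guid $gpo.Id -All |
                   Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
        foreach ($p in $applies) {
            $hit = Resolve-BroadPrincipal -Sid $p.Trustee.Sid.Value
            if (-not $hit) { continue }
            [pscustomobject]@{
                GPO       = $gpo.DisplayName
                AppliesTo = $p.Trustee.Name
                Via       = $hit
                WmiFilter = $gpo.WmiFilter.Name          # a WMI filter still narrows the scope
                LinkedAt  = ($linkedAt[$gpo.Id.ToString().ToUpper()] -join '; ')
            }
        }
    }
}

Find-BroadlyAppliedGpos | Sort-Object GPO | Format-Table -AutoSize -Wrap
```

The default domain policies will show up with Authenticated Users, which is by design; the rows to chase are GPOs that are supposed to be narrowly filtered but report a Via chain, and especially any of those linked at the domain root. Run it from a change-control job after every GPO or group edit, because the only thing standing between a "risky" GPO and every workstation is the membership of one group.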
| danholme
Posts:114
 | | 04/25/2008 6:07 PM |
| Agreed 100%.
OU = delegation.
*IF* by doing that you create usable scopes for GPOs, then go bananas! (Geographic delegation -> Geographic GPOs is a perfect example)
Else use SecGrp filtering.
*IF* you have 'special needs' that, by subdividing a delegation-based OU successfully gives you a scope for a GPO, great. But "use only for emergencies" - don't end up dividing often just to support GPOs, and definitely don't "rework" your delegation-based OU design to support GPOs.
BTW: 2 cents on desktops/laptops (see Chapter 6 of my Admin Resource Kit for details). I also like "dynamic groups" (scripts in the RK will give them to you). I fought with the WMI issues that Gabriele cites below. My recommendation to clients NOW is to create groups "the hard way" (WMI or hard-wired) for desktops & laptops, then have a NAMING CONVENTION that helps you identify desktops & laptops (e.g. Lxxxxxx or Dxxxxx) and to use that to create "dynamic" groups to which systems are automatically added/removed to maintain your management capability over those classes of systems. I found even Win32_ComputerSystem hit limitations with the increasingly diverse device types that are appearing.
Dan
| | | |
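The "dynamic group" Dan describes above (membership of the desktop and laptop scope groups derived from the naming convention on every run, so a rebuilt machine is re-added automatically and a renamed one is dropped) could be implemented like this. This is an added example, not the Resource Kit scripts Dan refers to nor any other code from the thread; it assumes the RSAT ActiveDirectory module, a hypothetical SITE-D-nnnnn / SITE-L-nnnnn naming convention and two pre-existing groups named GPO-Scope-Desktops and GPO-Scope-Laptops.

```powershell
# Added example (not from the thread): keep GPO scope groups in sync with the computer
# naming convention. Assumptions (hypothetical): RSAT ActiveDirectory module; names of the
# form SITE-D-nnnnn (desktop) / SITE-L-nnnnn (laptop); the two groups already exist.
param([switch]$Commit)   # without -Commit nothing is written, only reported

Import-Module ActiveDirectory

$rules = @{
    'GPO-Scope-Desktops' = '^[A-Z]{3}-D-\d{5}$'
    'GPO-Scope-Laptops'  = '^[A-Z]{3}-L-\d{5}$'
}

function Sync-ScopeGroup {
    # Returns the computers added to and removed from one group; writes only with -Commit.
    param([string]$GroupName, [string]$NamePattern, [switch]$Commit)

    # Desired membership: every enabled computer whose name matches the rule. A machine that
    # was deleted and rejoined gets a new object and SID but the same name, so it comes back
    # on the next run without anyone having to remember to re-add it.
    $wanted = @{}
    Get-ADComputer -Filter { Enabled -eq $true } |
        Where-Object { $_.Name -match $NamePattern } |
        ForEach-Object { $wanted[$_.DistinguishedName] = $_ }

    # Current membership: computers only, so a user or nested group someone added by hand
    # is left alone for a human to look at rather than silently removed.
    $current = @{}
    Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object { $current[$_.DistinguishedName] = $_ }

    $toAdd    = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) })
    $toRemove = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) })

    if ($Commit) {
        if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
        if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
    }
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd; Removed = $toRemove }
}

$result = foreach ($g in $rules.Keys) {
    Sync-ScopeGroup -GroupName $g -NamePattern $rules[$g] -Commit:$Commit
}
$result | Format-List

# As Brian and Dan note, a computer keeps its old group SIDs in its token until it restarts:
# the Added/Removed lists are therefore also the list of machines whose policy set is stale
# until their next reboot.
```

Because these groups are GPO scopes, write access to their membership is effectively the right to put a machine under, or pull it out from under, a policy; restrict it to the account that runs this job and audit changes to the group the same way you would audit the GPO itself.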
| robertsingers
Posts:116
 | | 04/27/2008 6:34 PM |
| My two cents:
You can do what I do and have sysprep run a script in the [GuiRunOnce] section to name your computers based on whether they're a laptop or a PC
It renames the computer based on AD site, a code based on the on the value returned from Win32_SystemEnclosure, followed by the last five digits of the serial number (snippet of code below).
I do the rename itself using netdom because I couldn't rename both the local computer and the AD object from a script. I could get it to do one or the other but not both.
' Perform WMI queries to get hardware details
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colChassis = objWMIService.ExecQuery _
    ("Select * from Win32_SystemEnclosure")
For Each objChassis In colChassis
    ' ChassisTypes is an array of numbers; convert to a string so the Case values below match
    strChassisNum = CStr(objChassis.ChassisTypes(0))   ' Chassis (case) type
    strSerialNum = objChassis.SerialNumber             ' Serial number
Next

' Create strings from WMI information
Select Case strChassisNum
    Case "3":  strChassis = "DT"   ' Desktop
    Case "4":  strChassis = "DT"   ' Low Profile Desktop
    Case "6":  strChassis = "DT"   ' Mini Tower
    Case "7":  strChassis = "DT"   ' Tower
    Case "8":  strChassis = "LT"   ' Portable
    Case "9":  strChassis = "LT"   ' Laptop
    Case "10": strChassis = "LT"   ' Notebook
    Case "11": strChassis = "HH"   ' Handheld
    Case "12": strChassis = "DT"   ' Docking Station
    Case "14": strChassis = "LT"   ' Sub-Notebook
    Case "24": strChassis = "DT"   ' Sealed-Case PC
    Case Else: strChassis = "XX"
End Select

strSerialSuffix = Right(strSerialNum, 5)   ' last five characters of the serial, used in the name
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: Saturday, 26 April 2008 10:04 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU structure for workstations
Agreed 100%.
OU = delegation.
*IF* by doing that you create usable scopes for GPOs, then go bananas! (Geographic delegation à Geographic GPOs is a perfect example)
Else use SecGrp filtering.
*IF* you have 'special needs' that, by subdividing a delegation-based OU successfully gives you a scope for a GPO, great. But "use only for emergencies" - don't end up dividing often just to support GPOs, and definitely don't "rework" your delegation-based OU design to support GPOs.
BTW: 2cents on desktops laptops (see Chapter 6 of my Admin Resource Kit for details). I also like "dynamic groups" (scripts in RK will give them to you). I fought with the WMI issues that Gabriele cites below. My recommendation to clients NOW is to create groups "the hard way" (WMI or hard-wired) for desktops & laptops, then have a NAMING CONVENTION that helps you identify desktops & laptops (e.g. Lxxxxxx or Dxxxxx) and to use that to create "dynamic" groups to which systems are automatically added/removed to maintain your management capability over those classes of systems. I found even Win32_ComputerSystem hit limitations with the increasingly diverse device types that are appearing.
Dan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Friday, April 25, 2008 11:42 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU structure for workstations
I think SecurityGroup-filtering and OUs to define GPO scope are NOT mutually exclusive in complex environments, especially the ones that are geographically distributed and have OU structure designed on a per-site basis, very often delegation is enabled at OU level that represents a geographic site, thus I agree with Dan that OU design should primarily reflect the delegation requirements (ACLing is not a walk in AD!).
You can use either GPOs applied to OUs (filtered by "Authenticated Users") or GPOs applied to a higher level in the tree and filter them by security group when the scope spans multiples OUs, this is the main advantage of SeGroup-filtered GPOs!
But also OU-based GPOs have their nice advantages. For example, they are "easier" to be managed within ADUC and GPMC from a "visual perspective" (remember ADUC is also used by delegated "dumb admins" that could not easily understand why they have to change a group membership if they placed an object in the proper OU!).
Also they are useful when, mainly for "political reasons" (=managers supporting the wrong side!), it is required that regional Admins are delegated to edit site-specific GPOs (I don't like this condition, but it happens!).
Also they're OK when you really want to limit the scope of a GPO to a specific OU because the GPO is very "dangerous"! (example an ADM that tatooes risky registry hacks, what happens if you accidentally add Domain Computers or Domain Users to the SecurityGroup used to filter a risky GPO linked at the domain level?).
The Microsoft GPO design you cited is something any Domain Admin would desire - I am personally a great fan of full SecGroup filtered GPOs! - , but the not all corporate environments are like Microsoft's. This discussion reflects in a certain sense, the long discussed topic Centralized vs. Distributed management.
So, with al that said, why not using both of them? J
Finally, I don't like separate OUs for desktops and laptops and formerly we used security groups to distinguish them.
That management was a burden (one example: if the computer object is deleted you need to remember to re-add it to the security group after the PC is rejoined to the domain and restart the PC to update the access token). So later on we tried to automate the process by implementing WMI filters (Win32_SystemEnclosure class, ChassisTypes property - type: ARRAY), but unfortunately we were not successful as WQL (WMI Query Language) does not support Array type. L (is this fixed in Win2K8???)
As a workaround today we use WMI filtering based on Computer Model (Win32_ComputerSystem class) and it works like a charm!
It's almost a set-and-forget configuration (you have to change it only when a new PC model is introduced), but of course it works ONLY if you have a very standardized HW environment - that is anyway a requirement to do IT in an efficient manner.
I've always asked myself how much latency is introduced in client-side GPO processing when SecurityGroup and WMI filters are in place to define GPO scope.
Regards - Gabriele
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: lunedì 21 aprile 2008 20.17 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OU structure for workstations
1) Yes I am suggesting using sec group filtering rather than OUs in complex environments, because I've seen the OU debate devolve every time into political and religious wars about whether geography or system type (or...) is "more important" when the reality is that in complex environments both are important, in different C&CM scenarios. The reality is an OU is a "one truth" container, since the object "lives" in only one container. Groups reflect reality: a system is many things.
2) Yes systems need to reboot to get new groups
3) BUT how often are you adding new system categorization groups?? You start with something like desktops, laptops, tablets, workstations, and geography-based groups and that doesn't change much over time. It's not like you "change" a desktop into a laptop; and if a system changes locations in most scenarios it would entail a physical transfer and I hope the system is off when that happens, so a reboot is entailed as well.
That's the challenge with "recommendations": there are ALWAYS exceptions, and you must prepare to manage the exceptions based on the unique characteristics of your environment, but I've seen TCO drop significantly with group-based filtering. Microsoft itself is a perfect example. 900+ GPOs linked to the domain and each user/system "gets" only a dozen or two, all through group filtering. Can't talk about my clients' environments since they're not published, but I can tell you it worked very well for us. But as you know there are many roads to Rome. If you want a "specific" recommendation taking in your enterprise's unique characteristics, several consultants on this list (me included) can help, but this is one proven (not the only proven) method that works.
HTH
Dan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Sunday, April 20, 2008 5:48 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OU structure for workstations
Yes they would need to get bounced to have their token refreshed.
Keep in mind also that when a machine processes GPOs, it will check the ones it doesn't have access to in order to determine this. If you've got 12 "types" of machines in one OU, that's potentially 11 extra GPOs that have to get looked at on startup.
--brian
On Sun, Apr 20, 2008 at 11:24 PM, mike kline <mkline@gmail.com> wrote:
Dan,
Let's say all computers are delegated the same and in one OU. If you then need to apply a GPO to a subset of machines then you create a security group add those machines to the group and filter based on that group.
Do those computers need to be rebooted in order to become aware of their new group(s)? That presents another big challenge especially if it is during business hours.
I do have your book but it is at work so I can't look those chapters up to see if you elaborated on this OU design recommendation.
Thanks
Mike
On Sun, Apr 20, 2008 at 10:32 PM, Dan Holme <dan.holme@intelliem.com> wrote:
You might take a look at Chapter 5, 6 and 8 of my Windows Administration Resource Kit. There are some thoughts about delegation and computer administration that might help.
My "bottom line" advice is that in all but the simplest environments:
1) OUs = delegation ONLY. If all computers are delegated the same, keep them in one bucket
2) Groups = Scopes for GPOs (desktops vs. laptops, "location" groups)
3) Saved Queries = administrative "views" of computers (dividing them up by this or that attribute) for doing things like resetting accounts, etc.
HTH
Dan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Sunday, April 20, 2008 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OU structure for workstations
I have customers that do that. Personally I think it's confusing because it's not the first place you remember to check for policies, but, it works.
--brian
On Sun, Apr 20, 2008 at 5:30 PM, Robert Singers <robert.singers@dbh.govt.nz> wrote:
Is that apply policies via physical location rather than AD site? If so how practical is that in the long run?
Please Note:
The information contained in this email message and any attached files may be confidential and subject to privilege. Any opinions expressed in this message are not necessarily those of the Department of Building and Housing. All technical opinions are offered on a 'no-liability' basis. This message and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient, you are notified that any use, disclosure or copying of this email is unauthorised. If you have received this email in error, please notify us immediately by reply email and delete the original and any attachment(s). Thank you.