Need help with OU's



  • I have Server 2008r2 running AD and RDS (I know, it's a no-no) and I have 3 other Servers connected to it (2x2008r2 and 2012). I read about OUs and how it would allow specified restrictions per group versus per user. I have no OUs, just users.

    I would like to move my users out of the "root" of AD into newly created OUs, which I don't know how to do.

    From what I remember reading a few years back, I can add "rules" to OUs after creating them.

    To create a new user, I usually use copy, so with OUs do you copy a user within that OU?

    Thanks for any input!



  • No, you move a user into an OU. They exist in a place. Then you can make a GPO and apply it to that OU.



  • I see, right click user and choose move and choose OU. Thanks.



  • @technobabble said:

    I see, right click user and choose move and choose OU. Thanks.

    Or just drag and drop 🙂



  • You can also do the same with computers. Some of the things you can do with proper AD structure are truly amazing!



  • You can actually change the default location in which new users get created if you want to do that as well as part of your project. I believe by default they go into the Users folder but not into any OU.



  • Oh, and just beware of moving administrative accounts in AD that may have been created for services like Exchange. That can break a lot of things. I remember moving either a user or a couple of groups out of the default Users folder in AD and not even being able to reach the desktop of my Exchange server after an attempted login until they were moved back.



  • Thanks everyone...lucky for me, no Exchange on premise.



  • It is a better practice to create an OU for computers and an OU for users. This separation will help you in dealing with computer and user configuration. Then create and link group policy to your OUs, and you will get a nice AD structure.



  • @IT-ADMIN said:

    It is a better practice to create an OU for computers and an OU for users. This separation will help you in dealing with computer and user configuration. Then create and link group policy to your OUs, and you will get a nice AD structure.

    And different OUs for servers and desktops too.



  • @scottalanmiller said:

    @IT-ADMIN said:

    It is a better practice to create an OU for computers and an OU for users. This separation will help you in dealing with computer and user configuration. Then create and link group policy to your OUs, and you will get a nice AD structure.

    And different OUs for servers and desktops too.

    That makes sense, Now to plan my mods to the AD!



  • @technobabble Also make sure that you create a GPO for each policy. I mean, don't set all your policies in a single GPO, but put each policy in a separate GPO, so if you want to remove a specific policy you will not have to remove all the policies that reside in the same GPO; rather, you will remove the GPO that has only one policy.



  • @IT-ADMIN said:

    @technobabble Also make sure that you create a GPO for each policy. I mean, don't set all your policies in a single GPO, but put each policy in a separate GPO, so if you want to remove a specific policy you will not have to remove all the policies that reside in the same GPO; rather, you will remove the GPO that has only one policy.

    You have to be careful with this, multiple GPOs to a single user/device can slow things down for logon, etc. Separation is nice, but you do have to pay attention to how it affects logon times.
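One way to check the logon-time concern raised here: list every GPO that an object in a given OU would process, inherited links included, and flag GPOs whose enabled side has no settings. This is an added example, not code from the thread; it assumes the ActiveDirectory and GroupPolicy RSAT modules, PowerShell 3.0 or later, and a placeholder OU path you replace with your own.

```powershell
# Added example, not from the thread. Lists the GPOs that apply to objects in
# one OU, in processing order, following the inheritance chain the client
# uses (domain first, then each OU down to the target).
# Assumes RSAT ActiveDirectory + GroupPolicy modules and PowerShell 3.0+.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoLoadForOu {
    param([Parameter(Mandatory)][string]$OuDN)

    # InheritedGpoLinks already honours Block Inheritance and Enforced links.
    # It does NOT model security filtering or WMI filters; gpresult does.
    $inheritance = Get-GPInheritance -Target $OuDN
    foreach ($link in $inheritance.InheritedGpoLinks) {
        if (-not $link.Enabled) { continue }     # disabled links are never processed
        $gpo    = Get-GPO -Guid $link.GpoId
        $status = $gpo.GpoStatus.ToString()      # AllSettingsEnabled, UserSettingsDisabled, ...
        [pscustomobject]@{
            Order         = $link.Order
            Name          = $gpo.DisplayName
            LinkedAt      = $link.Target
            Enforced      = $link.Enforced
            # Which halves of the GPO the client will actually evaluate
            ComputerSide  = @('ComputerSettingsDisabled', 'AllSettingsDisabled') -notcontains $status
            UserSide      = @('UserSettingsDisabled', 'AllSettingsDisabled') -notcontains $status
            # Version 0 on a side means nothing was ever configured there
            EmptyComputer = ($gpo.Computer.DSVersion -eq 0)
            EmptyUser     = ($gpo.User.DSVersion -eq 0)
        }
    }
}

# Placeholder OU; substitute one of your own
$ou = "OU=Engineering,OU=Users,OU=HQ,$((Get-ADDomain).DistinguishedName)"
$report = @(Get-GpoLoadForOu -OuDN $ou)
$report | Format-Table Order, Name, LinkedAt, Enforced, ComputerSide, UserSide, EmptyComputer, EmptyUser -AutoSize

$userCount = @($report | Where-Object { $_.UserSide }).Count
$compCount = @($report | Where-Object { $_.ComputerSide }).Count
"Objects in $ou process $userCount GPO(s) on the user side and $compCount on the computer side."

# A GPO whose enabled side has no settings is pure logon overhead: disable that
# side (GPMC > GPO > Details > GPO Status) or fold it into another GPO.
$report | Where-Object { ($_.UserSide -and $_.EmptyUser) -or ($_.ComputerSide -and $_.EmptyComputer) } |
    Select-Object Name, LinkedAt
```

For the actual per-user picture, including security filtering and WMI filters, compare the list against `gpresult /r` on a client in that OU.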



  • Yes, of course we have to be careful. By multiple GPOs I don't mean having so many of them that you get a slow login, but having a reasonable number of them and not only one, for example 6 principal GPOs that contain the main policies, and renaming each GPO with a name that combines the roles of this GPO, like:
    "set proxy setting and prevent users from changing it"
    These are 2 policies but serve the same purpose, so you know what this policy does.



  • @Dashrender said:

    @IT-ADMIN said:

    @technobabble Also make sure that you create a GPO for each policy. I mean, don't set all your policies in a single GPO, but put each policy in a separate GPO, so if you want to remove a specific policy you will not have to remove all the policies that reside in the same GPO; rather, you will remove the GPO that has only one policy.

    You have to be careful with this, multiple GPOs to a single user/device can slow things down for logon, etc. Separation is nice, but you do have to pay attention to how it affects logon times.

    Yes! I like to keep one GPO per major unit, with sub-GPOs as needed. For example:
    Company.com - Default Domain Policy
    -HQ (No policies)
    --Computers - HQ Computers Policy
    ---Engineering - HQ Engineering Computers Policy
    --Users - HQ users Policy
    ---Engineering - HQ Engineering Users Policy

    This gives enough granularity to implement nearly any setting needed, while keeping the number of GPOs to a minimum.
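A scripted version of the OU tree and GPO layout sketched in the post above, which also covers the "move a user into an OU" step and the default-container redirection mentioned earlier in the thread. This is an added example, not code from the thread; it assumes the ActiveDirectory and GroupPolicy RSAT modules on a DC or admin workstation, rights to create OUs and GPOs, and the placeholder names jdoe and ENG-WS01.

```powershell
# Added example, not from the thread: build the HQ / Computers / Users / Engineering
# layout from the post, create and link the named GPOs, move one user and one
# computer into it, and redirect the default containers for new objects.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; jdoe and ENG-WS01 are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=company,DC=com

# OU path => GPO linked there ($null = container OU with no policy, as in the post)
$layout = [ordered]@{
    "OU=HQ,$domainDN"                             = $null
    "OU=Computers,OU=HQ,$domainDN"                = 'HQ Computers Policy'
    "OU=Engineering,OU=Computers,OU=HQ,$domainDN" = 'HQ Engineering Computers Policy'
    "OU=Users,OU=HQ,$domainDN"                    = 'HQ Users Policy'
    "OU=Engineering,OU=Users,OU=HQ,$domainDN"     = 'HQ Engineering Users Policy'
}

foreach ($ouDN in $layout.Keys) {
    # Split "OU=Name,<parent DN>" into the OU name and its parent
    $name, $parent = $ouDN -split ',', 2
    $name = $name -replace '^OU=', ''
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $name -Path $parent   # ProtectedFromAccidentalDeletion stays on
    }
    $gpoName = $layout[$ouDN]
    if ($gpoName) {
        if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
            New-GPO -Name $gpoName | Out-Null
        }
        # Link only if not already linked, so the script is safe to re-run
        $links = (Get-GPInheritance -Target $ouDN).GpoLinks
        if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
            New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
        }
    }
}

# The "right click > Move" / drag-and-drop step, scripted: move a user and a computer
$user = Get-ADUser -Identity 'jdoe'          # placeholder sAMAccountName
Move-ADObject -Identity $user.DistinguishedName -TargetPath "OU=Engineering,OU=Users,OU=HQ,$domainDN"
$pc = Get-ADComputer -Identity 'ENG-WS01'    # placeholder computer name
Move-ADObject -Identity $pc.DistinguishedName -TargetPath "OU=Engineering,OU=Computers,OU=HQ,$domainDN"

# Make newly created users and computers land in the OUs instead of CN=Users / CN=Computers
redirusr.exe "OU=Users,OU=HQ,$domainDN"
redircmp.exe "OU=Computers,OU=HQ,$domainDN"
```

Run it once in a lab domain first; moving built-in or service accounts out of CN=Users is the case the thread warns about, so keep those where they are.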



  • Fantastic information peeps...lol..peeps...it's Easter! Hope everyone had a good day!



  • Peeps


