First, I’ll provide a summary of OU benefits as I see them and the resultant OU design that takes advantage of these benefits. Note that an OU design cannot be considered in isolation, and must at least take into account the forest/domain design, site design, DC placement and delegation of administration.
OU Benefits
There are several uses for OUs, often not fully considered when creating or changing an OU structure. An OU structure can be modified with unexpected results if the resultant set of policy and delegation of administration is not taken into consideration.
Delegation of Administration
Administration of objects can be logically set at the container level. The DACL for any objects in the container, and typically sub-containers/sub-objects, will also be modified to provide an inherited security model.
Grouping of objects
Grouping objects by container – such as for different types of servers – can help from a visibility perspective when administering those objects. However, logical grouping of objects requires more management to ensure that objects are grouped correctly on an ongoing basis.
The major disadvantages of this method are that the grouping types used become blurred over time and often one server fits into multiple groups.
Targets for Group Policy Objects
The OU containers provide a logical target for GPOs, generally indicating that a particular GPO should apply to the objects in that container, as well as sub-containers and their objects.
Again, the major disadvantage of this method is that a computer object can exist only in one OU, limiting the flexibility in GPO application.
OU Design
The design is a combination of OU and container objects, useful for taking advantage of the three major uses for OUs described above. As a summary, this OU solution includes:
1. A top-level OU, used for targeting security-filtered GPOs
2. Sub-containers, used for logical grouping of objects and delegation of administration. Note these are container objects, not OU objects
In my opinion, using a combination of OUs and container objects provides the most flexibility with the least risk and lowest ongoing management costs. There is no possibility of assigning policies to sub-OUs and then having to resort to policy blocking, GPOs are applied at one level and simple security group membership controls application.
This design provides the most flexibility when:
- Applying multiple GPOs to a single object without relying on blocking inheritance or complicated tree structures
- Delegating administration to groups of objects. Containers can be created to delegate administration for groups of objects, without changing the GPO application.
- Grouping objects for administration. Containers can be created for visibility of like objects, without changing GPO application.
There are several caveats when using this solution, but correct communication and following due process will negate any issues:
- Container objects cannot be created through dsa.msc, adsiedit.msc or something equivalent must be used.
- Standard utilities such as dsquery provide functions targeting OUs, but not containers. Dsquery * can still be used to manage any object in the AD.
OU/Container structure example
To provide logical grouping of objects and delegated access to those objects with flexible group policy application, the following structure could be used to manage domain member servers:
| Name | Type | Use |
|---|---|---|
| OU=SERVERS | OU | Security filtered GPO Target, Delegation of Administration |
| CN=Citrix,OU=SERVERS | Container | Computer grouping, Delegation of Administration |
| CN=Exchange,OU=SERVERS | Container | Computer grouping, Delegation of Administration |
| CN=%APPLICATION%,OU=SERVERS | Container | Computer grouping, Delegation of Administration |
| OU=%COMPANY%,OU=SERVERS | OU | Security filtered GPO Target, Delegation of Administration based on companies within one domain |
OU/Container Security example
| Name | Type | ACL |
|---|---|---|
| OU=SERVERS | OU | Manage_All_Servers |
| CN=Citrix,OU=SERVERS | Container | Manage_Citrix_Servers |
| CN=Exchange,OU=SERVERS | Container | Manage_Exchange_Servers |
| CN=%APPLICATION%,OU=SERVERS | Container | Manage_%application%_Servers |
| OU=%COMPANY%,OU=SERVERS | OU | Manage_%Company%_Servers |
Note that the ACLs would typically propagate to child objects and containers as appropriate.
References:
Designing an OU Structure that Supports Group Policy
http://technet2.microsoft.com/windowsserver/en/library/bf5437ce-389c-4dc9-953c-999f854b98d11033.mspx
Designing Organizational Units for Delegation of Administration
Creating an Organizational Unit Design
Group Policy Settings Reference
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.
No comments:
Post a Comment