Thread: Organizational Unit structure suggestions

  1. #1
    criskrit, Join Date: Apr 2011, Posts: 1

    Organizational Unit structure suggestions

    Hello, I have a Windows 2003/2008 domain that spans two locations (and AD sites), West Coast and East Coast. Each location contains people from various departments (i.e. professional services, engineering, etc.). I am looking for suggestions in regard to OU design. I want some location-specific settings (i.e. printers, etc.) and also some department-specific settings (shares, etc.). People also travel with their laptops between the two locations, so the location-specific settings cannot be based on computer name. What's the best way to organize such an environment? Thanks.

  2. #2
    jeff_longley, Join Date: Dec 2010, Posts: 61

    There's no hard and fast way to lay out your AD structure; it's about what works for you with the policies you create.

    First things first:
    Do you have a good link connecting the two sites? Is AD replicating properly?
    Next I'd look for the things you can standardise.
    DFS shares mean you can have the same share path in both locations then let NTFS permissions deal with who gets access to what.
    Are computer policies likely to be the same across both sites and/or departments?
    What policies have you got in place on your laptop users currently? Are their roaming habits likely to cause you issues?

  3. #3
    brad Guest

    OU Structure and multiple sites

    IP-Range.jpg

    Remember that your OU structure has little to do with your physical sites. A GPO applied to a designated security group will apply to members of that group regardless of which site they are in. You could choose to apply GPOs to sites, which would apply to those users logging on to the site itself. You could also use Group Policy Preferences and do an IP range which would apply to certain subnets. This way you could apply the GPO at the domain level and they would only apply to users as they logged onto each site's subnet. I have attached a screenshot for printers, but you can do many other types of GPP-based GPOs. That is the flexibility of Active Directory; there are many ways to go.

    Brad Rudisail
    Tech Support for GPanswers and PolicyPak Software
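
The IP-range targeting described in the post above, modelled as an added PowerShell example that is not part of the thread and is not GPanswers or PolicyPak code. The subnet ranges, printer paths and function names are constructed for illustration; the script only simulates the filter decision for a roaming laptop and does not read or create GPOs.

```powershell
# Constructed preference items: one printer mapping per location, each
# guarded by an IP range (hypothetical subnets and print servers).
$PrinterItems = @(
    [pscustomobject]@{ Site = 'West Coast'; Min = '10.10.0.1'; Max = '10.10.255.254'; Printer = '\\print-west\Floor1' }
    [pscustomobject]@{ Site = 'East Coast'; Min = '10.20.0.1'; Max = '10.20.255.254'; Printer = '\\print-east\Floor1' }
)

# Convert a dotted IPv4 address to a number so ranges can be compared.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address: $Address"
    }
    [long]$n = 0
    foreach ($b in $ip.GetAddressBytes()) { $n = ($n * 256) + $b }
    return $n
}

# True when the client's current address lies inside Min..Max (inclusive).
function Test-IpRangeFilter {
    param([string]$ClientAddress, [string]$Min, [string]$Max)
    $n = ConvertTo-IPv4Number $ClientAddress
    return ($n -ge (ConvertTo-IPv4Number $Min)) -and ($n -le (ConvertTo-IPv4Number $Max))
}

# Every item is evaluated for every client (as with a domain-level GPO);
# only the items whose range matches the current address are returned.
function Get-ApplicablePrinter {
    param([string]$ClientAddress)
    $PrinterItems |
        Where-Object { Test-IpRangeFilter $ClientAddress $_.Min $_.Max } |
        Select-Object -ExpandProperty Printer
}

# The same laptop, identified only by the address it currently holds:
Get-ApplicablePrinter '10.10.4.37'     # connected at the West Coast office
Get-ApplicablePrinter '10.20.9.112'    # connected at the East Coast office
Get-ApplicablePrinter '192.168.1.50'   # address outside both ranges
```

Because the decision depends only on the current address, the computer name and OU placement never enter into it, which is what makes this approach fit laptops that move between the two locations.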
