Windows 2000 Active Directory Organizational Unit and Group Policy Planning
Adam Gordon, MCS Senior Consultant
Microsoft Corporation
Windows 2000 Deployment Conference
Agenda
OU concepts
OU planning & design principles
OU for delegation
OU for Group Policy
OU for publishing (and hiding) directory objects
OU design exercise
OU Concepts
What Is an Organizational Unit?
A container inside a domain
The element of hierarchical structure within the domain
Figure: a forest containing the Bioquest.com domain tree (with child domains sales.bioquest.com, rsrch.bioquest.com and dev.bioquest.com) and the Maggipharm.com domain
OUs vs. Domains
OUs are easily changed: moved, renamed, deleted
Within a domain, objects move easily between OUs
Less impact on performance
Domains vs. OUs
Replication boundary
Boundary for security policies and Domain Administrators
Rights intrinsic to Domain Admins
OUs: What Are They Good For?
Delegating Administration
Group Policies
Organizing Published Objects in the directory
OU Planning
Create an OU plan for each domain
Figure (planning sequence): Forest plan, Domain plan, OU plan (one per domain), Site topology
OU Planning Methodology
Figure (planning sequence): Forest plan, Domain plan, OU plan (one per domain), Site topology
Each OU plan covers three activities: Delegate Administration, Apply Group Policy, Organize Objects
OU Design Principles
Keep it simple
Think supportability
Know your customer's organizational and political boundaries
Detach the user from the workstation
Abstract the service from the server
Current Environment Analysis
Logon Scripts
"Functional" Groups (ifmember)
Current Administrative Boundaries
Current Domain Infrastructure
User Domains and Resource Domains: why are they there?
Users & Workstations
Restricted Labs, Kiosks, Factory Floors
Elevated Special Apps and Devices
OUs for Delegation
OUs for Delegation
You can assign permissions to directory objects on a per-attribute basis
Use OUs to "group" objects with similar needs for administrative control
Use Administrative Delegation to reduce the number of Domain Admins
Like NT 4 User and Resource Domains... only better
Class-based Delegation
Delegate administrative control on a per-class basis for each OU:
Users & Groups
Computers
Note: Workstations and Member Servers are both "Computers"
Domain Controllers are a distinct class in their own OU
Folders
Printers
Attribute-based Delegation
You can also assign rights to specific attributes of an object class
Example: Telecom Department
OU Delegation Illustrated
Figure: the domain.edu domain contains the OUs Law, Engineering and Medicine; Engineering contains the OUs Civil and Electrical
ACE on the Engineering OU: (ENG Admins, Full Control)
ACEs on the Electrical OU: (EE Admins, FC/Groups) and (EE Admins, FC/Computers)
Delegation Made Easy
Use the Delegation of Control Wizard
A demo...
Delegation Made Hard
Directly modify object ACLs
Figure (Object Access Control): a DirectoryObject carries an ACL, which is a list of ACEs
ACEs can apply to specific attributes
Go to chalk talk to discuss details
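The class-based and attribute-based delegation of the last few slides, as an added example that is not part of the deck: a small model of directory objects with inherited ACEs, following the domain.edu illustration (Domain Admins at the domain root, ENG Admins with Full Control on Engineering, EE Admins with Full Control scoped to groups and computers on Electrical). The Telecom ACE on the "telephoneNumber" attribute, the user "jdoe" and the computer "EE-LAB1" are assumptions added to exercise the checks; the rights vocabulary is simplified.

```python
"""Added example (not from the deck): a simplified model of Active Directory
object ACLs showing how class-scoped and attribute-scoped ACEs placed on OUs
delegate control, and an audit helper for who ends up with Full Control."""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterator, List, Optional, Set

# Simplified rights; real AD has many more (create-child, write-property, ...).
FULL_CONTROL: FrozenSet[str] = frozenset({"read", "write", "create", "delete"})


@dataclass(frozen=True)
class ACE:
    trustee: str                        # security group the ACE grants to
    rights: FrozenSet[str]
    object_class: Optional[str] = None  # None = every class; e.g. "computer"
    attribute: Optional[str] = None     # None = whole object; else one attribute


@dataclass
class DirObject:
    name: str
    obj_class: str                      # "domain", "organizationalUnit", "user", ...
    acl: List[ACE] = field(default_factory=list)
    parent: Optional["DirObject"] = None

    def add(self, child: "DirObject") -> "DirObject":
        """Attach a child; ACEs on this container are inherited by it."""
        child.parent = self
        return child

    def ancestry(self) -> Iterator["DirObject"]:
        node: Optional[DirObject] = self
        while node is not None:
            yield node
            node = node.parent


def effective_rights(obj: DirObject, groups: Set[str],
                     attribute: Optional[str] = None) -> Set[str]:
    """Rights the caller's groups hold on obj (or on one attribute of it),
    gathered from ACEs on the object and on every container above it.
    Only allow ACEs are modelled; the deck does not discuss denies."""
    rights: Set[str] = set()
    for node in obj.ancestry():
        for ace in node.acl:
            if ace.trustee not in groups:
                continue
            if ace.object_class not in (None, obj.obj_class):
                continue  # class-scoped ACE for a different class
            if ace.attribute is not None and ace.attribute != attribute:
                continue  # attribute-scoped ACE grants nothing on the whole object
            rights |= ace.rights
    return rights


def can_create(container: DirObject, groups: Set[str], child_class: str) -> bool:
    """May the caller create an object of child_class inside container?"""
    return any(
        ace.trustee in groups and "create" in ace.rights
        and ace.attribute is None and ace.object_class in (None, child_class)
        for node in container.ancestry() for ace in node.acl)


def full_control_holders(obj: DirObject) -> Set[str]:
    """Audit helper: trustees holding unscoped Full Control over obj, directly
    or by inheritance. Class- or attribute-scoped ACEs do not count."""
    return {ace.trustee for node in obj.ancestry() for ace in node.acl
            if ace.rights >= FULL_CONTROL and ace.object_class is None
            and ace.attribute is None}


# Constructed tree following the deck's domain.edu illustration. The Telecom
# ACE on "telephoneNumber" is an assumption; the slide names only the department.
domain = DirObject("domain.edu", "domain", [
    ACE("Domain Admins", FULL_CONTROL),
    ACE("Telecom", frozenset({"read", "write"}), "user", "telephoneNumber")])
law = domain.add(DirObject("Law", "organizationalUnit"))
engineering = domain.add(DirObject("Engineering", "organizationalUnit",
                                   [ACE("ENG Admins", FULL_CONTROL)]))
medicine = domain.add(DirObject("Medicine", "organizationalUnit"))
civil = engineering.add(DirObject("Civil", "organizationalUnit"))
electrical = engineering.add(DirObject("Electrical", "organizationalUnit", [
    ACE("EE Admins", FULL_CONTROL, "group"),       # FC/Groups
    ACE("EE Admins", FULL_CONTROL, "computer")]))  # FC/Computers
jdoe = electrical.add(DirObject("jdoe", "user"))          # constructed
ee_lab1 = electrical.add(DirObject("EE-LAB1", "computer"))  # constructed

if __name__ == "__main__":
    print(sorted(effective_rights(ee_lab1, {"EE Admins"})))
    print(can_create(electrical, {"EE Admins"}, "user"))
    print(sorted(full_control_holders(electrical)))
```

Because EE Admins hold Full Control only for the group and computer classes, they can manage the lab's computers but cannot touch user objects in the same OU, while the audit helper still reports Domain Admins and ENG Admins as the real holders of Full Control over Electrical.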
OUs for Group Policy
OU Planning: Apply Group Policy
Group policy is used to control desktop configurations
Applied to Users and Computers
Associated with Sites, Domains, or Organizational Units
Create OUs to apply unique policy
Filter application of policy using access control
Change And Configuration Management: Features and Benefits
IntelliMirror features:
User data management: increased protection and availability of people's data ("My Documents follow me!")
Software installation & maintenance: increased availability of the applications that people need ("My Applications follow me!")
User settings management: increased computer availability ("My Personal Settings follow me!")
Remote OS installation: fast recovery, setup, (re)configuration of computer and operating system
Change And Configuration Management: Features and Technology Used
User data management (IntelliMirror): Active Directory, Group Policy, Offline Files, Synchronization Manager, Enhanced Shell Functionality, Disk Quotas
Software installation & maintenance (IntelliMirror): Active Directory, Group Policy, Windows Installer, Application Deployment Editor, Add/Remove Programs, Dfs
User settings management (IntelliMirror): Active Directory, Group Policy, Offline Files, Roaming User Profiles, Enhanced Shell Functionality
Remote OS installation: Active Directory, Group Policy, Remote Install server, remote-install-capable workstation (NetPC, PC98, Boot Floppy)
Change And Configuration Management Technologies
User Document Management (IntelliMirror): Active Directory, Group Policy, Offline Folders (CSC), Synchronization Manager, Enhanced Shell Functionality, Disk Quotas
Software Installation (IntelliMirror): Active Directory, Group Policy, Windows Installer, Software Installer snap-in, Add/Remove Programs, Dfs
User Settings Management (IntelliMirror): Active Directory, Group Policy, Offline Folders (CSC), Roaming User Profiles, Enhanced Shell Functionality
Remote OS Installation: Active Directory, Group Policy, Remote Install server, remote-install-capable workstation (NetPC, PC98, Boot Floppy)
(Group Policy is highlighted as the technology common to all four features)
Group Policy: The Basics
What Is Group Policy?
Technology that enables you to specify requirements for your users' environment and then rely on Windows 2000 to continually enforce them
What Is Group Policy? (examples)
"Sales department will have Office 2000"
"Disable logoff from Start Menu for all Receptionists"
"Audit all failed logon attempts for all Computers in the Atlanta area, in the Peachtree office"
Group Policy Requires...
Windows 2000 Active Directory
Windows 2000 Professional clients
No support for Windows NT 4.0 or earlier
No support for Windows 9x or earlier
What Can You Do With Group Policy?
Administrative Templates: registry-based policy settings
Security: options for local, domain, and network security
Software Installation: central management of software installation
Scripts: startup, shutdown, logon, and logoff scripts
Folder Redirection: store users' folders on the network
Where Does Group Policy Live?
Within group policy objects (GPOs)
Created within a domain
Linked to any number of sites, domains, and organizational units (SDOUs)
Multiple GPOs can be linked to a single SDOU
When Does Group Policy Get Applied?
Computer starts: applies Computer Settings from Group Policies, then Startup Scripts run
User logs on: applies User Settings from Group Policies, then Logon Scripts run
...and at periodic intervals (more on this later)
Where Does My Policy Come From?
Figure: Site (1), Domain (2), OU (3), applied in that order
Site, Domain, OU hierarchy
Policy is inherited
"Closer" settings override "farther" ones
SDOU Ordering: Group Policy and the Active Directory
Figure: a Site, the Streetmarket.com domain, and the OUs Accounts, Resources, Desktops, Headquarters, Marketing and Servers, with Group Policy Objects A1 to A6 linked at the site, domain and OU levels
Server OU GPOs applied = A3, A1, A2, A4, A6
Marketing OU GPOs applied = A3, A1, A2, A5
Modifying Inheritance
No Override prevents child containers from overriding policies set at higher levels
Block Inheritance prevents inheritance of all policies from parent containers
Highest No Override takes precedence over lower No Overrides
No Override takes precedence over Block Inheritance
What If An SDOU Is Linked To Multiple GPOs?
Higher GPOs override lower GPOs
GPOs are processed in the reverse order listed on the tab
What If I Don't Want Everyone In An OU To Be Affected By A GPO?
You cannot link a GPO to a security group
You can "filter" GPOs by changing the default permissions on the GPO, using security groups
You need the Read and Apply Group Policy ACEs to have a GPO apply
You need Read and Write in order to read or modify a GPO
Default GPO Permissions
Authenticated Users: Read, Apply Group Policy
Local System, Domain Admins, Enterprise Admins: All permissions except AGP
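The precedence rules of the preceding slides (SDOU ordering, No Override, Block Inheritance, reverse tab order within one SDOU, and Read + Apply Group Policy filtering) carried through in one place, as an added example that is not part of the deck. The hierarchy reproduces the Streetmarket.com figure; which container holds which GPO link, the GPO setting values and the "Marketing Staff" and "Help Desk" groups used in the tests are assumptions chosen so the results match the slide.

```python
"""Added example (not from the deck): resolve which GPOs apply to a target
in a Windows 2000 Site/Domain/OU chain, honouring link order, No Override,
Block Inheritance and security-group filtering as the slides describe."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class GPO:
    name: str
    # Principals granted BOTH Read and Apply Group Policy on the GPO's ACL.
    # Default per the deck is Authenticated Users, modelled here as "*".
    read_and_apply: Set[str] = field(default_factory=lambda: {"*"})
    disabled: bool = False
    settings: Dict[str, str] = field(default_factory=dict)


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False  # "No Override" set on this link


@dataclass
class Container:
    name: str              # a site, a domain or an OU
    tab_order: List[Link]  # links as listed on the Group Policy tab, top first
    block_inheritance: bool = False


def effective_gpos(chain: List[Container], groups: Set[str]) -> List[GPO]:
    """chain runs Site, Domain, OU, ..., innermost OU.  Returns the GPOs in
    processing order; a GPO later in the list overrides an earlier one."""
    # Block Inheritance drops every GPO linked ABOVE the deepest blocking
    # container; GPOs linked to that container itself still apply.
    block_depth = max(
        (i for i, c in enumerate(chain) if c.block_inheritance), default=0)

    def applies(gpo: GPO) -> bool:
        if gpo.disabled:
            return False
        return "*" in gpo.read_and_apply or bool(gpo.read_and_apply & groups)

    normal: List[GPO] = []
    enforced: List[Tuple[int, GPO]] = []
    for depth, container in enumerate(chain):
        # Within one SDOU the tab is processed bottom-up, so the top entry wins.
        for link in reversed(container.tab_order):
            if not applies(link.gpo):
                continue
            if link.no_override:
                enforced.append((depth, link.gpo))
            elif depth >= block_depth:
                normal.append(link.gpo)
    # No Override links are processed last, deepest first, so the highest
    # No Override runs last: it beats lower No Overrides and any Block
    # Inheritance beneath it.
    enforced.sort(key=lambda pair: pair[0], reverse=True)
    return normal + [gpo for _, gpo in enforced]


def winning_value(applied: List[GPO], setting: str) -> Optional[str]:
    """'Closer' settings override 'farther' ones: the last applied GPO that
    configures the setting wins; None if nothing configures it."""
    value = None
    for gpo in applied:
        value = gpo.settings.get(setting, value)
    return value


# Constructed hierarchy modelled on the deck's Streetmarket.com figure. Which
# container carries which link is an assumption, chosen so the results match
# the slide: Servers OU -> A3, A1, A2, A4, A6 and Marketing OU -> A3, A1, A2, A5.
A1 = GPO("A1", settings={"logoff_on_start_menu": "enabled"})
A2, A3, A4 = GPO("A2"), GPO("A3"), GPO("A4")
A5 = GPO("A5", settings={"logoff_on_start_menu": "disabled"})
A6 = GPO("A6", settings={"logoff_on_start_menu": "disabled"})

SITE = Container("Site", [Link(A3)])
# A2 sits above A1 on the domain's tab, so A1 is processed first and A2 last.
DOMAIN = Container("Streetmarket.com", [Link(A2), Link(A1)])
RESOURCES = Container("Resources", [Link(A4)])
SERVERS = Container("Servers", [Link(A6)])
ACCOUNTS = Container("Accounts", [])
MARKETING = Container("Marketing", [Link(A5)])

AUTHENTICATED = frozenset({"Authenticated Users"})


def applied_names(chain: List[Container], groups=AUTHENTICATED) -> List[str]:
    return [g.name for g in effective_gpos(chain, groups)]


if __name__ == "__main__":
    print(applied_names([SITE, DOMAIN, RESOURCES, SERVERS]))   # A3, A1, A2, A4, A6
    print(applied_names([SITE, DOMAIN, ACCOUNTS, MARKETING]))  # A3, A1, A2, A5
```

Rebuilding Marketing with Block Inheritance yields only A5, and marking the domain's A1 link No Override puts A1 back after A5 so its setting wins, which is the "No Override beats Block Inheritance" rule from the slide.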
The Mechanics
Creating A Domain Or OU GPO
Screenshot: in Active Directory Users and Computers (dsa), right-click the domain or OU and choose Properties (the context menu also offers Delegate control..., Add members to a Group, Move..., Find..., New, All Tasks, View, New Window from Here, Delete, Rename, Refresh, Export List... and Help)
Creating A Site GPO
Use Active Directory Sites and Services
You must be a member of Enterprise Admins
By default, a site GPO is stored in the enterprise root domain
This may be altered at creation time, by changing the DC that the ADS&S snap-in is using and then creating a new GPO
Disabling A GPO
You can disable a GPO or just the User or Computer Settings nodes
Deleting A GPO
"Deleting" a GPO from an SDOU gives you a choice between
Unlinking the GPO from the SDOU
Permanently deleting the GPO
Group Policy Snap-In
Registry-Based Policies
Registry-Based Policy UI
Registry-Based Policy Settings
Each setting has three states: Implement; Do not implement, remove; Ignore
The Explain Tab
Administrative Templates
Framework for defining registry-based policies
Text file with .adm extension
Windows 2000 ships with system.adm and inetres.adm
Other Policy Types
Scripts
Figure: Computer Configuration holds Startup/Shutdown scripts; User Configuration holds Logon/Logoff scripts
Script Settings
You can assign multiple scripts and set the processing order
Default timeout is 10 minutes
Computer Configuration\Administrative Templates\System\Logon: "Maximum wait time for Group Policy scripts"
Security Policy Settings
Account Policies: configure password, account, and Kerberos policies (domain only)
Local Policies: configure auditing, user rights, and security options
Event Log: configure settings for application logs, system logs, and security logs
Restricted Groups: configure group memberships for security-sensitive groups
System Services: configure security and startup settings for services running on a computer
Registry: configure security on registry keys
File System: configure security on specific file paths
Public Key Policies: configure encrypted data recovery agents, domain roots, trusted certificate authorities
IP Security Policies: configure IP security on a network
Software Installation And Maintenance
Publishing Applications: publish applications that are not required by users, but might be useful to them
Assigning Applications to Computers: assign applications to computers if the applications are required by anyone using a specific computer
Assigning Applications to Users: assign applications to users if users need those applications to do their job
Folder Redirection Settings
You can redirect: Application Data, Desktop, My Documents, My Pictures, Start Menu
...to reduce logon time and increase availability
Folder Redirection Options
For each folder, you can choose between
No policy
Basic, which redirects all users to the same place
Advanced, which allows you to specify different locations for users based on security group membership
Group Policy Best Practices
Limit how often group policy is updated (to reduce replication)
Limit the number of admins who can edit GPOs (to reduce possibility of simultaneous editing)
Limit inheritance modification, filtering, and loopback (to simplify troubleshooting)
Limit the number of GPOs that apply to an SDOU (to improve logon performance)
Test! (to reduce Help desk calls)
Use the Support Tools
OUs for Organizing Directory Objects
Published Objects
Shared Folders
Printers
Users & Groups
Application-Specific
Shared Folder Objects
A shared folder directory object abstracts a shared folder or Dfs volume
A UNC path points to the resource
Figure: shared folder objects published in OUs within a domain
Printer Objects
A printer directory object abstracts a shared printer
The printer object attributes include:
The printer's UNC path
Printer model and capabilities
Figure: printer objects published in OUs within a domain
Locating Resources
Resources are located by searching or walking the directory
A search of the entire directory sends an LDAP query to the global catalog
Use UI, ADSI or LDAP
Search by: Name; Class (e.g. Printer); Attribute (e.g. location)
Organize Objects into OUs
May help users to find resources
Avoid too much granularity
There are other ways...
Apply ACLs on OUs to collectively apply visibility to objects with the same visibility requirements
Example: Chargeback Printers
Note: ACLs on directory objects do not equate to ACLs on their referenced resources
OU Review
Use OUs for:
Delegating Administration
Group Policy
Publishing, organizing and hiding directory objects
You can apply a variety of access controls to OUs and the various classes of objects therein
OU hierarchies support inheritance and filtering of inheritance
OU Design Principles
Keep it simple
Think supportability
Know your customer's organizational and political boundaries
Detach the user from the workstation
Abstract the service from the server
And Some More
Balance between the Enterprise and its business units (divisions, departments, whatever)
Where possible, align administrative delegation, group policies and resource publication
If you can't, consider parallel hierarchies (instead of OU spaghetti)
Focus on reuse of GPOs
Leverage those links
The "Chutes and Ladders" School of Active Directory Design
Keep in Mind
There's no one right answer
Understand the technologies
Understand your administrative hierarchy
Create the simplest design possible that meets your needs
Think about future reorganization
Ask the question "How will I troubleshoot this?"
Document the design
Some Design Approaches
Shallow and Wide vs. Deep
Advantage: Inheritance & Filtering; Disadvantage: Inheritance & Filtering
Parallel Hierarchies: separate OUs for Users and Workstations
For More Information
Introduction to Windows 2000 Group Policy: http://www.microsoft.com/windows2000/library/howitworks/management/grouppolicyintro.asp
Group Policy Scenarios: http://www.microsoft.com/windows2000/library/howitworks/management/grouppolicy.asp
Group Policy Step-by-Step: http://www.microsoft.com/windows2000/library/planning/management/groupsteps.asp
Breakout Sessions
Tracks: Best for Digital Business; Easier to Manage and Use; Reliability
101: Developing Scalable E-Commerce Windows DNA Applications on Windows 2000
102: Windows 2000 Reliability, Scalability and Availability
103: Upgrading an E-Commerce Company to Windows 2000
104: Thin Client Solutions using Windows 2000 Server Family
201: The Power of Pro
202: Planning a Migration from Windows 9x/NTW 4.0 to Windows 2000 Pro
203: Strategies for Rapid Deployment of Windows 2000 Professional
204: Managing the Desktop with Windows 2000 Active Directory and Group Policy
301: Namespace Planning for Windows 2000 Active Directory
302: Windows 2000 Active Directory Planning
303: Windows 2000 Active Directory Organizational Unit and Group Policy Planning
304: Cluster in a Box with Windows 2000 Advanced Server
Where do you want to go today?