David, We do something similar in our environment (15k computers, 25k users) with each of our campus buildings or remote sites as a "Branch" as you have it termed, with Computer sub-OU for workstations contained there, and some type of OU for user objects. In one domain we have ~18 branches (associated closely with our sites), the other domain has about 12.
However, because of our business needs to lockdown user desktops by functional user, we have a few more user OUs, and our GPOs are tied to the OUs. There are, however, areas where we have multiple GPOs on an OU, and have filtered by group. You will find that this can be very successful, and to manage it I would recommend grabbing a copy of the Group Policy Management Console - it will make things MUCH easier! Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Monday, June 09, 2003 11:04 PM To: [EMAIL PROTECTED] I'm interested in feedback on the following OU and GPO design. Simple OU structure, something like: |--Branches |--Users |--Computers The "Users" OU would hold around 5000 users and the "Computers" OU an equal amount of workstations and servers. GPO's would be created for the users and linked to the OU, but only applied to certain global groups that the users would be members of. Similar for the computers. There would be an "All Users" and "All Computers" GPO with global settings, then more granular GPO's for departmental specific settings. Almost all administration would be done centrally, so there should be little need for delegation. This seems like it should be simple and effective, but we haven't tried it real-world, so I'm curious if people have any thoughts on possible gotcha's, issues, etc. -- David List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
