
What are the reasons for delegating the AD Root Identifier?  Why delegate read?

From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 6:25 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Groups and OU's

Per delegation I do the following:

AD <-----------Root Identifier

    +Delegation <Description = Del-ID (5 Char Max)>  Give FC to the Directory Administrators, Enterprise Admins, and System; Read to the Data Administrators & Authenticated Users.

        +OU or CN = Users <Description = Del_IDUsers>  Give R/C/M to Full Data Admins, Jr Data Admins, and R/M to Helpdesk. (Contains all Mail-Enabled Users in Delegation)

        +OU or CN = Groups <Description = Del_ID-Groups> Give R/C/M to Full Data Admins, Jr Data Admins, and R/M to Helpdesk. (Contains all Org Level Global Groups in delegation)

        +OU or CN = Computers <Description = Del_ID-Computers> Give R/C/M to Full Data Admins, Jr Data Admins, and R/M to Helpdesk. (Contains all Workstations in delegation)

        +OU = OPS <Description = Del-ID-OPS>  Give R/C to the Full Data Administrators. FC to the Create Owner (Contains Custom OU's for the delegation)

            + OU or CN = Accounts <Description = Del_ID-Accounts> Give R/C/M to Full Data Admins, R/C to Jr Data Admins, and R to Helpdesk. (Contains Alt-Admin credentials)

            + OU or CN = Services <Description = Del_ID-Services> Give R/C/M to Full Data Admins, R to Jr Data Admins and to Helpdesk. (Contains Service Accounts)

            + OU or CN = Resources <Description = Del_ID-Resources> Give R/C/M to Full Data Admins, R/C to Jr Data Admins and R to Helpdesk. (Contains DLG for Each Share Resource {Each type of Access})

            + OU or CN = DL <Description = Del_ID-DL> Give R/C/M to Full Data Admins, R/C to Jr Data Admins and R to Helpdesk. (Contains Mail Enabled UG for each level of org in del)

            + OU or CN = Contacts <Description =Del_ID-Contacts> Give R/C/M to Full Data Admins, R/C to Jr Data Admins and R to Helpdesk. (Contains Contacts for the Del)

            + OU or CN = Servers  <Description =Del_ID-Servers> Give R/C/M to Full Data Admins, R/C to Jr Data Admins and R to Helpdesk. (Contains Servers for the Delegation)

            + OU or CN = SecGroup <Description =Del_ID-SecGroup> Give R/G/M to Full Data Admins, R/C Jr Data Admins and R to Helpdesk. (Contains GPO Filter Security Groups, and Special Security Groups)

The main driver for this tight model is for easier scriptable delegations.

Principles of the design

=================

All OUs/CNs are identified with a small one-word identifier to facilitate searches.

Each object's Description field is filled out with the delegation ID, a "-", and the CN name to facilitate proper identification from searches.

OUs allow for additional OUs within the OU.  CNs, I believe, don't by default.

Data Administration is delegated as Full, Jr, and Helpdesk.

Full DA's can create mail enabled DL UG only.

GPO linking can be done on the Users/Computers/Accounts/Services/Servers containers for easy troubleshooting and modeling of changes.

Full DA's are the only ones who can modify GPO's.  FDA and Jr. DA can Link GPO's.  Use Security Groups for GPO filtering.

Dir Admins create GPO's and delegate them to the Data Admins.

All accounts in the Users container are Mail Enabled.

All accounts in Accounts and Services are not mail enabled.  (ME Service accounts are normally a Directory Admin / Exchange Admin function in my mind)

Groups contains only GG and uses nesting to create organizational groups.

Computers contains all workstations.  Use GPO Security Groups for filtering.

DL contains mail enabled Organizational UG.  Use nesting like in the Groups container.

Resources contains a DLG for Each resource with specific permissions, R/C/Deny.  On the Network Share add each DLG for each Access type to the Share and assign permissions.  Administer the DLG for Dir.

As you can see I like to control where object creation happens, and also limit the creation of additional OUs, if possible, to a specific location under OPS.

The reason is scriptability.  If the namespace path is consistent, it is easier to create additional delegations through scripts and ACL them.

With a good third-party tool, you can also do form validation, hide OUs from the Data Admins to make the provisioning of resources more focused, and automate certain administration operations, like account creation validation, transfers, enforcing only certain types of object creation (like no LG or UG creation), mailbox creation, etc.

What do you all think?

What are the Principles of AD delegation!

What are the Rules for Native Access Control Delegation

What are the Rules for Proxy Access Control Delegation

What are the Rules for Native and Proxy Access Control Delegation.

Toddler 
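One way to script the layout and ACLs Todd describes, added here as an example and not code from the thread or from any tool the thread names. It assumes the modern ActiveDirectory PowerShell module (AD: PSDrive) rather than the 2003-era tooling, uses OUs for every container (the message also allows CN containers), expects the groups Directory Administrators, Data Administrators, Full Data Admins, Jr Data Admins and Helpdesk to already exist, and reads the R/C/M shorthand as GenericRead / CreateChild (limited to one object class) / WriteProperty, with FC as GenericAll. The delegation ID and root DN are parameters; the container table mirrors the tree in the message.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not from the original thread). Builds one delegation in the
  layout the message describes and ACLs it from a table, which is the
  "scriptable delegation" the author is after.
  Assumptions: ActiveDirectory module with AD: drive; OUs for every container;
  the admin groups named below already exist; R/C/M = GenericRead / CreateChild
  (restricted to one class) / WriteProperty; FC = GenericAll.
#>
param(
    [Parameter(Mandatory)][ValidateLength(1, 5)][string]$DelId,  # 5-char max delegation ID
    [string]$Root                                                  # DN under which delegations live
)
Import-Module ActiveDirectory
if (-not $Root) { $Root = (Get-ADDomain).DistinguishedName }
$Dom      = (Get-ADDomain).NetBIOSName
$SchemaNc = (Get-ADRootDSE).schemaNamingContext

# schemaIDGUID of an object class, so CreateChild can be limited to that class only
function Get-ClassGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $SchemaNc -Filter "lDAPDisplayName -eq '$LdapName'" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

# Create the OU if it is missing; Description = "<DelId>-<Name>" as the message prescribes
function New-DelegationOu([string]$Name, [string]$Parent, [string]$Desc) {
    $existing = Get-ADOrganizationalUnit -SearchBase $Parent -SearchScope OneLevel -Filter "Name -eq '$Name'"
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Parent -Description $Desc -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$Parent"
}

# Append one Allow ACE to an OU's DACL; inherited by all children unless told otherwise
function Grant-OuRight([string]$Dn, [string]$Account, [string[]]$Rights,
                       [guid]$ObjectType = [guid]::Empty, [string]$Inherit = 'All') {
    $acl  = Get-Acl -Path "AD:\$Dn"
    $who  = New-Object System.Security.Principal.NTAccount($Account)
    $mask = [System.DirectoryServices.ActiveDirectoryRights]($Rights -join ',')
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $who, $mask, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Translate the message's R/C/M codes into ACEs; C is scoped to one object class
function Grant-Shorthand([string]$Dn, [string]$Account, [string]$Code, [guid]$Class) {
    $plain = @()
    if ($Code -match 'R') { $plain += 'GenericRead' }
    if ($Code -match 'M') { $plain += 'WriteProperty' }
    if ($plain)           { Grant-OuRight $Dn $Account $plain }
    if ($Code -match 'C') { Grant-OuRight $Dn $Account 'CreateChild' $Class }
}

# Delegation root: FC to Directory Admins, Read to Data Admins and Authenticated Users
$delDn = New-DelegationOu -Name $DelId -Parent $Root -Desc $DelId
Grant-OuRight $delDn "$Dom\Directory Administrators" 'GenericAll'
Grant-OuRight $delDn "$Dom\Data Administrators"      'GenericRead'
Grant-OuRight $delDn 'NT AUTHORITY\Authenticated Users' 'GenericRead'

# OPS: the only place Full DAs may create OUs; whoever creates one gets FC on it
$opsDn = New-DelegationOu -Name 'OPS' -Parent $delDn -Desc "$DelId-OPS"
Grant-OuRight $opsDn "$Dom\Full Data Admins" 'GenericRead'
Grant-OuRight $opsDn "$Dom\Full Data Admins" 'CreateChild' (Get-ClassGuid 'organizationalUnit')
Grant-OuRight $opsDn 'CREATOR OWNER' 'GenericAll' ([guid]::Empty) 'Descendents'

# Name, parent, object class that may be created, then rights for Full DA / Jr DA / Helpdesk
$rows = @(
    @('Users',     $delDn, 'user',     'RCM', 'RCM', 'RM'),
    @('Groups',    $delDn, 'group',    'RCM', 'RCM', 'RM'),
    @('Computers', $delDn, 'computer', 'RCM', 'RCM', 'RM'),
    @('Accounts',  $opsDn, 'user',     'RCM', 'RC',  'R'),
    @('Services',  $opsDn, 'user',     'RCM', 'R',   'R'),
    @('Resources', $opsDn, 'group',    'RCM', 'RC',  'R'),
    @('DL',        $opsDn, 'group',    'RCM', 'RC',  'R'),
    @('Contacts',  $opsDn, 'contact',  'RCM', 'RC',  'R'),
    @('Servers',   $opsDn, 'computer', 'RCM', 'RC',  'R'),
    @('SecGroup',  $opsDn, 'group',    'RCM', 'RC',  'R')
)
foreach ($r in $rows) {
    $name, $parent, $class, $full, $jr, $help = $r
    $dn  = New-DelegationOu -Name $name -Parent $parent -Desc "$DelId-$name"
    $cls = Get-ClassGuid $class
    Grant-Shorthand $dn "$Dom\Full Data Admins" $full $cls
    Grant-Shorthand $dn "$Dom\Jr Data Admins"   $jr   $cls
    Grant-Shorthand $dn "$Dom\Helpdesk"         $help $cls
}
```

Run it once per delegation ID in a lab domain first. Set-Acl writes the whole DACL back, so export the existing descriptors (Get-Acl piped to Export-Clixml, or dsacls) before the run and diff them afterwards; dsacls on each new OU is also the quickest way to confirm that Jr Data Admins and Helpdesk received only the class-scoped CreateChild entries and nothing wider.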

-----Original Message-----
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 4:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Groups and OU's

Is it advisable to have an OU for Groups? What are the pros and cons?  I want a very simple and basic OU structure.
