Complete Active Directory redesign and GPO application
Posted by Wolfgang Kuehne on Server Fault
Published on 2014-08-18T10:04:32Z
active-directory | group-policy
After much testing and hundreds of tries and hours invested, I decided to consult you experts here.
Overview:
I want to apply some GPO to our users which will add some specific site to the Trusted Sites in Internet Explorer settings for all users. However, the more I try the more confusing the results become. The GPO is either applied to one group of users, or to another one. Finally, I came to the conclusion that this weird behavior is caused rather by the poor organization in Users and Groups in Active Directory. As such I want to kick the problem from the root: Redesign the Active Directory Users and Groups.
Scenario:
There is one Domain Controller, and we use Terminal Services (so there is a Terminal Server as well). Users usually log on to the Terminal Server using Remote Desktop to perform their daily tasks. I would classify the users in the following way:
- IT: Admins, Software Development
- Business: Administration, Management
The current structure of the Active Directory Users and Groups is a result of the previous IT management. The company has used Small Business Server which has created multiple default user groups and containers.
Unfortunately, the guys working before me have done no documentation at all. Now, as I inherit this structure I am in no man's land. No idea which direction to head first.
As you can see, the Active Directory User and Groups have become a bit confusing. There is no SBS anymore, but when migrating from SBS to the current Windows Server 2008 R2 environment the guys before me have simply copied the same structure.
The real question:
Where should I start cleaning from, ensuring that I won't break totally the current infrastructure? What is a nice organization for the scenario that I have explained above?
Possible useful info for the current structure:
- Computers folder contains the "Terminal Services Computers" user group. Members: TerminalServer (computer located at Server -> Terminalserver OU). Member of: NONE.
- Foreign Security Principals: EMPTY
- Managed Service Accounts: EMPTY
- Microsoft Exchange Security Groups: not sure if needed, our emails are administered by an external service provider
- Distribution Groups: not sure if needed
- Security Groups: there are a couple of groups which are needed
- SBS users: contains all the users
- Terminalserver: contains only the TerminalServer machine
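Given the missing documentation, a read-only inventory is the safer first step before any OU or group is moved or deleted. The PowerShell script below is an added example and is not part of the original Server Fault post; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the caller can read the domain, and it writes to a hypothetical output folder `C:\ADInventory`. It records every OU with the GPOs linked to it, every group with its direct members, and every user with the OU or container it sits in. That last point is the usual cause of a user-side GPO reaching one set of users and not another: GPOs link only to the domain, sites and OUs, so a user left in a plain container such as the default CN=Users receives none of the OU-linked policies.

```powershell
# Added example, not from the original Server Fault post.
# Read-only inventory of OUs, GPO links, groups and user placement, written
# out as CSV so the current state is documented before any cleanup.
# Assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and
# the caller can read the domain. $OutDir is a hypothetical path.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OutDir = 'C:\ADInventory'   # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$domainDn = (Get-ADDomain).DistinguishedName

# 1. GPO links on the domain root and on every OU.
#    GPOs link only to the domain, sites and OUs, never to plain containers.
$targets = @($domainDn) + (Get-ADOrganizationalUnit -Filter * |
    Sort-Object DistinguishedName | Select-Object -ExpandProperty DistinguishedName)

$links = foreach ($t in $targets) {
    $inh = Get-GPInheritance -Target $t
    foreach ($l in $inh.GpoLinks) {
        [pscustomobject]@{
            Target           = $t
            GPO              = $l.DisplayName
            LinkOrder        = $l.Order
            Enabled          = $l.Enabled
            Enforced         = $l.Enforced
            InheritanceBlock = $inh.GpoInheritanceBlocked
        }
    }
}
$links | Export-Csv (Join-Path $OutDir 'gpo-links.csv') -NoTypeInformation

# 2. Every group with scope, category and direct member DNs.
$groups = Get-ADGroup -Filter * -Properties Members | ForEach-Object {
    [pscustomobject]@{
        Group       = $_.Name
        Scope       = $_.GroupScope
        Category    = $_.GroupCategory
        DN          = $_.DistinguishedName
        MemberCount = @($_.Members).Count
        Members     = (@($_.Members) -join ';')
    }
}
$groups | Export-Csv (Join-Path $OutDir 'groups.csv') -NoTypeInformation

# 3. Every user: the parent it sits in, whether that parent is an OU, and
#    its direct group memberships. User-side GPO settings follow the user's
#    own OU chain, so users sitting in CN= containers get none of the OU links.
$users = Get-ADUser -Filter * -Properties MemberOf | ForEach-Object {
    # Split off the leading RDN only at the comma that starts the next RDN
    $parent = ($_.DistinguishedName -split ',(?=(?:OU|CN|DC)=)', 2)[1]
    [pscustomobject]@{
        User       = $_.SamAccountName
        Enabled    = $_.Enabled
        Parent     = $parent
        ParentIsOU = $parent -like 'OU=*'
        MemberOf   = (@($_.MemberOf) -join ';')
    }
}
$users | Export-Csv (Join-Path $OutDir 'users.csv') -NoTypeInformation

# On-screen summary of the findings that usually explain "the GPO applies
# to one set of users but not another".
"Users outside any OU (cannot receive OU-linked GPOs):"
$users | Where-Object { -not $_.ParentIsOU } | Select-Object User, Parent | Format-Table -AutoSize
"Empty groups (candidates for removal once confirmed unused):"
$groups | Where-Object { $_.MemberCount -eq 0 } | Select-Object Group, Scope, DN | Format-Table -AutoSize
"Disabled GPO links or OUs with inheritance blocked:"
$links | Where-Object { -not $_.Enabled -or $_.InheritanceBlock } | Format-Table -AutoSize
```

Run it once from the domain controller and keep the three CSV files as the "before" picture; every later move of a user or group can then be checked against them. To see which policies actually reach a given user on the Terminal Server, log on there as one of the affected accounts and run `gpresult /r`: user settings normally come from the user's own OU chain, not from the Terminal Server's OU, unless loopback processing is enabled on the OU holding the server.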