- This topic has 4 replies, 3 voices, and was last updated 4 years, 8 months ago by
Michael Pietroforte.
-
Sat, Jul 14 2018 at 2:48 pm #648352
Has anyone converted their organization from a traditional Active Directory group-level administration to an OU-based, role-based, GPO-based administration?
I am working on a fairly large project and wanted to change the way we administer accounts and access. I would like to discuss with anyone any pitfalls they may have run into along their journey.
-
Sun, Jul 15 2018 at 1:14 pm #648446
I have helped clients do this a few times. Traditionally, they want to move from a location-based structure to a department-based structure.
Personally, I find it easier to keep computers in a location-based structure and just move users to a role-based structure. This gives you a lot of flexibility when assigning settings.
If you go this route, map out user titles to a set of security groups and OUs. Set up a few PowerShell scripts to maintain that security group membership. If you can, try to create test users for departments so that you can mirror what they have to what they need.
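A sketch of the title-to-group maintenance script described in the post above, as an added example that is not part of the original post or the poster's own code. The titles, group names, accounts and the `Get-RoleGroupDrift` function are constructed for illustration; the script only computes the membership changes from inline sample data, so it runs without a domain.

```powershell
# Added example: reconcile role-group membership from job titles.
# All titles, group names and accounts below are constructed sample data.
$TitleToGroups = @{
    'Accountant'      = @('ROLE-Finance-Staff')
    'Finance Manager' = @('ROLE-Finance-Staff', 'ROLE-Finance-Approvers')
    'Help Desk Tech'  = @('ROLE-IT-HelpDesk')
}
# In a live domain this list would come from: Get-ADUser -Filter * -Properties Title
$Users = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; Title = 'Accountant' }
    [pscustomobject]@{ SamAccountName = 'bjones'; Title = 'Finance Manager' }
    [pscustomobject]@{ SamAccountName = 'cwu';    Title = 'Help Desk Tech' }
    [pscustomobject]@{ SamAccountName = 'dlee';   Title = 'Contractor' }  # unmapped title
)
# In a live domain this would come from Get-ADGroupMember for each managed group
$CurrentMembers = @{
    'ROLE-Finance-Staff'     = @('asmith')
    'ROLE-Finance-Approvers' = @('asmith', 'bjones')  # asmith is stale after a role change
    'ROLE-IT-HelpDesk'       = @('dlee')
}
function Get-RoleGroupDrift {
    param($Users, $TitleToGroups, $CurrentMembers)
    # Start every managed group with an empty desired membership.
    $desired = @{}
    $groups = @($CurrentMembers.Keys) + @($TitleToGroups.Values | ForEach-Object { $_ })
    foreach ($g in $groups) { $desired[$g] = @() }
    foreach ($u in $Users) {
        if (-not $TitleToGroups.ContainsKey($u.Title)) {
            Write-Warning "No role mapping for title '$($u.Title)' ($($u.SamAccountName))"
            continue
        }
        foreach ($g in $TitleToGroups[$u.Title]) { $desired[$g] += $u.SamAccountName }
    }
    # Compare desired against current membership; emit one action per difference.
    foreach ($g in $desired.Keys | Sort-Object) {
        $have = @()
        if ($CurrentMembers.ContainsKey($g)) { $have = @($CurrentMembers[$g]) }
        foreach ($m in $desired[$g] | Where-Object { $_ -notin $have }) {
            [pscustomobject]@{ Action = 'Add'; Group = $g; Member = $m }
        }
        foreach ($m in $have | Where-Object { $_ -notin $desired[$g] }) {
            [pscustomobject]@{ Action = 'Remove'; Group = $g; Member = $m }
        }
    }
}
# Review the plan first; apply it later with Add-ADGroupMember / Remove-ADGroupMember.
Get-RoleGroupDrift $Users $TitleToGroups $CurrentMembers | Format-Table -AutoSize
```

Reporting removals as well as additions is what keeps role groups from accumulating members whose titles no longer justify the access, and the warning for unmapped titles surfaces accounts that fall outside the role model.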
-
Mon, Jul 16 2018 at 4:21 am #648463
I recommend looking not only at your department-based structure, but also at your organization’s structure with regard to IT services. You have to take into account that your AD structure is for managing your IT, not for managing your organization. You have to ask what you really want to do with the OUs in your IT. For instance, executives often have the same privileges, security clearances, and requirements that are independent of their departments. Likewise, kiosk computers, typical office computers, file servers, etc. usually have the same requirements independent of their location and department.
So instead of going to HR, you had better go to the admins who actually manage your IT systems and ask what organizational structure they need to get their work done. Your goal is to create an AD structure with a flat hierarchy that is as simple as possible. Before you touch your AD, you should outline the different possible structures and then choose the one that reflects the requirements of your IT in the most efficient way.
-
Wed, Jul 18 2018 at 10:12 pm #652528
I appreciate the advice. I am projecting about a year out to completion, possibly merging 18 domains, about 8k users and a ton of endpoints. Trying to keep the strategy simple and clean. Waiting for an audit to force some needed changes beforehand to give me the leverage needed to rip the band-aid off of some craziness I am not very familiar with. Wish me luck!
-
Thu, Jul 19 2018 at 1:40 am #652535
Merging 18 domains with 8k users? Alright, I wish you luck. I think you will need it. 😉