Windows 2000 Deployment Conference

Presentation Transcript


Windows 2000 Active Directory Organizational Unit and Group Policy Planning
Adam Gordon
MCS Senior Consultant
Microsoft Corporation

Agenda
  • OU concepts
  • OU planning & design principles
  • OU for delegation
  • OU for Group Policy
  • OU for publishing (and hiding) directory objects
  • OU design exercise

What Is an Organizational Unit?
  • A container inside a domain
  • The element of hierarchical structure within the domain
OUs vs. Domains

  • OUs are easily changed
    • Moved, renamed, deleted
  • Within a domain, objects move easily between OUs
  • Less impact on performance
Domains vs. OUs
  • Replication Boundary
  • Boundary for Security Policies and Domain Administrators
    • Rights intrinsic to Domain Admins
OUs: What Are They Good For?
  • Delegating Administration
  • Group Policies
  • Organizing Published Objects in the directory
OU Planning
  • Forest plan
  • Domain plan
  • OU plan
    • Create an OU plan for each domain
  • Site topology

OU Planning Methodology
  • Forest plan
  • Domain plan
  • OU plan
    • Apply Group Policy
  • Site topology

OU Design Principles
  • Keep it simple
  • Think supportability
  • Know your customer’s organizational and political boundaries
  • Detach the user from the workstation
  • Abstract the service from the server
Current Environment Analysis
  • Logon Scripts
    • “Functional” Groups (ifmember)
  • Current Administrative Boundaries
  • Current Domain Infrastructure
    • User Domains and Resource Domains: why are they there?
  • Users & Workstations
    • Restricted Labs, Kiosks, Factory Floors
    • Elevated Special Apps and Devices
OUs for Delegation
  • You can assign permissions to directory objects on a per-attribute basis
  • Use OUs to “group” objects with similar needs for administrative control
  • Use Administrative Delegation to reduce the number of Domain Admins
  • Like NT 4 User and Resource Domains…only better
Class-based Delegation
  • Delegate administrative control on a per-class basis for each OU:
    • Users & Groups
    • Computers
      • Note: Workstations and Member Servers are both “Computers”
      • Domain Controllers are a distinct class in their own OU
    • Folders
    • Printers
Attribute-based Delegation
  • You can also assign rights to specific attributes of an object class
    • Example: Telecom Department
OU Delegation Illustrated

Diagram (not reproduced): an OU tree with the delegated ACEs labelled on each OU: (ENG Admins, Full Control), (EE Admins, FC/Groups), (EE Admins, FC/Computers).

Delegation Made Easy
  • Use the Delegation of Control Wizard
  • A demo…
Delegation Made Hard
  • ACEs can apply to specific attributes
  • Directly modify object ACLs
  • Object Access Control
  • Go to chalk talk to discuss details
OU Planning: Apply Group Policy
  • Group policy is used to control desktop configurations
    • Applied to Users and Computers
    • Associated with Sites, Domains, or Organizational Units
  • Create OUs to apply unique policy
    • Filter application of policy using access control
Change And Configuration Management
  • User data management: increased protection and availability of people’s data (“My Documents follow me!”)
  • Software installation & maintenance: increased availability of the applications that people need (“My Applications follow me!”)
  • User settings management: increased computer availability (“My Personal Settings follow me!”)
  • Remote OS installation: fast recovery, setup, (re)configuration of computer and operating system
Change And Configuration Management (technology used)
  • User data management: Active Directory, Group Policy, Offline Files, Synchronization Manager, Enhanced Shell Functionality, Disk Quotas
  • Software installation & maintenance: Active Directory, Group Policy, Windows Installer, Application Deployment Editor, Add/Remove Programs, Dfs
  • User settings management: Active Directory, Group Policy, Offline Files, Roaming User Profiles, Enhanced Shell Functionality
  • Remote OS installation: Active Directory, Group Policy, Remote Install server, remote-install-capable workstation (NetPC, PC98, boot floppy)
Change And Configuration Management Technologies (each area is driven by Group Policy)
  • User Document Management: Active Directory, Group Policy, Offline Folders (CSC), Synchronization Manager, Enhanced Shell Functionality, Disk Quotas
  • Software Installation: Active Directory, Group Policy, Windows Installer, Software Installation snap-in, Add/Remove Programs, Dfs
  • User Settings Management: Active Directory, Group Policy, Offline Folders (CSC), Roaming User Profiles, Enhanced Shell Functionality
  • Remote OS Installation: Active Directory, Group Policy, Remote Install server, remote-install-capable workstation (NetPC, PC98, boot floppy)
What Is Group Policy?

Technology that enables you to specify requirements for your users’ environment and then rely on Windows 2000 to continually enforce them

What Is Group Policy?
  • “Sales department will have Office 2000”
  • “Disable logoff from Start Menu for all Receptionists”
  • “Audit all failed logon attempts for all Computers in the Atlanta area, in the Peachtree office”
Group Policy Requires…
  • Windows 2000 Active Directory
  • Windows 2000 Professional clients
  • No support for Windows NT 4.0 or earlier
  • No support for Windows 9x or earlier
What Can You Do With Group Policy?
  • Registry-based policy settings
  • Options for local, domain, and network security
  • Central management of software installation
  • Startup, shutdown, logon, and logoff scripts
  • Folder Redirection: store users’ folders on the network
Where Does Group Policy Live?
  • Within group policy objects (GPOs)
    • Created within a domain
    • Linked to any number of sites, domains, and organizational units (SDOUs)
    • Multiple GPOs can be linked to a single SDOU
When Does Group Policy Get Applied?
  • Computer starts
    • Applies Computer Settings from Group Policies
    • Startup scripts run
  • User logs on
    • Applies User Settings from Group Policies
    • Logon scripts run
  • …and at periodic intervals (more on this later)

Where Does My Policy Come From?
  • Site, Domain, OU hierarchy
  • Policy is inherited
  • “Closer” settings override “farther” ones
Modifying Inheritance
  • No Override prevents child containers from overriding policies set at higher levels
  • Block Inheritance prevents inheritance of all policies from parent containers
  • Highest No Override takes precedence over lower No Overrides
  • No Override takes precedence over Block Inheritance
What If An SDOU Is Linked To Multiple GPOs?
  • Higher GPOs override lower GPOs
  • GPOs are processed in the reverse order listed on the tab
What If I Don’t Want Everyone In An OU To Be Affected By A GPO?
  • You cannot link a GPO to a security group
  • You can “filter” GPOs by changing the default permissions on the GPO, using security groups
  • You need the Read and Apply Group Policy ACEs to have a GPO apply
  • You need Read and Write in order to read or modify a GPO
Default GPO Permissions
  • Authenticated Users
    • Read
    • Apply Group Policy
  • Local System, Domain Admins, Enterprise Admins
    • All permissions except Apply Group Policy (AGP)
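The inheritance, ordering and filtering rules of the preceding slides (site, domain, OU order; Block Inheritance; No Override; several GPOs on one SDOU; security filtering on Read + Apply Group Policy; the default grant to Authenticated Users) are modelled below as an added Python example that is not part of the presentation. Container and GPO names are constructed, and the filter simplification assumed here is that a GPO applies when the principal belongs to any group holding both Read and Apply Group Policy on it.

```python
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    settings: dict                    # setting name -> value
    no_override: bool = False         # the "No Override" option on the link
    # groups holding both Read and Apply Group Policy on this GPO; the default
    # GPO ACL grants them to Authenticated Users, so everyone gets it unless filtered
    apply_groups: frozenset = frozenset({"Authenticated Users"})

@dataclass
class Container:                      # a site, domain or OU (an "SDOU")
    name: str
    gpos: list                        # in the order shown on the Group Policy tab
    block_inheritance: bool = False

def resolve(chain, principal_groups):
    """chain runs site, domain, OU, ... down to the leaf OU of the user or computer.
    Returns {setting: (value, name of the winning GPO)}."""
    normal, enforced = [], []         # enforced = No Override GPOs, farthest first
    for c in chain:
        if c.block_inheritance:       # Block Inheritance drops ordinary inherited GPOs only
            normal = []
        for g in reversed(c.gpos):    # bottom of the list is processed first
            if not (g.apply_groups & principal_groups):
                continue              # filtered out: no Read + Apply Group Policy
            (enforced if g.no_override else normal).append(g)
    # last writer wins: closer GPOs overwrite farther ones, No Override GPOs are
    # written after all ordinary ones, and the highest No Override GPO last of all
    result = {}
    for g in normal + enforced[::-1]:
        for k, v in g.settings.items():
            result[k] = (v, g.name)
    return result

def demo():
    """Constructed scenario echoing the slide examples (all names made up)."""
    site = Container("Atlanta site", [GPO("Audit failed logons", {"audit_failures": True})])
    domain = Container("corp.example", [GPO("Default Domain Policy",
        {"min_password_len": 8, "wallpaper": "corp.bmp"}, no_override=True)])
    sales = Container("Sales OU", [
        GPO("Sales desktop", {"wallpaper": "sales.bmp"}),
        GPO("Office 2000 assign", {"assigned_apps": ("Office 2000",)}),
        GPO("Reception lockdown", {"logoff_on_start_menu": False},
            apply_groups=frozenset({"Receptionists"})),
    ], block_inheritance=True)
    return resolve([site, domain, sales], {"Authenticated Users", "Receptionists"})

if __name__ == "__main__":
    for k, (v, src) in sorted(demo().items()):
        print(f"{k:22} = {v!r:16} from {src}")
```

In the demo the site audit GPO never reaches the Sales OU because of Block Inheritance, while the domain's No Override wallpaper still beats the closer Sales setting.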
Creating A Domain Or OU GPO

Screenshot (not reproduced): the dsa - [Active Directory Users and Computers] console with the context menu of a domain or OU open (Delegate control…, Add members to a Group, All Tasks, New Window from Here, Export List…).

Creating A Site GPO
  • Use Active Directory Sites and Services
  • You must be a member of Enterprise Admins
  • By default, a site GPO is stored in the enterprise root domain
    • This may be altered at creation time, by changing the DC that the ADS&S snap-in is using and then creating a new GPO
Disabling A GPO
  • You can disable a GPO or just the User or Computer Settings nodes
Deleting A GPO
  • “Deleting” a GPO from an SDOU gives you a choice between
    • Unlinking the GPO from the SDOU
    • Permanently deleting the GPO
Registry-Based Policy Settings

Screenshot (not reproduced): a registry-based policy setting in the Group Policy editor.

Administrative Templates
  • Framework for defining registry-based policies
  • Text file with .adm extension
  • Windows 2000 ships with system.adm and inetres.adm
Script Settings

Screenshot (not reproduced): script settings under Computer Configuration and User Configuration in the Group Policy editor.
  • You can assign multiple scripts and set the processing order
  • Default timeout is 10 minutes
    • Computer Configuration\Administrative Templates\System\Logon
    • “Maximum wait time for Group Policy scripts”
Security Policy Settings
  • Account Policies: configure password, account, and Kerberos policies (domain only)
  • Local Policies: configure auditing, user rights, and security options
  • Event Log: configure settings for application logs, system logs, and security logs
  • Restricted Groups: configure group memberships for security-sensitive groups
  • System Services: configure security and startup settings for services running on a computer
  • Registry: configure security on registry keys
  • File System: configure security on specific file paths
  • Public Key Policies: configure encrypted data recovery agents, domain roots, trusted certificate authorities
  • IP Security Policies: configure IP security on a network
Software Installation And Maintenance
  • Assigning Applications to Users: assign applications to users if users need those applications to do their job
  • Assigning Applications to Computers: assign applications to computers if the applications are required by anyone using a specific computer
  • Publishing Applications: publish applications that are not required by users, but might be useful to them
Folder Redirection Settings
  • You can redirect
    • Application Data
    • Desktop
    • My Documents
    • My Pictures
    • Start Menu
  • …To reduce logon time and increase availability
Folder Redirection Options
  • For each folder, you can choose between
    • No policy
    • Basic, which redirects all users to the same place
    • Advanced, which allows you to specify different locations for users based on security group membership
Group Policy Best Practices
  • Limit how often group policy is updated (to reduce replication)
  • Limit the number of admins who can edit GPOs (to reduce possibility of simultaneous editing)
  • Limit inheritance modification, filtering, and loopback (to simplify troubleshooting)
  • Limit the number of GPOs that apply to an SDOU (to improve logon performance)
  • Test! (to reduce Help desk calls)
  • Use the Support Tools
Published Objects
  • Shared Folders
  • Printers
  • Users & Groups
  • Application-Specific
Shared Folder Objects
  • A shared folder directory object abstracts a shared folder or Dfs volume
    • A UNC path points to the resource
Printer Objects
  • A printer directory object abstracts a shared printer
    • The printer object attributes include:
      • The printer’s UNC path
      • Printer model and capabilities




Locating Resources
  • Resources are located by searching or walking the directory
  • A search of the entire directory sends an LDAP query to the global catalog
  • Use UI, ADSI or LDAP
  • Search by:
    • Name
    • Class (e.g. Printer)
    • Attribute (e.g. location)
Organize Objects into OUs
  • May help users to find resources
    • Avoid too much granularity
    • There are other ways…
  • Apply ACLs on OUs to collectively apply visibility to objects with the same visibility requirements
    • Example: Chargeback Printers
    • Note: ACLs on directory objects do not equate to ACLs on their referenced resources
OU Review
  • Use OUs for:
    • Delegating Administration
    • Group Policy
    • Publishing, organizing and hiding directory objects
  • You can apply a variety of access controls to OUs and the various classes of objects therein
  • OU hierarchies support inheritance and filtering of inheritance
OU Design Principles
  • Keep it simple
  • Think supportability
  • Know your customer’s organizational and political boundaries
  • Detach the user from the workstation
  • Abstract the service from the server
And Some More
  • Balance between the Enterprise and its business units (division, departments, whatever)
  • Where possible, align administrative delegation, group policies and resource publication
    • If you can’t, consider parallel hierarchies (instead of OU spaghetti)
  • Focus on reuse of GPOs
    • Leverage those links
  • The “Chutes and Ladders” School of Active Directory Design
Keep in Mind
  • There’s no one right answer
    • Understand the technologies
    • Understand your administrative hierarchy
    • Create the simplest design possible that meets your needs
    • Think about future reorganization
    • Ask the question “How will I troubleshoot this?”
    • Document the design
Some Design Approaches
  • Shallow and Wide
  • Deep
    • Advantage: Inheritance & Filtering
    • Disadvantage: Inheritance & Filtering
  • Parallel Hierarchies
  • Separate OUs for Users and Workstations
For More Information
  • Introduction to Windows 2000 Group Policy
  • Group Policy Scenarios
  • Group Policy Step-by-Step
