Windows 2000 Deployment Conference - PowerPoint PPT Presentation
Windows 2000 Deployment Conference. Windows 2000 Active Directory Organizational Unit and Group Policy Planning. Adam Gordon, MCS Senior Consultant, Microsoft Corporation. Agenda: OU concepts, OU planning & design principles, OU for delegation, OU for Group Policy.

Presentation Transcript
Windows 2000 Deployment Conference

Windows 2000 Active Directory Organizational Unit and Group Policy Planning
Adam Gordon
MCS Senior Consultant
Microsoft Corporation

Agenda
  • OU concepts

  • OU planning & design principles

  • OU for delegation

  • OU for Group Policy

  • OU for publishing (and hiding) directory objects

  • OU design exercise

What Is an Organization Unit?

  • A container inside a domain

  • The element of hierarchical structure within the domain

OUs vs. Domains

OUs are easily changed

  • Moved, renamed, deleted

  • Within a domain, objects move easily between OUs

  • Less impact on performance

    Domains vs. OUs

    • Replication Boundary

    • Boundary for Security Policies and Domain Administrators

      • Rights intrinsic to Domain Admins

    OUs: What Are They Good For

    • Delegating Administration

    • Group Policies

    • Organizing Published Objects in the directory

    OU Planning

    Planning phases: Forest plan, Domain plan, OU plan, Site topology

    • Create an OU plan for each domain

    OU Planning Methodology

    (Diagram of the planning phases: Forest plan, Domain plan, OU plan, Site topology)

    OU Design Principles

    • Keep it simple

    • Think supportability

    • Know your customer’s organizational and political boundaries

    • Detach the user from the workstation

    • Abstract the service from the server

    Current Environment Analysis

    • Logon Scripts

      • “Functional” Groups (ifmember)

    • Current Administrative Boundaries

    • Current Domain Infrastructure

      • User Domains and Resource Domains: why are they there?

    • Users & Workstations

      • Restricted Labs, Kiosks, Factory Floors

      • Elevated Special Apps and Devices

    OUs for Delegation

    • You can assign permissions to directory objects on a per-attribute basis

    • Use OUs to “group” objects with similar needs for administrative control

    • Use Administrative Delegation to reduce the number of Domain Admins

    • Like NT 4 User and Resource Domains…only better

    Class-based Delegation

    • Delegate administrative control on a per-class basis for each OU:

      • Users & Groups

      • Computers

        • Note: Workstations and Member Servers are both “Computers”

        • Domain Controllers are a distinct class in their own OU

      • Folders

      • Printers

    Attribute-based Delegation

    • You can also assign rights to specific attributes of an object class

      • Example: Telecom Department

    OU Delegation Illustrated

    (Diagram of the OU tree with its delegation ACEs: ENG Admins, Full Control; EE Admins, FC/Groups; EE Admins, FC/Computers)

    Delegation Made Easy

    • Use the Delegation of Control Wizard

    • A demo…

    Delegation Made Hard

    (Screenshot of an object ACL: ACEs can apply to specific attributes)

    • Directly modify object ACLs

    • Object Access Control

    • Go to chalk talk to discuss details

    OU Planning: Apply Group Policy

    • Group policy is used to control desktop configurations

      • Applied to Users and Computers

      • Associated with Sites, Domains, or Organizational Units

    • Create OUs to apply unique policy

      • Filter application of policy using access control

    Change And Configuration Management

    • User data management: increased protection and availability of people’s data (“My Documents follow me!”)

    • Software installation & maintenance: increased availability of the applications that people need (“My Applications follow me!”)

    • User settings management: increased computer availability (“My Personal Settings follow me!”)

    • Remote OS installation: fast recovery, setup, (re)configuration of computer and operating system

    Change And Configuration Management: Technology Used

    • User data management: Active Directory, Group Policy, Offline Files, Synchronization Manager, Enhanced Shell Functionality, Disk Quotas

    • Software installation & maintenance: Active Directory, Group Policy, Windows Installer, Application Deployment Editor, Add/Remove Programs, Dfs

    • User settings management: Active Directory, Group Policy, Offline Files, Roaming User Profiles, Enhanced Shell Functionality

    • Remote OS installation: Active Directory, Group Policy, Remote Install server, remote-install-capable workstation (NetPC, PC98, Boot Floppy)

    Change And Configuration Management Technologies

    Each feature is driven by Group Policy; the technology used for each:

    • User Document Management: Active Directory, Group Policy, Offline Folders (CSC), Synchronization Manager, Enhanced Shell Functionality, Disk Quotas

    • Software Installation: Active Directory, Group Policy, Windows Installer, Software Installer snap-in, Add/Remove Programs, Dfs

    • User Settings Management: Active Directory, Group Policy, Offline Folders (CSC), Roaming User Profiles, Enhanced Shell Functionality

    • Remote OS Installation: Active Directory, Group Policy, Remote Install server, remote-install-capable workstation (NetPC, PC98, Boot Floppy)

    Group Policy: The Basics

    What Is Group Policy?

    Technology that enables you to specify requirements for your users’ environment and then rely on Windows 2000 to continually enforce them

    What Is Group Policy?

    • “Sales department will have Office 2000”

    • “Disable logoff from Start Menu for all Receptionists”

    • “Audit all failed logon attempts for all Computers in the Atlanta area, in the Peachtree office”

    Group Policy Requires…

    • Windows 2000 Active Directory

    • Windows 2000 Professional clients

    • No support for Windows NT 4.0 or earlier

    • No support for Windows 9x or earlier

    What Can You Do With Group Policy?

    • Registry-based policy settings

    • Options for local, domain, and network security

    • Central management of software installation

    • Startup, shutdown, logon, and logoff scripts

    • Folder Redirection: store users’ folders on the network

    Where Does Group Policy Live?

    • Within group policy objects (GPOs)

      • Created within a domain

      • Linked to any number of sites, domains, and organizational units (SDOUs)

      • Multiple GPOs can be linked to a single SDOU

    When Does Group Policy Get Applied?

    • Computer Starts: applies Computer Settings from Group Policies, then Startup Scripts run

    • User Logs On: applies User Settings from Group Policies, then Logon Scripts run

    • …and at periodic intervals (more on this later)

    Where Does My Policy Come From?

    • Site, Domain, OU hierarchy

    • Policy is inherited

    • “Closer” settings override “farther” ones
    Modifying Inheritance

    • No Override prevents child containers from overriding policies set at higher levels

    • Block Inheritance prevents inheritance of all policies from parent containers

    • Highest No Override takes precedence over lower No Overrides

    • No Override takes precedence over Block Inheritance

    What If An SDOU Is Linked To Multiple GPOs?

    • Higher GPOs override lower GPOs

    • GPOs are processed in the reverse order listed on the tab

    What If I Don’t Want Everyone In An OU To Be Affected By A GPO?

    • You cannot link a GPO to a security group

    • You can “filter” GPOs by changing the default permissions on the GPO, using security groups

    • You need the Read and Apply Group Policy ACEs to have a GPO apply

    • You need Read and Write in order to read or modify a GPO
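    The precedence and filtering rules from the preceding slides (Site, Domain, OU inheritance; No Override and Block Inheritance; link order on the Group Policy tab; Read + Apply Group Policy filtering), modelled as an added Python example that is not part of the presentation. The GPO names, settings and groups are constructed, and the model is a deliberate simplification of the Windows 2000 engine.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict                    # setting name -> value (constructed, not real registry paths)
    apply_to: frozenset = frozenset({"Authenticated Users"})  # groups holding Read + Apply Group Policy

@dataclass
class SDOU:                           # a site, domain or OU together with its Group Policy tab
    name: str
    links: list = field(default_factory=list)   # (GPO, no_override) in tab order, top entry first
    block_inheritance: bool = False

def effective_policy(path, groups):
    """path: SDOUs from the site down to the object's own OU; groups: the object's memberships."""
    normal, enforced = [], []         # enforced keeps one list of No Override GPOs per container level
    for container in path:
        if container.block_inheritance:
            normal.clear()            # Block Inheritance drops non-enforced GPOs from all parents
        level = []
        for gpo, no_override in reversed(container.links):   # tab processed bottom-up: top entry wins
            if not (gpo.apply_to & groups):
                continue              # no Read + Apply Group Policy for this object: GPO is filtered out
            (level if no_override else normal).append(gpo)
        enforced.append(level)
    result, source = {}, {}
    # Normal links run farthest-first so closer settings override farther ones; No Override links
    # run after all of them, farthest level last, so the highest No Override takes precedence.
    for gpo in normal + [g for level in reversed(enforced) for g in level]:
        for key, value in gpo.settings.items():
            result[key], source[key] = value, gpo.name
    return result, source

# Constructed hierarchy: Atlanta site -> corp domain -> Sales and Kiosks OUs.
SITE = SDOU("Atlanta", [(GPO("Site-Audit", {"audit_failed_logons": True, "wallpaper": "site.bmp"}), True)])
DOMAIN = SDOU("corp", [(GPO("Dom-Top", {"screensaver": 600}), False),
                       (GPO("Dom-Bottom", {"screensaver": 900, "wallpaper": "corp.bmp", "office2000": False}), False)])
SALES = SDOU("Sales", [(GPO("Sales-Office", {"office2000": True, "wallpaper": "sales.bmp"}, frozenset({"Sales"})), False),
                       (GPO("Reception", {"start_menu_logoff": False}, frozenset({"Receptionists"})), False)])
KIOSKS = SDOU("Kiosks", [(GPO("Kiosk-Lockdown", {"start_menu_logoff": False}), False)], block_inheritance=True)

def sales_user():
    return effective_policy([SITE, DOMAIN, SALES], {"Authenticated Users", "Sales"})

def kiosk_computer():
    return effective_policy([SITE, DOMAIN, KIOSKS], {"Authenticated Users"})

if __name__ == "__main__":
    for label, (settings, source) in (("Sales user", sales_user()), ("Kiosk computer", kiosk_computer())):
        print(label, {k: f"{v} (from {source[k]})" for k, v in settings.items()})
```

    For the Sales user the domain's top-listed GPO beats the bottom one, the Sales OU beats the domain, and the site-level No Override beats everything; for the kiosk, Block Inheritance removes the domain GPOs but not the enforced site GPO.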

    Default GPO Permissions

    • Authenticated Users

      • Read

      • Apply Group Policy

    • Local System, Domain Admins, Enterprise Admins

      • All permissions except Apply Group Policy (AGP)

    Creating A Domain Or OU GPO

    (Screenshot: dsa - [Active Directory Users and Computers] console with the context menu of a container open: Delegate control…, Add members to a Group, All Tasks, New Window from Here, Export List…)



    Creating A Site GPO

    • Use Active Directory Sites and Services

    • You must be a member of Enterprise Admins

    • By default, a site GPO is stored in the enterprise root domain

      • This may be altered at creation time, by changing the DC that the ADS&S snap-in is using and then creating a new GPO

    Disabling A GPO

    • You can disable a GPO or just the User or Computer Settings nodes

    Deleting A GPO

    • “Deleting” a GPO from an SDOU gives you a choice between

      • Unlinking the GPO from the SDOU

      • Permanently deleting the GPO

    Registry-Based Policy Settings

    (Screenshot of a registry-based policy setting)
    Administrative Templates

    • Framework for defining registry-based policies

    • Text file with .adm extension

    • Windows 2000 ships with system.adm and inetres.adm

    Script Settings

    (Screenshot: Scripts nodes under Computer Configuration and User Configuration)

    • You can assign multiple scripts and set the processing order

    • Default timeout is 10 minutes

      • Computer Configuration\Administrative Templates\System\Logon

      • “Maximum wait time for Group Policy scripts”

    Security Policy Settings

    • Account Policies: configure password, account, and Kerberos policies (domain only)

    • Local Policies: configure auditing, user rights, and security options

    • Event Log: configure settings for application logs, system logs, and security logs

    • Restricted Groups: configure group memberships for security-sensitive groups

    • System Services: configure security and startup settings for services running on a computer

    • Registry: configure security on registry keys

    • File System: configure security on specific file paths

    • Public Key Policies: configure encrypted data recovery agents, domain roots, trusted certificate authorities

    • IP Security Policies: configure IP security on a network

    Software Installation And Maintenance

    • Assigning Applications to Computers: assign applications to computers if the applications are required by anyone using a specific computer

    • Publishing Applications: publish applications that are not required by users, but might be useful to them

    Folder Redirection Settings

    • You can redirect

      • Application Data

      • Desktop

      • My Documents

      • My Pictures

      • Start Menu

    • …To reduce logon time and increase availability

    Folder Redirection Options

    • For each folder, you can choose between

      • No policy

      • Basic, which redirects all users to the same place

      • Advanced, which allows you to specify different locations for users based on security group membership

    Group Policy Best Practices

    • Limit how often group policy is updated (to reduce replication)

    • Limit the number of admins who can edit GPOs (to reduce possibility of simultaneous editing)

    • Limit inheritance modification, filtering, and loopback (to simplify troubleshooting)

    • Limit the number of GPOs that apply to an SDOU (to improve logon performance)

    • Test! (to reduce Help desk calls)

    • Use the Support Tools

    Published Objects

    • Shared Folders

    • Printers

    • Users & Groups

    • Application-Specific

    Shared Folder Objects


    • A shared folder directory object abstracts a shared folder or Dfs volume

      • A UNC path points to the resource

    Printer Objects


    • A printer directory object abstracts a shared printer

      • The printer object attributes include:

        • The printer’s UNC path

        • Printer model and capabilities




    Locating Resources

    • Resources are located by searching or walking the directory

    • A search of the entire directory sends an LDAP query to the global catalog

    • Use UI, ADSI or LDAP

    • Search by:

      • Name

      • Class (e.g. Printer)

      • Attribute (e.g. location)

    Organize Objects into OUs

    • May help users to find resources

      • Avoid too much granularity

      • There are other ways…

    • Apply ACLs on OUs to collectively apply visibility to objects with the same visibility requirements

      • Example: Chargeback Printers

      • Note: ACLs on directory objects do not equate to ACLs on their referenced resources

    OU Review

    • Use OUs for:

      • Delegating Administration

      • Group Policy

      • Publishing, organizing and hiding directory objects

    • You can apply a variety of access controls to OUs and the various classes of objects therein

    • OU hierarchies support inheritance and filtering of inheritance

    OU Design Principles

    • Keep it simple

    • Think supportability

    • Know your customer’s organizational and political boundaries

    • Detach the user from the workstation

    • Abstract the service from the server

    And Some More

    • Balance between the Enterprise and its business units (division, departments, whatever)

    • Where possible, align administrative delegation, group policies and resource publication

      • If you can’t, consider parallel hierarchies (instead of OU spaghetti)

    • Focus on reuse of GPOs

      • Leverage those links

    • The “Chutes and Ladders” School of Active Directory Design

    Keep in Mind

    • There’s no one right answer

      • Understand the technologies

      • Understand your administrative hierarchy

      • Create the simplest design possible that meets your needs

      • Think about future reorganization

      • Ask the question “How will I troubleshoot this?”

      • Document the design

    Some Design Approaches

    • Shallow and Wide

    • Deep

      • Advantage: Inheritance & Filtering

      • Disadvantage: Inheritance & Filtering

    • Parallel Hierarchies

    • Separate OUs for Users and Workstations

    For More Information

    • Introduction to Windows 2000 Group Policy

    • Group Policy Scenarios

    • Group Policy Step-by-Step
