Information Technology Reference
In-Depth Information
Concord OU. Within the Concord OU, this system administrator could delegate control of
resources represented by the Printers and Scanners OUs.
Alternatively, the OU structure may create a functional representation of the business.
For example, the Engineering OU might contain other OUs that are based on office loca-
tions such as New York and Paris. A system administrator of the Engineering domain
could delegate permissions based on geography or job functions to the lower OUs.
Regardless of whether you build a departmental, functional, or geographical OU model,
keep in mind that each model excludes other models. This is one of the most important
decisions you need to make. When you are making this decision or modifying previous
decisions, your overriding concern is how it will affect the management and administra-
tion of the network. The good news is that, because Active Directory has so many fea-
tures, the model you choose can be based on specific business requirements rather than
imposed by architectural constraints.
Troubleshooting OUs
In general, you will find using OUs to be a relatively straightforward and painless process.
With adequate planning, you'll be able to implement an intuitive and useful structure for
OU objects.
The most common problems with OU configuration are related to the OU structure.
When troubleshooting OUs, pay careful attention to the following factors:
Inheritance
By default, Group Policy and other settings are transferred automatically
from parent OUs to child OUs and objects. Even if a specific OU is not given a set of per-
missions, objects within that OU might still get them from parent objects.
Delegation of Administration
If you allow the wrong user accounts or groups to perform
specific tasks on OUs, you might be violating your company's security policy. Be sure to
verify the delegations you have made at each OU level.
Organizational Issues
Sometimes, business practices do not easily map to the structure of
Active Directory. A few misplaced OUs, user accounts, computer accounts, or groups can
make administration difficult or inaccurate. In many cases, it might be beneficial to rear-
range the OU structure to accommodate any changes in the business organization. In oth-
ers, it might make more sense to change business processes.
If you regularly consider each of these issues when troubleshooting problems with OUs,
you will be much less likely to make errors in the Active Directory configuration.
Search WWH ::
Custom Search