Windows Server 2012 Thread, Groups in Technical; Hi all OK as of today I have a spanking brand new flat 2012R2 domain, my question is what do ...
  1. #1


    Groups

    Hi all

    OK, as of today I have a spanking brand new flat 2012R2 domain. My question is: what do you guys do with groups? I know MS used to say, in the days of 2000\2003 server, users into global\universal and then into domain local, but I just wondered if anyone sticks them straight into global. We have one domain and I can't ever see us having another domain requiring access to our resources.

    Also, what groups do you have set up for access to resources? I'm guessing a student group and a staff group, but any other groups? As I say, I have a flat network that I am going to start work on tomorrow in preparation for data migration in the summer.

    Cheers.

  2. #2

    Last edited by psydii; 8th May 2014 at 08:46 PM.


  4. #3
    ADMaster's Avatar
    I stick them directly into global.
    I have a lot of groups to manage many different things, so I created an OU just to put the groups in.
    The basic Staff, student groups, then I have groups broken out by year group for students and building for staff. I also have computer groups broken out by OU and OS. I then have a number of smaller groups such as color printer, student password policy, math, etc. In one of my schools there is a group for each grade level, and department.
    Many of these groups are synced with GAFE so they double as email lists, particularly the department / grade level groups.
    I use GPP targeting to deploy printers. The larger MFPs everyone gets, but for smaller printers I target a group, then add users or computers to the group vs updating the policy.
    The password policy is used to allow younger students to have a weaker password; I just nest the appropriate year group groups into that group.
    The OS and OU groups are used for SCCM.

    You need to think of what resources you need to control / or provide access to and how granular of control you need / want.

    The majority of my groups are email, or used to target settings / policies. To directly answer your second question, I think I only have four groups set up for NTFS permissions access.
    Staff, Students, Fiscal, and Food Service.

    Cheers


  6. #4
    mrbios's Avatar
    Personally my AD is laid out as:
    "Schoolname Computers"
    "Schoolname Groups"
    "Schoolname Users"
    "Schoolname Servers"

    Each of those as an OU then OUs within each one.

    As for groups I have Staff Security groups OU, Staff Distributions groups (I have an internal Exchange server) and the same for students. Tend to use Global groups. If you're a single domain single forest setup there's no need to bother with the universal ones at all really, but if your new domain is alongside another and you want to migrate things across then I'd suggest going with universal; you can change it later if you really want, but there's not really any need.

    The Computers OU is defined by building then by room, and users are a little more complex. Servers are basically just all servers in one OU, bar a sub-OU for terminal servers. Makes policies quite easy and means I can be very granular with how I choose to apply them.
    Last edited by mrbios; 9th May 2014 at 12:30 AM.


  8. #5

    Thanks for that ADMaster.


  9. #6

    Our IT support said don't bother with domain local, just use global, but I just wanted to see what other folks thought, as when I did my exams in 2000\2003 domain local was all the rage. Cheers for the info on OUs too, as this is something I am tackling in conjunction with the groups.

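
The nesting the original poster asks about (accounts into a global group, global group into a domain local group, permissions on the domain local group), as an added PowerShell example that is not from any poster in the thread. The domain `school.example`, NetBIOS name `SCHOOL`, OU path, group names and share path are all assumptions; the approach the replies prefer would instead put the global `Staff` group directly on the ACL.

```powershell
# Added example: every name below (domain, OU, groups, folder) is an assumption.
Import-Module ActiveDirectory

$groupsOU  = 'OU=Schoolname Groups,DC=school,DC=example'   # assumed OU for groups
$sharePath = 'D:\Shares\StaffShared'                        # assumed shared folder

# Role group: Global scope, holds the user accounts.
New-ADGroup -Name 'Staff' -SamAccountName 'Staff' -GroupScope Global `
    -GroupCategory Security -Path $groupsOU

# Resource group: Domain Local scope, one per folder and permission level,
# so the group name itself documents what it grants.
New-ADGroup -Name 'DL-StaffShared-Modify' -SamAccountName 'DL-StaffShared-Modify' `
    -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU `
    -Description "Modify on $sharePath"

# Nest the role group into the resource group.
Add-ADGroupMember -Identity 'DL-StaffShared-Modify' -Members 'Staff'

# Grant NTFS Modify to the Domain Local group only; no users or role groups on the ACL.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'SCHOOL\DL-StaffShared-Modify', 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Review step: list explicit ACEs and flag any that bypass the DL- naming pattern.
(Get-Acl -Path $sharePath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights,
        @{ n = 'FollowsPattern'; e = { $_.IdentityReference.Value -like '*\DL-*' } }

# Resolve who actually ends up with access through the nesting.
Get-ADGroupMember -Identity 'DL-StaffShared-Modify' -Recursive |
    Select-Object SamAccountName, objectClass
```

The last two commands are the part worth keeping whichever layout is chosen: they show what is on the ACL and which accounts the nesting resolves to.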


