Windows Server 2012 Thread, Groups in Technical
  1. #1

    Groups

    Hi all

    OK, as of today I have a spanking brand new flat 2012R2 domain. My question is: what do you guys do with groups? I know MS used to say, in the days of 2000\2003 server, users into global\universal and then into domain local, but I just wondered if anyone sticks them straight into global. We have one domain and I can't ever see us having another domain requiring access to our resources.

    Also, what groups do you have set up for access to resources? I'm guessing a student group and a staff group, but any other groups? As I say, I have a flat network that I am going to start work on tomorrow in preparation for data migration in the summer.

    Cheers.

  2. #2

    Last edited by psydii; 8th May 2014 at 07:46 PM.

  3. Thanks to psydii from:

    jertsy (9th May 2014)

  4. #3
    ADMaster
    I stick them directly into global.
    I have a lot of groups to manage many different things; I created an OU just to put the groups in.
    The basic Staff, student groups, then I have groups broken out by year group for students and building for staff. I also have computer groups broken out by OU and OS. I then have a number of smaller groups such as color printer, student password policy, math, etc. In one of my schools there is a group for each grade level and department.
    Many of these groups are synced with GAFE so they double as email lists, particularly the department / grade level groups.
    I use GPP targeting to deploy printers. The larger MFPs everyone gets, but for smaller printers I target a group, then add users or computers to the group vs updating the policy.
    The password policy is used to allow younger students to have a weaker password; I just nest the appropriate year group groups into that group.
    The OS and OU groups are used for SCCM.

    You need to think of what resources you need to control / or provide access to and how granular of control you need / want.

    The majority of my groups are email, or used to target settings / policies. To directly answer your second question, I think I only have four groups set up for NTFS permissions access.
    Staff, Students, Fiscal, and Food Service.

    Cheers

  5. Thanks to ADMaster from:

    jertsy (9th May 2014)
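
The layout ADMaster describes, as an added example that is not part of any post in this thread: global security groups in a dedicated OU, year groups nested into a policy-targeting group, and a check of the resolved membership for accounts that should not inherit the weaker password policy. The domain DN, OU name and group names are assumptions, and it requires the ActiveDirectory PowerShell module.

```powershell
# Added example. The domain DN, OU name and group names are hypothetical.
Import-Module ActiveDirectory   # ships with RSAT / the AD DS role

$domainDn    = 'DC=school,DC=example'
$ouName      = 'School Groups'
$groupsOu    = "OU=$ouName,$domainDn"
$yearGroups  = 'Students-Year07', 'Students-Year08'
$policyGroup = 'Student-PasswordPolicy'

# One OU that holds nothing but groups.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# Single domain, so every group is a Global security group.
foreach ($name in (@('Staff', 'Students', $policyGroup) + $yearGroups)) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name -GroupScope Global -GroupCategory Security -Path $groupsOu
    }
}

# Nest the year groups into the policy group rather than adding users one by one.
$direct = @(Get-ADGroupMember -Identity $policyGroup | Select-Object -ExpandProperty SamAccountName)
$toNest = @($yearGroups | Where-Object { $direct -notcontains $_ })
if ($toNest.Count -gt 0) {
    Add-ADGroupMember -Identity $policyGroup -Members $toNest
}

# Audit: nesting hides who is really in scope of the weaker policy, so resolve it
# and flag anything that is not a user or that is also a (nested) member of Staff.
$staffDns   = @(Get-ADGroupMember -Identity 'Staff' -Recursive | Select-Object -ExpandProperty distinguishedName)
$unexpected = @(Get-ADGroupMember -Identity $policyGroup -Recursive |
    Where-Object { $_.objectClass -ne 'user' -or $staffDns -contains $_.distinguishedName })

if ($unexpected.Count -gt 0) {
    $unexpected | Select-Object SamAccountName, objectClass, distinguishedName | Format-Table -AutoSize
} else {
    Write-Output "No unexpected members in $policyGroup."
}
```

Running the audit half on a schedule catches a staff or computer account that lands in a year group by mistake and silently picks up the weaker policy.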

  6. #4
    mrbios
    Personally my AD is laid out as:
    "Schoolname Computers"
    "Schoolname Groups"
    "Schoolname Users"
    "Schoolname Servers"

    Each of those as an OU then OUs within each one.

    As for groups I have Staff Security groups OU, Staff Distributions groups (I have an internal Exchange server) and the same for students. Tend to use Global groups. If you're a single domain single forest setup there's no need to bother with the universal ones at all really, but if your new domain is alongside another and you want to migrate things across then I'd suggest going with universal. You can change it later if you really want, but there's not really any need.

    The Computers OU is defined by building then by room, and users are a little more complex. Servers are basically just all servers in one OU, bar a sub-OU for terminal servers. Makes policies quite easy and means I can be very granular with how I choose to apply them.
    Last edited by mrbios; 8th May 2014 at 11:30 PM.

  7. Thanks to mrbios from:

    jertsy (9th May 2014)

  8. #5

    Thanks for that ADMaster.

  9. #6

    Our IT support said don't bother with domain local, just use global, but I just wanted to see what other folks thought, as when I did my exams in 2000\2003 domain local was all the rage. Cheers for the info on OUs too, as this is something I am tackling in conjunction with the groups.
