OK, as of today I have a spanking brand new flat 2012R2 domain. My question is: what do you guys do with groups? I know MS used to say, in the days of 2000\2003 server, users into global\universal and then into domain local, but I just wondered if anyone sticks them straight into global. We have one domain and I can't ever see us having another domain requiring access to our resources.
Also, what groups do you have set up for access to resources? I'm guessing a student group and a staff group, but any other groups? As I say, I have a flat network that I am going to start work on tomorrow in preparation for data migration in the summer.
Last edited by psydii; 8th May 2014 at 08:46 PM.
I stick them directly into global.
I have a lot of groups to manage many different things; I created an OU just to put the groups in.
The basic Staff, student groups, then I have groups broken out by year group for students and building for staff. I also have computer groups broken out by OU and OS. I then have a number of smaller groups such as color printer, student password policy, math, etc. In one of my schools there is a group for each grade level, and department.
Many of these groups are synced with GAFE so they double as email lists, particularly the department / grade level groups.
I use GPP targeting to deploy printers: the larger MFPs everyone gets, but for smaller printers I target a group, then add users or computers to the group vs updating the policy.
The password policy is used to allow younger students to have a weaker password; I just nest the appropriate year group groups into that group.
The OS and OU groups are used for SCCM.
You need to think of what resources you need to control / or provide access to and how granular of control you need / want.
The majority of my groups are email, or used to target settings / policies. To directly answer your second question, I think I only have four groups set up for NTFS permissions access.
Staff, Students, Fiscal, and Food Service.
Personally my AD is laid out as:
Each of those as an OU then OUs within each one.
As for groups, I have Staff Security groups OU, Staff Distribution groups (I have an internal Exchange server) and the same for students. Tend to use Global groups. If you're a single domain single forest setup there's no need to bother with the universal ones at all really, but if your new domain is alongside another and you want to migrate things across then I'd suggest going with universal. You can change it later if you really want, but there's not really any need.
The Computers OU is defined by building then by room, and users are a little more complex. Servers are basically just all servers in one OU, bar a sub OU for terminal servers. Makes policies quite easy and means I can be very granular with how I choose to apply them.
Last edited by mrbios; 9th May 2014 at 12:30 AM.
Our IT support said don't bother with domain local, just use global, but I just wanted to see what other folks thought, as when I did my exams in 2000\2003 domain local was all the rage. Cheers for the info on OUs too, as this is something I am tackling in conjunction with the groups.
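
The nesting discussed in the thread (year groups nested into a password policy group, global versus domain local scopes) can be checked on paper before it is built. The following is an added example, not code from any poster: it takes a planned group layout, flags nestings that the scope rules do not allow in a single domain, and lists staff accounts that would pick up the weaker student password policy through nesting. All group and user names are constructed.

```python
# Constructed sample directory for a single domain: name -> (scope, members).
# A member that is not itself a key is treated as a user account.
GROUPS = {
    "Year3": ("Global", ["amy", "ben"]),
    "Year4": ("Global", ["cat", "Cover"]),      # staff group nested by mistake
    "Cover": ("Global", ["dave"]),
    "Staff": ("Global", ["Cover", "erin"]),
    "StudentPasswordPolicy": ("Global", ["Year3", "Year4"]),
    "FiscalShare": ("DomainLocal", ["Staff"]),
    "Fiscal": ("Global", ["FiscalShare"]),      # domain local inside global
}

# Group scopes each scope may contain as members within one domain.
ALLOWED = {
    "Global": {"Global"},
    "Universal": {"Global", "Universal"},
    "DomainLocal": {"Global", "Universal", "DomainLocal"},
}

def invalid_nestings(groups):
    """Return (parent, child) pairs whose scopes AD does not allow to nest."""
    return [(parent, m)
            for parent, (scope, members) in groups.items()
            for m in members
            if m in groups and groups[m][0] not in ALLOWED[scope]]

def effective_users(groups, name, seen=None):
    """Expand nested groups into the set of user accounts; cycles are skipped."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for m in groups[name][1]:
        users |= effective_users(groups, m, seen) if m in groups else {m}
    return users

def overlap(groups, policy_group, protected_group):
    """Accounts that reach policy_group through nesting and are also in protected_group."""
    return effective_users(groups, policy_group) & effective_users(groups, protected_group)

if __name__ == "__main__":
    print("invalid nesting:", invalid_nestings(GROUPS))
    print("staff under weak policy:", overlap(GROUPS, "StudentPasswordPolicy", "Staff"))
```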