I’ve got a question for you SMB folks that run AD. I’m not sure how
best to define SMB, so let’s say for the purposes of what I’m trying to
find out that’s maybe 500 or fewer users.
When working with users and groups, do you typically just use the
default groups like Domain Users and Domain Admins? If you create your
own groups, do you just stick them in the default Users container? Or
do you go so far as to create your own OUs and create groups there?
Depends totally on your needs. If you need more granular file rights on
Windows shares, you mostly use your own groups, like you would in eDir.
Grouping the groups and users in their own containers is more a matter of
convenience or easier readability in bigger environments, but is not
necessary in a single tree setup.
W. Prindl
Joseph Marton wrote:
> I’ve got a question for you SMB folks that run AD. I’m not sure how
> best to define SMB, so let’s say for the purposes of what I’m trying
> to find out that’s maybe 500 or fewer users.
> When working with users and groups, do you typically just use the
> default groups like Domain Users and Domain Admins? If you create
> your own groups, do you just stick them in the default Users
> container? Or do you go so far as to create your own OUs and create
> groups there?
On 1/7/2013 5:24 PM, Joseph Marton wrote:
> W_ Prindl wrote:
>
>> Depends totally on your needs.
>
> I just want to find out what folks are doing today. I guess you could
> consider this a bit of an informal poll.
Typically most businesses need some sort of granularity of, say, HR,
financial, owner/partner, normal production stuff, etc., so I think it
would not be unusual not to find granular security.
I have never seen an AD Tree that did not break users into OUs.
I have… But those were small shops. Also, OUs cannot be security
principals, right?
Me too. In a system with just 50 users or so, I don’t think the admins see
it as that big an “issue” or they just don’t see the reasons why to create
additional OUs.
And to answer Anders’ question, AFAIK OUs still cannot be security
principals.
To get around that, I have used IDM in the past to create groups to
mirror OUs with auto-membership for folks in that OU.
Again, that is because of the history of eDir.
Color me silly, but being able to do stuff based upon someone’s OU
just seems natural.
Most AD folks just don’t know what they don’t have until they see more
advanced systems in place.
On 1/9/2013 6:10 PM, Niels Poulsen wrote:
> Anders Gustafsson wrote:
>
>> Craig Wilson,
>>> I have never seen an AD Tree that did not break users into OUs.
>>
>> I have… But those were small shops. Also, OUs cannot be security
>> principals, right?
>
> Me too. In a system with just 50 users or so, I don’t think the admins see
> it as that big an “issue” or they just don’t see the reasons why to create
> additional OUs.
–
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
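
Added example, not code from any poster in this thread: because an OU cannot be a security principal, the workaround described above is a group that mirrors the OU's users. The post did this with IDM; the block below does the same reconciliation with the ActiveDirectory PowerShell module instead, and also removes members who have left the OU so their access does not linger. The OU and group DNs and the function name are placeholders.

```powershell
# Added example: keep a "shadow group" in step with the user objects in one OU.
# Requires the ActiveDirectory module (RSAT). DNs below are constructed placeholders.
Import-Module ActiveDirectory

$OuDn    = 'OU=Finance,DC=example,DC=com'               # hypothetical OU
$GroupDn = 'CN=OU-Finance,OU=Groups,DC=example,DC=com'  # hypothetical mirror group

function Sync-OuShadowGroup {                            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $Group
    )

    # Enabled users under the OU. Subtree includes child OUs; use OneLevel to exclude them.
    $wanted = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -SearchScope Subtree |
        Select-Object -ExpandProperty DistinguishedName)

    # Current direct user members of the mirror group.
    $current = @(Get-ADGroupMember -Identity $Group |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty distinguishedName)

    # Reconcile in both directions: add newcomers, drop users who moved out or were disabled.
    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $wanted })

    if ($toAdd -and $PSCmdlet.ShouldProcess($Group, "Add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $Group -Members $toAdd
    }
    if ($toRemove -and $PSCmdlet.ShouldProcess($Group, "Remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
    }

    # Summary object, suitable for logging from a scheduled task.
    [pscustomobject]@{ Group = $Group; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# -WhatIf reports the planned changes without touching the group.
Sync-OuShadowGroup -SearchBase $OuDn -Group $GroupDn -WhatIf
```

Membership only follows the OU as often as this runs, so a user moved out of the OU keeps the group's rights until the next pass.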