Creating an AD structure for an Education Institution

    Question

  • Currently our security groups and our AD structure are outta whack.  We are in the process of revamping it but would like feedback on how other educational institutions are approaching it.  I'm not sure if I'm posting this in the right spot. 
    Tuesday, February 21, 2012 7:34 PM

Answers

  • Hello,

    Build a top-level OU that contains sub-OUs for users and computers; that way you can link GPOs based on the user or machine setting. You can also make this structure deeper depending on your needs or the structure you would like to build.

    On the top-level OU, link GPOs for all, and the deeper you go, the more you can define your sets of policies. This is only one example, as this depends on your own needs and the structure you would like to build. There is no "default" you can take, as each company, school, university etc. uses their own structure.

    Leave the DCs in the DCs OU and NEVER move them out of there.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, February 21, 2012 8:16 PM
  • When creating groups for students, I find it useful to base the group names on graduating year, rather than grade. This way there are minimal changes needed each summer when students advance to the next grade. Make sure students and teachers/staff are in different parent OUs, so you can apply different GPOs.


    Richard Mueller - MVP Directory Services

    Wednesday, February 22, 2012 2:03 AM
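
Added example, not part of any post in this thread: a PowerShell sketch (ActiveDirectory module) of the layout the two answers above describe, with separate sub-OUs for users and computers, students and staff kept apart, student groups named by graduating year, and a check that no domain controller has left the default Domain Controllers OU. The OU names ("School", "Users", "Computers", "Students", "Staff", "Groups") and the "Students-<year>" pattern are assumptions chosen for illustration.

```powershell
# Added example; all OU and group names below are hypothetical.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$topName  = 'School'                       # hypothetical top-level OU
$topDN    = "OU=$topName,$domainDN"

# Create an OU only if it does not exist yet, and return its DN.
function New-OuIfMissing {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        # Protect the OU against accidental deletion or move.
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

# Top-level OU, then sub-OUs so GPOs can be linked per user or machine type.
$null        = New-OuIfMissing -Name $topName    -Path $domainDN
$usersDN     = New-OuIfMissing -Name 'Users'     -Path $topDN
$computersDN = New-OuIfMissing -Name 'Computers' -Path $topDN
$groupsDN    = New-OuIfMissing -Name 'Groups'    -Path $topDN

# Students and staff in separate OUs so each can get its own GPOs.
$studentsDN  = New-OuIfMissing -Name 'Students'  -Path $usersDN
$staffDN     = New-OuIfMissing -Name 'Staff'     -Path $usersDN

# One security group per graduating year: membership stays valid when
# students advance a grade, so nothing has to be renamed each summer.
$firstYear = (Get-Date).Year
foreach ($year in $firstYear..($firstYear + 3)) {
    $name = "Students-$year"
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global `
            -GroupCategory Security -Path $groupsDN
    }
}

# Report any domain controller that is no longer in the default
# Domain Controllers OU (expected output: nothing).
$dcOU = (Get-ADDomain).DomainControllersContainer
Get-ADDomainController -Filter * |
    Where-Object { $_.ComputerObjectDN -notlike "*,$dcOU" } |
    Select-Object Name, ComputerObjectDN
```

The script is safe to re-run: existing OUs and groups are left untouched.
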
  • How you design your OUs depends a lot on how you are structured, i.e., a remote site might need a local DC/DFS/etc., but again it depends on your WAN link.

    In my experience, schools used to get structured this way: OU per location, sub-OU per site, then sub-OU per department (like city A\site B\adult education OU, admin OU, teacher OU, computer OU, lab-computer OU, etc.).

    (That way your AD structure usually fits your network topology too.)


    MCP MCTS 70-236: Exchange Server 2007, Configuring


    Thursday, February 23, 2012 1:57 AM
    Moderator

All replies

  • Hello,

    Building your AD structure in AD UC is just a management overview of how you handle your users, computers and security groups. You can define your own structure based on the needs for the machines with GPOs and the same for the users.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, February 21, 2012 7:37 PM
  • I understand, but I'm looking for some guidance on how to build that structure.  Do you put all your users in one OU? Several OUs?
    Tuesday, February 21, 2012 7:41 PM
  • Hello,


    Usually we configure AD according to the actual organizational structure of a school/college/institute.


    For your reference, some guides on AD design:


    Best Practice Active Directory Design
    http://technet.microsoft.com/en-us/library/bb727085.aspx

    Active Directory Design
    http://technet.microsoft.com/en-us/library/bb742592.aspx


    Thanks
    ZHANG

    Wednesday, February 22, 2012 4:16 AM
    Moderator
  •  ZHANG

    Thank you for those links.  They help.  I guess what I was looking for was best practices that MS has for colleges, and maybe the link that you gave me is it.  Sorry, this is a stupid question, but does MS have a design guide for colleges as far as designing their AD structure?  I'm looking for a Win2k8 design.

    Thursday, February 23, 2012 12:57 AM