Active Directory - Creating OU's based on Users Department
12 September 2005, 11:21 AM
#1
Scooby Regular
Thread Starter
Active Directory - Creating OU's based on Users Department
I have 5000 Users which i need to put into individual departmental Organizational Units based on their department field.
I basically want to set up a structure where i have an OU called Finance, and then under that 2 OUs called "Computers" and "Users"
Can anyone suggest a simple way of moving all the users into the correct OU based on their Department... otherwise i have a massive task on this week
Organising the Computers based on department is a task i don't even want to think about. Over the years the computer naming convention has developed into a mix of usernames, service tags and all sorts
Any help greatly appreciated.
Thanks
Andy
I basically want to set up a structure where i have an OU called Finance, and then under that 2 OUs called "Computers" and "Users"
Can anyone suggest a simple way of moving all the users into the correct OU based on their Department... otherwise i have a massive task on this week
Organising the Computers based on department is a task i don't even want to think about. Over the years the computer naming convention has developed into a mix of usernames, service tags and all sorts
Any help greatly appreciated.
Thanks
Andy
12 September 2005, 11:50 AM
#2
Scooby Regular
dsmove would achieve this, but you'd need to do some script processing for a batch of users.
It's simple enough to read the Department field from Active Directory using Windows Scripting, so some basic if statements would move user objects depending on which department is read.
I haven't used this myself, so perhaps someone has a better method using 3rd party utilities or an even better script language (e.g. Kixstart)
Stefan
It's simple enough to read the Department field from Active Directory using Windows Scripting, so some basic if statements would move user objects depending on which department is read.
I haven't used this myself, so perhaps someone has a better method using 3rd party utilities or an even better script language (e.g. Kixstart)
Stefan
Last edited by ozzy; 12 September 2005 at 02:12 PM.
12 September 2005, 02:08 PM
#3
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like
on
1 Post
I did a script for just this.. are the users in a dpt group??
Let me know the formatting involved and Ill ammend my script and post it up if you want.
We have DPT groups for the users and my script scanned all users, created the OU and then moved users into it.
David
Let me know the formatting involved and Ill ammend my script and post it up if you want.
We have DPT groups for the users and my script scanned all users, created the OU and then moved users into it.
David
12 September 2005, 02:36 PM
#4
Scooby Regular
Thread Starter
David
All the users are in a container at the roor of our domain, as we have just migrated from nt4.. i'll drop you an email.. I've very little experience with AD.. just picking bits up.
Let me know if you can help.
Thanks
Andy
All the users are in a container at the roor of our domain, as we have just migrated from nt4.. i'll drop you an email.. I've very little experience with AD.. just picking bits up.
Let me know if you can help.
Thanks
Andy
Trending Topics
12 September 2005, 08:19 PM
#9
Scooby Regular
Join Date: Jul 2005
Location: Sheffield
Posts: 77
Likes: 0
Received 0 Likes
on
0 Posts
Originally Posted by KiwiGTI
What's the rationale for setting up OUs based on the business structure? It's often not the best way to do things.
12 September 2005, 08:53 PM
#10
It really depends on each organisation and often politics may come into it but normally you should plan for the least administrative effort while taking into account performance aspects (lots of nested OUs with GPOs at each level is bad for performance etc). Aim for the lowest amount of OUs and GPO links you can get away with.
Having dozens of OUs with users spread amongst them is messy and doesn't achieve anything. If you need to find someone fast by department use "Find" or an LDAP search.
We have 25,000 users, all with the same desktop build (apps controlled by membership in security groups) sitting under a single "UserAccounts" OU that gives them their baseline settings, further OUs could be created under this for specific users but remarkably we don't have any.
Servers are under "Servers" OU which sets a baseline policy and then there are sub-OUs based on server function (IIS, SMS,etc)
So basically we have 25,000 users and desktops in 2 OUs with several GPOs applied to each which means admin is a very simple.
At worst in your case I'd suggest you create an OU called UserAccounts in the root and then have Finance, Marketing etc under that.
Having dozens of OUs with users spread amongst them is messy and doesn't achieve anything. If you need to find someone fast by department use "Find" or an LDAP search.
We have 25,000 users, all with the same desktop build (apps controlled by membership in security groups) sitting under a single "UserAccounts" OU that gives them their baseline settings, further OUs could be created under this for specific users but remarkably we don't have any.
Servers are under "Servers" OU which sets a baseline policy and then there are sub-OUs based on server function (IIS, SMS,etc)
So basically we have 25,000 users and desktops in 2 OUs with several GPOs applied to each which means admin is a very simple.
At worst in your case I'd suggest you create an OU called UserAccounts in the root and then have Finance, Marketing etc under that.
12 September 2005, 09:00 PM
#11
Operational Unit Design
The next hierarchical level is the operational unit (OU)—useful for group policy and rights delegation. Because the business model may change frequently, or be complex enough so that an OU model based on it would require several OUs with interlocking rights, most recommendations are not to have OU design follow business structure. You certainly don’t want to have to change directory structure for every business redesign. In all OU models, the idea is to minimize administration headaches, so that all objects inside an OU are managed by the same group or administrator. Then that group can be granted the necessary rights for everyone in that OU.
Three models of OU design are geographical, functional and object type. The geographical and functional models are as the designation implies: based on physical business location or function. The object type structure splits the OUs so that similar objects are placed closely. All DCs, all servers, all printers, all users, etc., are in their own OUs. Hybrid models of any or all of these three types are also possible, depending on how network user administration is easiest.
Other considerations for designing OU structure include structuring them so that the same security policy-requiring objects are grouped together. An extension of this thought is the recommendation to group admins away from the hoi polloi so that admin objects, such as restricted servers, may only be seen by those OU members—the admins. Be aware that objects within an OU are accessible by forest and domain admins, though should be assigned an owner, who is responsible for child objects, GP assignments and rights delegation. This non-exclusive access is an example of autonomy, versus isolation, which would be exclusive access.
The next hierarchical level is the operational unit (OU)—useful for group policy and rights delegation. Because the business model may change frequently, or be complex enough so that an OU model based on it would require several OUs with interlocking rights, most recommendations are not to have OU design follow business structure. You certainly don’t want to have to change directory structure for every business redesign. In all OU models, the idea is to minimize administration headaches, so that all objects inside an OU are managed by the same group or administrator. Then that group can be granted the necessary rights for everyone in that OU.
Three models of OU design are geographical, functional and object type. The geographical and functional models are as the designation implies: based on physical business location or function. The object type structure splits the OUs so that similar objects are placed closely. All DCs, all servers, all printers, all users, etc., are in their own OUs. Hybrid models of any or all of these three types are also possible, depending on how network user administration is easiest.
Other considerations for designing OU structure include structuring them so that the same security policy-requiring objects are grouped together. An extension of this thought is the recommendation to group admins away from the hoi polloi so that admin objects, such as restricted servers, may only be seen by those OU members—the admins. Be aware that objects within an OU are accessible by forest and domain admins, though should be assigned an owner, who is responsible for child objects, GP assignments and rights delegation. This non-exclusive access is an example of autonomy, versus isolation, which would be exclusive access.
13 September 2005, 09:47 AM
#12
Scooby Regular
Join Date: Jul 2005
Location: Sheffield
Posts: 77
Likes: 0
Received 0 Likes
on
0 Posts
Originally Posted by KiwiGTI
Hybrid models of any or all of these three types are also possible, depending on how network user administration is easiest.
Keep the plan you have mate, dont go complicating it.
Thread
Thread Starter
Forum
Replies
Last Post
shorty87
Full Cars Breaking For Spares
19
22 December 2015 11:59 AM
Pro-Line Motorsport
Car Parts For Sale
2
29 September 2015 07:36 PM
