Presentation is loading. Please wait.

Presentation is loading. Please wait.

Active Directory: OU Administration December 17th, 2008 1-4pm Daniels 407.

Published byMonica Black Modified over 8 years ago

Similar presentations

Presentation on theme: "Active Directory: OU Administration December 17th, 2008 1-4pm Daniels 407."— Presentation transcript:

1 Active Directory: OU Administration December 17th, 2008 1-4pm Daniels 407

2 Workflow 1.Get your house in order: o DNS needs to be accurate o asset tracking needs to be accurate 2.Create or Join a domain? o How are you going to handle Account creation? Do you need student accounts? o Do you need to access campus resources? Wolfcopy? ACS Q: drive? 3.Design OU Layout o Types of Users o Types of computers o Logical Units 4.Implement Management Policies o Who can login where? o What level of permissions should they have on each type of machine? o Do you need to deploy Mapped Drives, Scripts, or Printers? 5.Setup Software Deployment Strategy o Who can install their own software on what machines? o What software packages need to be automated? 6.Migrate Current Machines o Reinstall or Join? o Pre-Staging Computer Objects o Do you include Mac/Linux machines? 7.New Machine/Reinstallation strategy o WDS 8.What other services will you need to provide?

3 Tools Remote Server Administration Tools (RSAT) o Vista SP1 / 2008 version of AdminPak o Only way to access Group Policy Preferences o Includes all added functionality from 2003 R2 ShellRunas - Run as different Domain User for Vista o Do not do administration with normal unity account GPMC - Included in Vista o VBScripts in XP version for doing GPO Scripting SpecOps GPUpdate - Extension for ADUC Scripting: VBScript/PowerShell

4 OU Layout Single User o Faculty - Individual login, local admin o Staff - Individual or group login, no local admin o Grad Students - Group login, no student admin, Faculty admin Labs o Teaching Labs - college or class login, user rights o Public Labs - any account login (or college), user rights o Research Labs - Group login, user rights Stand Alone o Kiosks - no login, extremely locked down o Conference Rooms - any account login o Loaner machines Servers Macs? Linux boxes?

5 OU Layout (continued) Favor an overly-hierarchical layout rather than a flat layout Allows for easier targeting of GPO's Follows a more logical structure for support Its harder to move from Flat->Hierarchical than vise-versa College \Department \Machine Type \Group1 \Group2 Examples!

6 Grouping Creating lots of groups up front will ease administration when change requests are needed. It is better to have a group and not use it, than need a group and not have one. Always use groups for delegating permissions. Groups by User Directory Info: Faculty/Staff/Student Group by Machine Use: Public Lab/Teaching Lab/Kiosk/Server Group by Machine type: Laptop/Desktop Group by administrative access: Server Admins/Lab Admins Groups for Application Deployment Groups for printer deployment

7 Group Policy Creating: How to copy a GPO GPO Permissions Starter GPO's Filtering: Linking Groups WMI Deny permission? Enforced vs. Blocking Inheritance Loopback - Replace vs. Merge GPO's are applied to an object starting at the root of the domain and overlaid as you get closer to the object. GPMC: Group Policy Results/Group Policy Modelling

8 Group Policy (continued) Some "best practices": Naming Conventions are a must Be descriptive GPO's that provide access to a resource should be linked at the highest level that is administratively feasible. "Deny" permissions on GPO's should be used with care WMI filtering on specific versions of software usually doesn't get updated. Use WMI filters for OS, and Item-Level targeting in GPP for everything else you can. If you find yourself creating alot of GPO's to solve a single problem, you are doing something wrong. Always do a "gpupdate" rather than relying on reboots when doing testing of new GPO settings.

9 Policies/Preferences Policies: Software Deployment Scripts Security Settings o Restricted Groups o User Rights assignment o Machine Permissions (Filesystem, Registry, Services) o Software restriction Administrative Templates o Firewall - no spaces in comma separated lists! o Windows Update, IE, desktop environment, etc. Preferences: Mapped Drives Power Settings Distributing individual files, registry keys, shortcuts Item-Level Targeting

10 Print Setup with GPOs Using group policies, you can deploy, change, and remove printers from computers grouped together into an OU You will need administrative rights over the OU, and a workstation with the GPMC and print management plugins installed. workstation with the GPMC and print management plugins installed

11 Deploying the printers DO NOT use the Group Policy Management Console to deploy printers. Printers can be successfully delivered when set up from GPMC, but they will not be successfully removed from workstations when they are disassociated from the policy. Instead, you should FIRST create and link an empty policy to the OU where you wish the printer deployed, then associate it with the "Printer Management Console"

12 Installing printers with scripts Traditionally (prior to R2) printers are installed with scripts. Tons of VB and Powershell (and Perl) examples on the web. The "rundll32.exe" allows you to call functions in a DLL from the command line. All GUI print tasks can be performed with rundll32. For on-line reference, rundll32 printui.dll,PrintUIEntry /?

13 Scenarios What are some problems that you need to solve?

14 Q & A

Download ppt "Active Directory: OU Administration December 17th, 2008 1-4pm Daniels 407."

Similar presentations

Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.

Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.
Clyde G. Johnson.  Preference?  Overview  Targeting  Settings  Things to know  GPP Scenarios.

Clyde G. Johnson.  Preference?  Overview  Targeting  Settings  Things to know  GPP Scenarios.
Microsoft Server 2008 R2 Group Policies & AD. Group Policies-Refresher  Policies are “all or nothing”  You cannot selectively choose within a policy.

Microsoft Server 2008 R2 Group Policies & AD. Group Policies-Refresher  Policies are “all or nothing”  You cannot selectively choose within a policy.
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear.
NREL is a national laboratory of the U.S. Department of Energy Office of Energy Efficiency and Renewable Energy operated by the Alliance for Sustainable.

NREL is a national laboratory of the U.S. Department of Energy Office of Energy Efficiency and Renewable Energy operated by the Alliance for Sustainable.
Module 5: Creating and Configuring Group Policy

Module 5: Creating and Configuring Group Policy
Managing User Settings with Group Policy

Managing User Settings with Group Policy
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 9: Implementing and Using Group Policy.
Group Policies (the day after) Group Policy Preferences Powershell.

Group Policies (the day after) Group Policy Preferences Powershell.
9.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

9.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
MIS 431 - Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.

MIS Chapter 91 Ch. 9 – Implement and Use Group Policy MIS 431 – created Spring 2006.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
Clyde G. Johnson.  Test Environment  Tools of the trade  Demo  Central Store  Show  Group Policy Spreadsheets  Demo  Planning and Deployment.

Clyde G. Johnson.  Test Environment  Tools of the trade  Demo  Central Store  Show  Group Policy Spreadsheets  Demo  Planning and Deployment.
Lesson 16: Creating Group Policy Objects

Lesson 16: Creating Group Policy Objects
Guide to MCSE 70-290, Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.

Guide to MCSE , Enhanced 1 Activity 9-1: Creating a Group Policy Object Using the MMC Objective: To create a GPO using the Group Policy Object Editor.
OIT's Unity Labs Active Directory Windows Environment.

OIT's Unity Labs Active Directory Windows Environment.
Module 8: Implementing Administrative Templates and Audit Policy.

Module 8: Implementing Administrative Templates and Audit Policy.
Group Policy in Microsoft Windows Active Directory.

Group Policy in Microsoft Windows Active Directory.
Understanding Group Policy on Windows Server 2003 John Howard, IT Pro Evangelist, Microsoft UK

Understanding Group Policy on Windows Server 2003 John Howard, IT Pro Evangelist, Microsoft UK

Similar presentations

Ads by Google