Complete Active Directory redesign and GPO application

active-directory, group-policy

After much testing, hundreds of tries and many hours invested, I decided to consult you experts here.

Overview:

I want to apply a GPO to our users which will add a specific site to the Trusted Sites in the Internet Explorer settings for all users. However, the more I try, the more confusing the results become. The GPO is either applied to one group of users, or to another one. Finally, I came to the conclusion that this weird behavior is caused rather by the poor organization of Users and Groups in Active Directory. As such I want to attack the problem at the root: redesign the Active Directory Users and Groups.

Scenario:

There is one Domain Controller, and we use Terminal Services (so there is a Terminal Server as well). Users usually log on to the Terminal Server using Remote Desktop to perform their daily tasks. I would classify the users in the following way:

  • IT: Admins, Software Development
  • Business: Administration, Management

The current structure of the Active Directory Users and Groups is a result of the previous IT management. The company used Small Business Server, which created multiple default user groups and containers.

Unfortunately, the guys working before me did no documentation at all. Now, as I inherit this structure, I am in no man's land. No idea which direction to head first.

[screenshot of the Active Directory Users and Computers tree]

As you can see, the Active Directory Users and Groups have become a bit confusing. There is no SBS anymore, but when migrating from SBS to the current Windows Server 2008 R2 environment the guys before me simply copied the same structure.

The real question:

Where should I start cleaning from, ensuring that I won't totally break the current infrastructure? What is a nice organization for the scenario that I have explained above?

Possible useful info about the current structure:

  1. Computers folder: contains the Terminal Services Computers user group
    • Members: the TerminalServer computer object, located in the Server -> Terminalserver OU
    • Member of: none
  2. Foreign Security Principals: empty
  3. Managed Service Accounts: empty
  4. Microsoft Exchange Security Groups: not sure if needed; our email is administered by an external service provider
  5. Distribution Groups: not sure if needed
  6. Security Groups: there are a couple of groups which are needed
  7. SBS users: contains all the users
  8. Terminalserver: contains only the TerminalServer machine
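Before redesigning anything, it helps to see which GPOs actually reach a given user session and which GPOs in the domain define the Trusted Sites list at all. The following is an added diagnostic example, not part of the original question; it assumes the RSAT GroupPolicy module is available (GPMC on Windows Server 2008 R2), that it is run on the Terminal Server in the affected user's session, and the site URL is a placeholder.

```powershell
# Added diagnostic example (not from the original post).
# Assumptions: run on the Terminal Server as the affected user; GroupPolicy
# module installed; $Site is a placeholder for the real intranet URL.
param(
    [string]$Site = 'https://intranet.example.local'   # placeholder
)

# 1. Which GPOs applied to this user session, and which were filtered out?
#    "Applied Group Policy Objects" vs. "was filtered out" is the first thing
#    to compare between a user that gets the setting and one that does not.
gpresult /r /scope:user

# 2. The "Site to Zone Assignment List" policy writes one string value per
#    site under ZoneMapKey; the data is the zone number (2 = Trusted Sites).
#    User Configuration lands in HKCU, Computer Configuration in HKLM.
$zoneMapKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)
foreach ($key in $zoneMapKeys) {
    if (-not (Test-Path $key)) {
        "$key : absent (no policy of this scope applied)"
        continue
    }
    $map  = Get-ItemProperty -Path $key
    $zone = $map.$Site
    if ($zone) { "$key : $Site -> zone $zone" } else { "$key : $Site not listed" }
}

# 3. Every GPO in the domain that defines a ZoneMapKey entry, so that a
#    conflicting or forgotten GPO linked elsewhere can be spotted.
Import-Module GroupPolicy
$suffix = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
Get-GPO -All | ForEach-Object {
    $gpo = $_
    foreach ($hive in 'HKCU', 'HKLM') {
        try {
            $values = Get-GPRegistryValue -Guid $gpo.Id -Key "$hive\$suffix" -ErrorAction Stop
            foreach ($v in $values) {
                '{0} [{1}]: {2} -> zone {3}' -f $gpo.DisplayName, $hive, $v.ValueName, $v.Value
            }
        } catch {
            # Get-GPRegistryValue throws when the GPO does not set this key; that is the normal case.
        }
    }
}
```

Run it twice, once as a user who gets the Trusted Sites entry and once as a user who does not, and diff the outputs: if the set of applied GPOs differs, the cause is security filtering or OU placement rather than the setting itself. Note that the Trusted Sites zone lowers IE's restrictions for the listed site, so only the exact scheme and host that needs it should appear in the list.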

Best Answer

I've dealt with similar problems in the past.

That being said, your organization doesn't look too far from ordinary. A lot of small businesses are built just like you outline.

If you really want to restructure the best solution I have found is setting up an OU with block group policy inheritance at the root of your domain. Build your new structure under this OU and apply your group policies there as well. You can then move your computer and user objects in a controlled fashion.

As far as design - use whatever works. Don't try to emulate the physical arrangement of the business too closely. Group your systems to make them easy to administer.

Edits for clarification:

'Block Inheritance' is an option that allows you to set up an OU that won't accept any policies which are defined above it. This allows for a totally blank slate. Any objects which are later moved here will have none of the existing policies applied, even if they otherwise would be. Any objects left in their original homes will still have their current policies applied.

Although a bit dated the logical modeling here provides some excellent guidance on overall AD structure.

One additional point, which is extremely important - document everything you are doing. Include why it is done this way as well as how it is configured. The exact method you chose for this doesn't matter, but I personally really prefer one of the various Wikis out there. Building detailed history for your environment is a godsend.

Additional edit in response to Joe Qwerty

I don't necessarily advocate a restructure. Doing so can be time intensive and a serious pain in the ***. I am just advising how to do so if that is the route the OP chooses. Personally that'd be a last resort. I've contracted at places where everyone was a domain admin and the accounts / group policies were a total mess, and there a restructure is the most viable option.

Given the choice I would opt to work within the existing AD structure. If the naming conventions, etc. bother you, they can always be changed. The OUs, group names, etc. all have GUIDs that won't be broken by a rename. The SBS entries were likely not copied from the old SBS server. SBS includes Active Directory. A common migration path as organizations expand is adding a 2008 R2 / 2012 server, promoting it to domain controller, moving the FSMO roles and then demoting the original SBS server. If the old admin had spent a lot of time in the original SBS AD console I could see why you wouldn't want to change the naming convention.
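The staging procedure from the answer above (a root OU with inheritance blocked, the new structure built underneath it, new GPOs linked there, objects moved in one at a time) can be scripted so that every step is repeatable and documented. The following is an added example and is not the answer author's code; it assumes the ActiveDirectory and GroupPolicy modules are installed, that it runs as a domain admin, and that the OU names, GPO name, test user and site URL are placeholders. One caveat the answer does not mention: a GPO link marked Enforced above the OU still applies despite Block Inheritance, so the script prints the inheritance state for checking.

```powershell
# Added example (not from the original answer): staged AD restructure with a
# block-inheritance OU. Placeholders: OU name 'Company', GPO 'IE Trusted Sites',
# user 'testuser', computer 'TERMINALSERVER', site https://intranet.example.local.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$rootName  = 'Company'
$rootOU    = "OU=$rootName,$domainDN"
$usersOU   = "OU=Users,$rootOU"

function Ensure-OU {
    # Create an OU under $Path if it does not exist; protect it from accidental deletion.
    param([string]$Name, [string]$Path)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
}

# 1. Root OU for the new structure, with inheritance blocked so nothing linked
#    above it reaches objects placed here (Enforced links are the exception).
Ensure-OU -Name $rootName -Path $domainDN
Set-GPInheritance -Target $rootOU -IsBlocked Yes | Out-Null
Get-GPInheritance -Target $rootOU | Select-Object Path, GpoInheritanceBlocked, InheritedGpoLinks

# 2. Sub-OUs grouped by how they are administered, not by the org chart.
foreach ($name in 'Users', 'Groups', 'Servers') { Ensure-OU -Name $name -Path $rootOU }

# 3. A fresh GPO carrying only the Trusted Sites entry, linked at the new Users OU.
$gpoName = 'IE Trusted Sites'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Adds the intranet site to the Trusted Sites zone (zone 2).'
}
$ieSettings = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpoName -Key $ieSettings `
    -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$ieSettings\ZoneMapKey" `
    -ValueName 'https://intranet.example.local' -Type String -Value '2' | Out-Null   # 2 = Trusted Sites

$linked = (Get-GPInheritance -Target $usersOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $usersOU -LinkEnabled Yes | Out-Null }

# 4. Move a single test user first; everyone else keeps their current policies.
$testUser = Get-ADUser -Identity 'testuser'                     # placeholder account
Move-ADObject -Identity $testUser.DistinguishedName -TargetPath $usersOU

# 5. Verify the resultant set of policy for that user on the Terminal Server
#    (the user must have logged on there at least once) before moving the rest.
$report = Join-Path $env:TEMP 'rsop-testuser.html'
Get-GPResultantSetOfPolicy -ReportType Html -Path $report `
    -User "$((Get-ADDomain).NetBIOSName)\testuser" -Computer 'TERMINALSERVER' | Out-Null
"RSoP report written to $report"
```

The script is idempotent for the OU and GPO steps, so it can be re-run after each batch of moves; the RSoP report it writes is exactly the kind of artifact worth attaching to the wiki page the answer recommends, together with the reason each OU and GPO exists.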