To effectively plan an OU structure, you must examine the company's organizational structure and its administrative model. You might recall that this sounds very similar to the elements you considered with domain design. It is. The difference lies with the rules you followed with domain design—mainly, if you didn't have a reason to create a domain, you likely have a reason to create an OU. Remember also that OUs are created within each domain, so even if you did have a reason to create a domain, you may still have a reason to create additional partitions within its structure.

The following list highlights some of the reasons you'll likely create OUs:

All of these are valid reasons for creating OUs; however, the four highlighted in the following sections represent the best reasons.

You should understand a couple of things before you begin the OU structure. First, because objects within an OU structure are configured by default to inherit Access Control Entries (ACEs, the specific security entries that make up an ACL) from their parent object, moving an object from one OU to another may cause changes to the ACL of the object and result in certain accessibility issues. Second, since GPOs are assigned at the OU level and apply by default to every object within that OU, moving an object from one to another may change the group policies applied to it and therefore cause security problems and other unexpected changes.

It is recommended that you examine both the inherited ACEs and GPOs associated with each OU before you attempt to move objects between them.

As mentioned previously, your OU structure can be as deeply nested as you see fit—there are no physical limitations on this. However, realistically the structure should not exceed 15 levels, and LDAP queries begin to degrade at a depth of five levels. If you find your OU structure is consistently exceeding these soft boundaries, you need to reconsider your domain structure and take another look at the administrative structure of the organization.

You should name OUs with descriptive names that reflect the structure that they represent. For example, if in the domain eastus.wayfront.com the WayFront organization has Sales, Services, and Administration departments, they might form their OU structure according to those departments, and name them Sales, Services, and Administration. These names are relatively static, which is the key to naming OUs. OUs that represent structures within the organization that are likely to change—such as OUs for special projects—become an issue when a particular project comes to an end and you are faced with deleting the OU and restructuring its objects.

To make a long story short, model OUs after something that is not likely to change. The following two sections illustrate how and where to discover these areas of business.

The way the company is organized represents its organizational structure. If you've seen an organizational chart for the company, you've gained insight as to how the company is organized and how it operates within its geographic scope. Remember the previous chapters on this stuff?

It is best to begin with the organizational chart because it typically defines the functional divisions of the company and says something about how its employees work. Figure 12.1 illustrates a hypothetical organizational chart for a WayFront domain.

Figure 12.1. The eastern remote office high-level organizational chart.

Depending on the administrative requirements within each of these functional areas, they may be represented by one or more OUs each.

There are three types of administrative models within an IT organization: centralized, decentralized, and hybrid. We discussed each of these models at length previously in this book. This is where you need them. Within each division (or region or branch or other unit)of a company, IT resources must be managed in some way, shape, or form. In the case of WayFront, the remote satellite offices are managed by their corresponding regional office. Close scrutiny of the administration model for this office will help you understand how the OUs need to be structured. Keep in mind that you not only must consider how resources are managed, but also need to consider Group Policy.

In this case, the east region headquarters IT staff manages all of the remote satellite office resources from the east region headquarters. They do, however, grant delegation of control to specific users and allow them to do password resets for all users in the site. Based on this model, they could use the OU structure illustrated in Figure 12.2.

Figure 12.2. The east satellite office OU structure within the eastus.wayfront.com domain.

Figure 12.2 points out the most significant influences to its design, which are the following:

The following sections expand upon the flexibility of Windows 2000 OUs.

Any company—large and geographically dispersed, or small and centralized—can choose to implement a single Windows 2000 domain. Large companies that may have a presence across the United States can partition that domain using OUs based on geographic location. A company that fits this model is Components Galore, Inc. (CGI), a national company with offices in several cities in several states. Figure 12.3 illustrates just one way CGI could implement OUs.

Figure 12.3. Components Galore designed its first- and second-level OU structure according to geographic location.

Using this model, CGI can simply add a second-level OU when a new office is opened up in a specific region. The first-level OUs can be used to assign regional group policies or even delegate control over an entire region. They may also be used for nothing but a placeholder in the hierarchy.

Keep in mind that this model can be used for multinational models as well. However, there often is a difference in preferred languages to contend with from one country to the next. When this situation arises, you must create additional domains because (as discussed in Chapter 11, "Designing the Active Directory Structure" ) character sets, currency, and so on, are focused at the domain level.

Some companies are organized more by business function or department. In cases like this, the OU structure should be focused on these areas more than on geographic boundaries. Such a company typically categorizes its business as functional practices or divisions, and each of these practices or divisions likely has one or more subcomponents, typically in the form of departments. eMagic operates in this fashion, and organizes its single-domain OU structure as in Figure 12.4.

Figure 12.4. The eMagic company organizes itself by functional practice. Each functional practice has one or more subpractices.

eMagic can expand its business by adding more functional practice areas and by adding departments or subpractices within each of these practice areas.

Many companies will use the first two levels of the OU structure to reflect the IT administration model itself. For example, a company that uses decentralized IT administration throughout the country might structure its OU model to reflect the IT hierarchy, as in Figure 12.5.

You may have noticed in Figure 12.5 that SpeedThought uses an IT model that is focused on specific departments—in this case, Sales and Services. Under the second-level OUs then could be further divisions within each department that break out of the IT administration model. For example, the IT Sales OU could be further divided into Outside Sales and Inside Sales, and the IT Services OU could be further divided into Professional Services and Technical Services.

Figure 12.5. The SpeedThought organization uses the first- and second-level OUs to reflect its IT administrative hierarchy throughout the company.

Some of the larger corporations organize by cost centers, which typically represent separate business units. The OU structure is flexible enough to accommodate this model as well. The giant MG Motor Corporation (MGMC) is just such a company. They have literally hundreds of business units to accommodate several different lines of business in the auto market. Their OU structure (scaled down for this illustration) might resemble Figure 12.6.

Business Unit-Based OU Structure Advantages

This model would work well in a conglomerate where each business unit is treated separately from the rest of the organization.

Figure 12.6. The MG Motor Company operates under several business units—each with its own "bottom line."

Similar to the cost center model represented as a business unit model, organizations whose business revolves around project-based work, such as a building contractor or a consulting company, may choose to structure their OUs accordingly. Figure 12.7 represents the NewStrategy Consulting Company, which uses this OU approach.

Project-Based OU Structure Disadvantages

Using project-based OU structures breaks a major recommendation in OU design—that OUs should remain relatively static. The definition of a project states that it has a definite start and end time. What happens to the resources when a project ends? They must be reassigned to other OUs. What happens if a consultant is part of many projects at the same time? Just about all the other disadvantages related to OU structures apply here as well, such as administrators having no idea where geographically or departmentally a resource exists. To make a long story short, don't use project-based OUs at the top level. They can be used as a lower-level structure if the company is organized in such a way, but keep in mind that they will require a lot of administration.

Figure 12.7. NewStrategy is a consulting firm whose business revolves around project-based work.

REVIEW BREAK

Review of Popular OU Design Options
Design Option	Advantages	Disadvantages
Organize by geography	Your first-level OUs remain static, which is a best practice in OU design. Also, administrators have a good idea where an OU's objects are physically located.	If the geography of a company doesn't match the way an organization is managed, it may be difficult to comprehend. This may cause confusion about to which business unit or function a user or object actually belongs.
Organize by function or department	Well-established business functions typically do not change, so the first-level OU structure should remain static.	Administrators may have difficulty identifying where an object within an OU is physically located. For businesses that change frequently to stay atop their market, this structure may do more harm than good.
Organize by administration	Tailored to the way administrators run the network. OU administrators can easily identify where resources are administered from. Provides for easy delegation of administrative control.	Administrative delegation outside the IT department becomes a bit more challenging in this model. Users may not be adequately organized for Group Policy assignments.
Organize by business unit	This model would work well in a conglomerate where each business unit is treated separately from the rest of the organization.	Administrators may have difficulty determining where resources physically reside. Users from different departments or different functional units may be grouped into one OU but require different software or have different desktop restrictions that make Group Policy assignment complex. The names of business units often change.
Organize by project	The only advantage to organizing by project is the logical grouping of resources per project.	Project-based OUs are not relatively static. Project resources are typically a part of many projects at once, which would be structurally impossible to reproduce with OUs. Just about all the other disadvantages related to OU structures apply here as well.

The best approach you can take at planning the OU structure is to determine exactly how the company runs its business through the administrative eyes of IT. You will most likely create a hybrid of two or more of these models according to the company. Look at the organizational chart. Is there a separate chart for each location? If so you may consider using geographic locations for the top level or two. The most important thing to remember, though, is that the OU structure should be developed according to how the company administers and delegates control of IT resources within the operational and organizational structures. Don't just start creating OUs. You must sit down with the IT administrative staff and plan it out. What is the administrative model? How many locations are there? What are the core business units? Do they exist at each location? Is there IT staff at each location? In each region? These questions and more like them are the ones you need to answer during the planning process.

Don't forget about the Group Policy thing either. If you plan to use Group Policy to distribute software or lock down user workstations, you must consider how you plan to do that through the OU structure.

The OU structuring options we discussed in this section are popular options for beginning the overall OU design, but are not exhaustive by a long shot. Again, the flexibility is tremendous, which gives you the ability to mold the OU structure as tightly as you want around the business and IT administration model of the company.

By the time you sit down to actually design the OU structure, you should have a high-level plan in your head. You should have the company IT administrative organizational chart in hand, along with other organizational charts for each division or segment of the company. For each OU you create, you must be able to answer the following three questions:

The following sections explain why these questions are important.

Let's start from the very top. In an international company, the first-level OUs will likely end up as continent names. If you follow best practices, however, these divisions of the namespace should be handled by domains. Domains, as you should recall, should be used when multinational character sets or languages need to be implemented. Also, domains are a security and replication boundary, and networks between countries are usually not fast enough to sustain intra-domain replication.

Whether your first-level partitioning is a domain or an OU, the same primary rule still applies—that is, the name should be static and stable. This means it should not change and should be able to withstand a company reorganization.

It is also important that you keep in mind that first-level OUs do not have to represent the physical geography of the company. For example, if a company has two locations, one in Indiana and one in Washington, but the administration for both is done from Indiana, there is no need to create separate OUs. This will be a very difficult concept to grasp because your first instinct is to separate by physical geography. Remember, the OU structure is there for you to model the administrative structure of the organization. If you want to use geographic-based OUs, you can certainly do so; just keep in mind the purpose of OUs.

In a large company, the second-level OUs often end up being countries if that company operates internationally, or cities if that company operates in one country only.

Of course, each of the second-layer OUs must be a child of a first-layer parent, as you saw in some of the previous figures. One additional thing about second-layer OUs when using the country as a name: It is recommended that you use the ISO 3166 standard two-character country code to name the OU. This is just a recommendation, not a requirement.

If you choose to integrate individual U.S. states at this level (because most states are as large as some foreign countries), you should follow the U.S. Postal Code two-character format because individual states are not represented in ISO 3166. If you do this, be keenly aware of potential ISO 3166 / U.S. Postal Code conflicts, such as Canada and California (CA), Columbia and Colorado (CO), Albania and Alabama (AL), and so on.

It is likely that you won't place any or many resources in the first two levels of OUs because you'll want to drill down a few more layers to integrate the business model. The remaining levels of OUs should be defined according to the company model within the second-level OU. For example, an international company whose first-level OU is based on continent and second-level OU is based on country may look like Figure 12.8. TrainingKit Incorporated is a multinational company with decentralized IT administration. Within each region, TrainingKit operates in a centralized administration model and uses Group Policies to publish software for each department. They have a need to allow departmental administrators the ability to reset passwords for that department's users only. The subsequent OUs may look something like Figure 12.9.

Figure 12.8. TrainingKit Incorporated is an international company with a hybrid administration model. The corporate office is in Paris, France.

Figure 12.9. TrainingKit needs the ability to publish department-specific applications to its users and to allow departmental based representatives the ability to reset passwords.

Again (I can't say this enough), OUs are flexible! You can implement them in any of a thousand different ways to reflect your organization.

It is important after looking at Figure 12.9 to reiterate that OUs carry very little overhead in terms of performance. In fact, there is no theoretical limit as to the number of nested OUs you can create. Microsoft does recommend that you keep the number of nested OUs to 15 or fewer, and there is no reason you shouldn't be able to do so. The best OU design involves fewer levels and more OUs per level (breadth rather than depth). Group Policy objects that are associated with OUs do cause some administrative overhead, however, so you should take that into consideration during the design process. Also, LDAP searches for objects within a domain (or forest for that matter) begin to degrade at about five levels deep. According to Microsoft, this degradation increases exponentially the deeper you go.

We've been discussing delegation of administrative authority throughout this chapter, but what does it really mean? Active Directory provides a method for secure access down to the object attribute level. This means you can expose this granular level of security through OU delegation. We used the example about allowing a specific user or user group the ability to reset passwords only within a specific OU. That is a perfect example of object attribute level security. Those users are only able to modify the password attribute for the user accounts within the OU. Before we get into the delegation of authority, we'll review the security aspects necessary to make it happen.

Active Directory is composed of three main security components: Security principals, security identifiers, and security descriptors. Each of these components plays a key and very specific role in Active Directory security. Table 12.1 explains each of these security components.

Security Descriptors

The security descriptor structure for each object contains the parts illustrated in Figure 12.10, which are explained in the following list:

• Owner SID. . The SID of the owner of the object. The owner is responsible for granting access permissions and rights for the object. By default, the SID owner is the creator of the object.

• Group SID. . Used to integrate Windows 2000 with non-Microsoft operating systems.

• Discretionary ACL (DACL). . The DACL contains the access control permissions for an object and its attributes. It also contains the SIDs that determine who can access the object. These permissions and rights are represented as ACEs, which are explained in the following section.

• System ACL (SACL). . The SACL contains a list of events that can be audited for an object.

A client will be able to view objects only in the directory that he has the ability to view. For example, if an administrator wishes to hide the objects in an OU from all users, he can remove the Authenticated Users and Everyone groups from the ACL on the OU. Because the ACL of an object is published with the object in the Global Catalog, only users with permission to view the object can do so.

Figure 12.10. The security descriptor structure is attached to each object within Active Directory.

Inheritance

One of the more important processes to consider during the OU structuring process is inheritance. Objects that are created in OUs inherit the permissions that are granted (via ACEs) to the parent object. Because OUs can be nested inside other OUs, child OUs inherit permissions from parent OUs. By carefully considering this process during design, you can eliminate the need to grant permissions to individual objects within the directory.

When a permission is assigned to an OU (or any other container in Active Directory), it can be applied to the container object only, to the object and all of its children, to its children only, or only to specific children.

Figure 12.11. Right-click an OU and click on the Security tab to view the ACL, ACEs, and Inheritance options. Inherited permissions appear with a grayed check box, as in this figure.

Permissions are determined at the time of creation and are composed of a combination of the schema definition for that object type and that object's parent's permissions. You can choose to block inheritable permissions on a specific object or OU by deselecting a check box on that object. Once you do this, changes to the parent permissions that normally would be inherited by the object would be blocked.

Figure 12.11 illustrates the DACL, ACEs, and inheritance-blocking elements for an Active Directory object.

To form an effective delegation plan, you need to understand what it is you can delegate. Table 12.2 describes the options for delegating administrative tasks.

Keep in mind that since you can delegate down to object attribute-level permissions, there are literally thousands of delegation options in Active Directory. The ones listed in Table 12.2 are general and common and should serve as enough of an example for you to grasp the concept.

A critical part of defining the OU structure is defining the delegation plan. This section falls after the section on designing the OU structure in this book only because it made sense to break out delegation so we could focus on it. In the real world, you will put this section to use as you design the OU structure, not afterward.

Crucial to the success of your OU design is defining the type of access and actions that can be performed on objects in every OU. This process will not be easy if your OU structure does not cascade nicely, which is why it is so important to plan and scrutinize it. The goal of your design is to have the ability to delegate control at the OU level.

The following list builds on a previous listing of questions an administrator should be able to answer regarding an OU design. This list takes those questions and converts them to requirements. To define the type of access administrators will have on OUs, you must do the following:

Ideally, domain administrators should be responsible only for the following:

If you follow these recommendations, you can keep the Domain Admins membership to a minimum. Additional OU creation can be handled by "down-level" administrators or even specified end-users. Of course, you never want to stick an end-user who doesn't understand what he is doing in a position of power, controlled or not.

Top-level OUs should be created by delegating full control. Bottom-level OUs should be created for delegating per object-class control. If you have divisions of your company that require their own OU structure, you can perform Step by Step 12.1 to allow delegated creation of the OUs below the top level.

If your organization doesn't have divisions or business units that require full control of additional OUs, the domain administrators can complete the OU structure and retain full control—and administrative responsibility—for the entire organization.

There are three tools you can use to delegate control on objects in Active Directory:

The following sections describe these utilities in more detail.

To view information in the GPC, use the Active Directory Services Interface Editor (ADSIedit) and expand the Policies object (see Figure 12.12). Each of the GUID's listed under this object represent GPC's for the GPOs defined throughout the environment. If you have not defined any GPOs in your environment, there will still be two entries listed here, one for the default domain policy, and one for the default domain controller policy.

Figure 12.12. A view of Active Directory-based GPO and GPC data using ADSIedit.

To view the GPT information, navigate to the drive hosting the SYSVOL data on a domain controller in a domain. Change to the <sysvolroot>sysvolsysvol<domain name> folder. When you create GPOs, the 128-bit GUID generated to that GPO is used to create a directory under the preceding path to represent that GPO's GPT. Navigate through this directory structure and you will find policy information for administrative templates, scripts, user-specific settings, machine-specific settings, and more. See Figure 12.13.

Figure 12.13. A view of the GPT information stored on the SYSVOL of domain controllers.

Like Group Policy, inheritance is conceptually very simple to understand. If a parent has something, then all of its children, its children's children, and so on, implicitly have that something as well. It's much like heredity where human traits are passed on from generation to generation. In Group Policy, only configured settings are inherited by child objects; all other settings are ignored. There are three standard scenarios:

In the first scenario, a child that does not have configured values for a setting will inherit its parent's values. There are exceptions to this rule that will be discussed shortly.

In the second scenario, a child that has nonconflicting values for a setting will inherit its parent's values and apply its own. Consider user logon scripts a good example here. Administrators may associate logon scripts with top-level OUs to map standard drive letters, and with child OUs to map departmental drive letters. In this case, the same setting is configured in each GPO and applies sequentially (in hierarchical order) on the client.

Finally, a child that has conflicting settings will not inherit its parent's settings. In this case, the child OU settings prevail and are applied to all of its children. A good example here would be disabling the Run menu item. If the Run menu item is set to "on" on the parent, but an administrator with delegated authority wishes to disable it, the two settings will conflict, and by virtue of being the closest to the user or computer object, the child OU setting wins.

So what happens if in your OU structure you have entire child OUs that don't need a policy assigned to its parent, grandparent, or other higher-level structure? Administrators can block policy inheritance by selecting a check box on the Group Policy properties page of an SDOU object. Policy inheritance stops at the point of blockage. In Figure 12.14, you see the logical flow of inheritance through the SDOU structure. If you were to block inheritance at the middle OU level, then your inheritance path would resemble that shown in Figure 12.15.

Figure 12.14. Group Policy inheritance begins at the site level and flows down through a single domain and that domain's OU structure.

Figure 12.15. When inheritance is blocked, GPOs linked to SDOUs above the blockage point are not inherited. GPOs linked at the blockage SDOU and below are inherited.

There is one thing to remember here: If you choose to block policy inheritance, you block inheritance of all GPOs linked to objects above the one with blocking enabled.

The problem, of course, with allowing administrators to block policy inheritance at a child level is that you run the chance of corporate standard high-level policies being disregarded. Because you can delegate the ability to manage and manipulate GPOs to OU administrators, you give them the authority to "overrule" you when it comes to applying policy. Suppose, for example, you create a GPO to remove the Run menu option and link it to the mytoys.com domain. By doing this, you effectively remove the Run menu from every computer in that domain. Because you have a lot of users with differing requirements, you need to have a well-established OU structure based on varying levels of IT administration and geographic location. An OU administrator for the Sales OU four layers deep can block policy inheritance, create a GPO that allows the Run menu, and just like that—your security is compromised.

Do you honestly think Microsoft would allow such a thing to happen? Of course not. Administrators can check the No Override option on a GPO to force its application regardless of blockage or conflicting policies, as illustrated in Figure 12.16.

Figure 12.16. GPOs configured with the No Override option will be inherited by child SDOUs regardless of whether the child has block policy inheritance or has a conflicting policy setting.

The problem with what we have discussed so far is that a given GPO applies to all users and/or computers within the SDOU to which the GPO is linked. To combat this problem, we get to the real reason these policies are called "Group" Policies.

Because all objects in Active Directory have an ACL associated with them, there must be a way to allow or deny access to a GPO, which is itself an object. In fact, there is.

In the rare cases where you have members of a SDOU that require different policy settings, you can use Windows 2000 security groups to control the application of GPOs. Figure 12.17 displays the ACL with ACEs for a particular GPO. By default, the security group Authenticated Users is allowed the Apply Group Policy permission. This permission permits the group and its members to receive GPO settings. If you have a subset of users that should not get the settings of a policy, you can simply create a security group for them, and add the security group as an ACE with Deny Apply Group Policy to the GPOs ACL. This group's membership will not be permitted to receive that particular GPOs settings.

Figure 12.17. The Access Control Entries for a GPO.

You can conceivably take this approach right down to the user and/or computer level, although adding individual user accounts to ACLs is not recommended.

One thing you may assume is that group policies only apply at logon time. In fact there are several different occasions when GPOs apply themselves to the objects they are linked to. For starters, remember that there are two types of GPOs: those that are linked to computers, and those that are linked to users. These two types can be included in a single GPO, which can make things quite confusing. We will discuss how to make them less confusing in a bit. Regardless of where they are defined, Group Policies are applied at the following times:

There is an additional configurable Refresh setting that GPO administrators can choose to enable. There are several issues that need to be considered before this option is implemented, but it will actually refresh policies while a user is logged on and going about his business.

By default, both user and computer policies are refreshed every 90 minutes. You must take this into consideration now when making radical changes to GPOs that are in use on the network. Such changes may cause client computers to function differently and cause confusion and help desk calls, which is contrary to the Group Policy goal.

Figure 12.18. The Group Policy object configuration area for the computer section of a policy.

Figure 12.18 illustrates the Group Policy computer configuration area of the default Group Policy administrative template. Notice all the other settings you can make per GPO on this screen, some of which are explained in the following list:

You can set the refresh interval to a value between 0 and 64,800 minutes (45 days). Be aware that if you choose the 0 setting, the GPO will attempt to update every 7 seconds. This is not ideal in a production situation because of the amount of traffic it would cause, not to mention the fact that a user's screen might flicker every 7 seconds as the policy refreshes! Because of this, Microsoft recommends not refreshing GPOs more frequently than the default value of 90 minutes.

It is highly recommended that you devise some sort of method of notifying the users when a significant policy update is occurring. You could, for example, create a script that opens a window on the client to explain the update.

GPOs are not limited to Active Directory. Local computers have a scaled-down version of a GPO that is applied before any other GPO—it is called the Local Group Policy Object (LGPO). LGPOs can contain only security settings, scripts, and software policies. You cannot deploy applications using LGPOs. LGPOs consist only of the GPT section since they are not contained within Active Directory. They are not stored on the SYSVOL either, but rather in %systemroot%system32grouppolicy. LGPOs are processed even if the block policy inheritance on the parent SDOU is checked, and, if there is a conflict between an Active Directory GPO and an LGPO, the Active Directory GPO will prevail.

You might see the terminology LSDOU; it refers to the order in which policy objects are applied and includes the LGPO, which is always first. In the next section, we introduce the 4LSDOU terminology, which includes Windows NT 4.0 system policies, which are applied even before LGPOs.

You can't really mix GPOs with Windows NT system policies—they are two different animals. You can, however, place Windows NT system policies on the SYSVOL to allow your down-level policies to be applied to down-level clients. This is especially useful during an upgrade.

Remember these two things when dealing with Windows NT system policies:

We've been hinting at it all along, but haven't really laid it out for you. The following describes how policies—old and new—are applied according to a couple of scenarios.

If you have a standalone Windows 2000 client or member server, policies are applied as follows:

If you have a Windows 2000 client or member server operating in a mixed-mode environment, policies are applied as follows:

Finally, if you are operating in a pristine Windows 2000 native-mode environment, policies are applied as follows:

To reiterate, the following are the things you must understand at the very least as you begin to plan the structure and management of Group Policies:

To configure a Group Policy, you need the following:

So what do we mean when we say administration type? What does it represent? It represents a hierarchy of administration in most cases. You might have a central corporate IT staff with smaller IT staffs around the country responsible over those locations, one large IT staff responsible for all facets of administration, or a unique derivation of both. Whatever the case may be, the OU structure is focused at providing a hierarchical structure for IT administration and delegation and it always fits into one of the three types of administration.

Group policies are used for a number of reasons. They are used to define client desktop and user specific settings, to roll out and manage software applications, to configure logon/logoff and startup/ shutdown scripts, and more. The one thing all these features have in common is they are all IT administrative functions. It would make sense then that they would be created and applied according to how the IT administrative staff operates.

There are two common ways to structure your GPO design: monolithic or layered. Each has pros and cons and each maps to a type of administration.

Monolithic Design

In a monolithic design, the goal is to place all the policy settings for a group of users or computers in an SDOU object into a single GPO for that object. The problem with this approach is twofold: first, you don't have much flexibility in your administrative delegations, and second, the nature of these GPOs makes them general—and there would no doubt end up being an onslaught of GPOs at deeper OU levels to either block or change policies for special cases. The advantage of this design, though, is very quick logon processing time. During the logon process, all GPOs to be applied are applied in order of precedence, one at a time. For example, if a user logs on and must apply seven GPOs, she would have to wait while Active Directory opened a GPO, read its contents, applied its settings, and closed it, seven synchronous times. The advantage, then, with the monolithic design is that there is (conceivably) only one GPO to open and process. Figure 12.19 illustrates the monolithic design.

This approach would be best for a centrally controlled IT infrastructure.

Figure 12.19. The monolithic approach focuses on speed more than it does administration or flexibility.

Each of the preceding models is definitely something you can implement. The monolithic model, however, does not play well in a distributed environment because of its inherent lack of flexibility in terms of administrative delegation. It's pretty safe to assume that most companies will implement their OUs and GPOs in a layered approach. This approach allows centrally controlled organizations to force policy down from the top level using the No Override option, but it also allows them to loosen their grip and entrust confidants down the OU structure to perform anything from a single, simple task such as resetting user passwords for a specific OU to creating an elaborate substructure of OUs and GPOs to suit their needs.

Figure 12.20. The layered approach focuses on flexibility and delegation of administration more than it does on speed.

The amount of control the central "governing" IT body decides to relinquish to the subordinate administration staff is dependent upon its comfort level with the administration staff—not limitations with technology. This is an important concept to remember.

It may be necessary to enforce critical GPOs created and managed at the top of the Active Directory hierarchy upon all subordinate SDOUs throughout the environment. To do this, you check the No Override Group Policy option. Microsoft recommends that you limit the use of this function and its counterpart—Block Policy Inheritance—because overuse of these options could have an adverse affect on the overall Group Policy process.

Your OU design could be 400 levels deep and your logon performance wouldn't be affected as much as it would if you had to process 10 GPOs. There is no scientific proof of these numbers, but it is true that GPOs are responsible for causing the most lag in logon time. As discussed earlier, each GPO must be processed synchronously, which means they stack up. If a user account resides in an OU 10 levels deep and eight of those SDOU structures have associated GPOs, that client must wait while eight GPO files are opened, processed, applied, and closed—one at a time. The moral of this story is that you should keep a watchful eye on user logon performance as your GPO depth grows.

In some cases, you can use security groups to filter the effect of GPOs. Remember that GPOs are objects and hence have an associated ACL. By adding users who don't need specific policies to a security group, and then disallowing the application of that GPO to that security group, you can eliminate some overhead.

GPOs are rooted at the domain level. This means they are stored on domain controllers in a specific domain. GPO links are replicated to global catalog servers and thus can be applied to any computer or user in the forest. That said, you should be aware of the performance hit you'll take in retrieving the GPO from another domain—especially if that domain is separated by a slow WAN link.

Another strategy you can use to increase performance is to disable the unused portion of all GPOs. Each GPO consists of two distinct sections: the user configuration section and the computer configuration section. One of the best design practices is to create GPOs according to function—that is, to create separate GPOs for user and computer settings. You can break down this even further, as we'll discuss in the next section. To disable a section of a GPO, access its properties page and select the appropriate check box. Figure 12.21 displays the properties box for sitegpo.

Figure 12.21. The properties window for a GPO named sitegpo. You can choose to disable either the unused portions of the computer or user configuration settings on this page.

The result of disabling the appropriate section is that it takes approximately half the time to process only half the GPO—in other words, the disabled part is totally ignored.

The final area we need to discuss regarding the scope of Group Policy management is in the structure of the policy types within a GPO. GPOs can contain a single or multiple policy types, such as software installation policies, logon scripts, user settings policies, computer settings policies, and so on.

In a single policy-type structure, many GPOs may be generated to provide the same functionality as a single GPO using a multiple policy type structure. Figure 12.22, for example, illustrates how multiple policy-focused GPOs can be associated with a single GPO. One of the benefits of this model is the organization of GPOs. With a good standard naming convention, similar policies can appear together in the GPO listing. That doesn't sound like too big a benefit until you have 30 or 40 of them to manage. The downfall of the single policy structure is the performance hit your users are likely to take.

The policies in Figure 12.22 are not necessarily linked directly to the Accounting OU object, but apply nonetheless.

In a multiple policy structure, you attempt to place all policies in a single GPO and apply it to an appropriate SDOU object. Figure 12.23 illustrates the Accounting OU with this scenario in mind. Although it looks simpler to manage, consider who is managing it. This is a good configuration for a small, centrally managed company, but not for a distributed company because all administrators would need to access and potentially modify the same GPO.

Figure 12.22. The Accounting OU contains several single policy-focused GPOs.

Figure 12.23. The Accounting OU now contains only one directly linked OU that contains all settings for its users and computers.

One thing to keep in mind here is the recommendation that you split policy settings by user and computer. This would increase the number of required accounting GPOs to two: one for the computer settings and one for the user settings.

SMC is in the process of implementing Windows 2000 across its corporate network. The site, DNS, and domain designs have been completed and it wishes to continue the design process with OUs and Group Policy.

SMC currently runs on Windows NT in a single-domain environment and maintains high-speed WAN links between the three racetracks it manages. The Windows 2000 domain design consists of a single-domain structure with three sites. DNS servers exist in each site and manage a single Active Directory integrated zone.

Throughout the implementation of Windows NT at SMC, administration was controlled centrally by the corporate IT staff. Although this process was effective, SMC employees began to become frustrated because the IT staff could not provide services in the required amount of time.

The current system is a Windows NT network with a single domain. All administration is controlled centrally by the SMC IT administration staff. External offices do not have the capability to manage any of their local resources.

The envisioned system is one that will allow for centralized administration with delegated control for certain business areas. It will also allow us to incorporate our standard hardware, software, and security settings and enforce those among the network.

Centralized management with delegation is key. All objects in the directory must be easy to understand and manage.

User logon performance is a problem currently, so that is high on the priority list to fix. Network bandwidth between locations is adequate for most operations; however, use of the expensive links should be kept to a minimum unless necessary.