Complete Active Directory redesign and GPO application
After much testing, hundreds of tries and many hours invested, I decided to consult you experts here.
Overview:
I want to apply a GPO to our users which will add some specific site to the Trusted Sites in the Internet Explorer settings for all users. However, the more I try, the more confusing the results become. The GPO is either applied to one group of users or to another one. Finally, I came to the conclusion that this weird behavior is caused rather by the poor organization of Users and Groups in Active Directory. As such I want to kick the problem from the root: redesign the Active Directory Users and Groups.
Scenario:
There is one Domain Controller, and we use Terminal Services (so there is a Terminal Server as well). Users usually log on to the Terminal Server using Remote Desktop to perform their daily tasks. I would classify the users in the following way:
- IT: Admins, Software Development
- Business: Administration, Management
The current structure of the Active Directory Users and Groups is a result of the previous IT management. The company has used Small Business Server which has created multiple default user groups and containers.
Unfortunately, the guys working before me did no documentation at all. Now, as I inherit this structure, I am in no man's land. No idea which direction to head first.
As you can see, the Active Directory Users and Groups have become a bit confusing. There is no SBS anymore, but when migrating from SBS to the current Windows Server 2008 R2 environment the guys before me simply copied the same structure.
The real question:
Where should I start cleaning from, ensuring that I won't totally break the current infrastructure? What is a nice organization for the scenario that I have explained above?
Possible useful info about the current structure:
- Computers folder: contains the Terminal Services Computers user group. Members: the TerminalServer computer, located at Server -> Terminalserver OU. Member of: NONE. Members: (nothing listed)
- Foreign Security Principals: EMPTY
- Managed Service Accounts: EMPTY
- Microsoft Exchange Security Groups: not sure if needed, our emails are administered by an external service provider
- Distribution Groups: not sure if needed
- Security Groups: there are a couple of groups which are needed
- SBS users: contains all the users
- Terminalserver: contains only the TerminalServer machine
Solution 1:
I've dealt with similar problems in the past.
That being said, your organization doesn't look too far from ordinary. A lot of small businesses are built just like you outline.
If you really want to restructure, the best solution I have found is setting up an OU with block group policy inheritance at the root of your domain. Build your new structure under this OU and apply your group policies there as well. You can then move your computer and user objects in a controlled fashion.
As far as design: use whatever works. Don't try to emulate the physical arrangement of the business too closely. Group your systems to make them easy to administer.
Edits for clarification:
'Block Inheritance' is an option that allows you to set up an OU that won't accept any policies which are defined above it. This allows for a totally blank slate. Any objects which are later moved here will have none of the existing policies applied, even if they otherwise would be. Any objects left in their original homes will still have their current policies applied.
Although a bit dated the logical modeling here provides some excellent guidance on overall AD structure.
One additional point, which is extremely important: document everything you are doing. Include why it is done this way as well as how it is configured. The exact method you choose for this doesn't matter, but I personally really prefer one of the various Wikis out there. Building a detailed history for your environment is a godsend.
Additional edit in response to Joe Qwerty:
I don't necessarily advocate a restructure. Doing so can be time intensive and a serious pain in the ***. I am just advising how to do so if that is the route the OP chooses. Personally that'd be a last resort. I've contracted at places where everyone was a domain admin and the accounts / group policies were a total mess, and there a restructure is the most viable option.
Given the choice I would opt to work within the existing AD structure. If the naming conventions, etc. bother you, they can always be changed. The OUs, group names, etc. all have GUIDs that won't be broken by a rename. The SBS entries were likely not copied from the old SBS server. SBS includes Active Directory. A common migration path as organizations expand is adding a 2008 R2 / 2012 server, promoting it to domain controller, moving the FSMO roles and then demoting the original SBS server. If the old admin had spent a lot of time in the original SBS AD console I could see why you wouldn't want to change the naming convention.
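The blocked-inheritance staging OU from Solution 1, as an added example (not the answerer's own code). It assumes the domain corp.example.com, the OU and GPO names shown, and a test account named test.user; the IT / Business split follows the classification in the question.

```powershell
# Added example. Assumed: domain corp.example.com, OU names below, account test.user.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=corp,DC=example,DC=com'      # assumption
$rootOu   = "OU=Company,$domainDn"            # new top-level OU (assumption)

# 1. Create the new root OU and block inheritance, so nothing linked above it
#    (domain-level or leftover SBS policies) reaches objects moved under it.
#    Only links marked "Enforced" higher up can still get through a block.
New-ADOrganizationalUnit -Name 'Company' -Path $domainDn -ProtectedFromAccidentalDeletion $true
Set-GPInheritance -Target $rootOu -IsBlocked Yes | Out-Null

# 2. Build the structure from the question (IT / Business) beneath it.
foreach ($ou in 'IT', 'Business') {
    New-ADOrganizationalUnit -Name $ou -Path $rootOu -ProtectedFromAccidentalDeletion $true
}
foreach ($ou in 'Admins', 'Software Development') {
    New-ADOrganizationalUnit -Name $ou -Path "OU=IT,$rootOu" -ProtectedFromAccidentalDeletion $true
}
foreach ($ou in 'Administration', 'Management') {
    New-ADOrganizationalUnit -Name $ou -Path "OU=Business,$rootOu" -ProtectedFromAccidentalDeletion $true
}

# 3. Link the policies you actually want at (or below) the new root only.
$gpo = New-GPO -Name 'Company - Baseline' -Comment 'Documented at: <wiki page placeholder>'
New-GPLink -Name $gpo.DisplayName -Target $rootOu -LinkEnabled Yes | Out-Null

# 4. Verify the block is in effect BEFORE moving anything. With the block on,
#    InheritedGpoLinks should list only links from this OU (plus any enforced ones).
$inh = Get-GPInheritance -Target $rootOu
if (-not $inh.GpoInheritanceBlocked) { throw "Inheritance is not blocked on $rootOu" }
$inh.InheritedGpoLinks | Format-Table DisplayName, Target, Enabled, Enforced

# 5. Move a single test account first (pipeline from Get-ADUser, so the old SBS
#    container path need not be typed), then check with gpresult /r /scope:user
#    on the Terminal Server before moving users in bulk.
Get-ADUser -Identity 'test.user' |
    Move-ADObject -TargetPath "OU=Management,OU=Business,$rootOu"
```

Objects left in the old containers keep their current policies, exactly as the answer describes, so the two structures can coexist while you migrate.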
Solution 2:
I'm going to differ with Tim's answer and say that you ought to look at solving your problem by figuring out why your intended GPO settings aren't working, not by "restructuring" your current setup. Restructuring your current setup isn't going to solve your problem if you're configuring the wrong GPO to begin with. With the exception of a few additional OUs, the "structure" looks typical for SBS. Just because you don't have SBS anymore doesn't mean you need to throw out the baby with the bath water. Asking whether or not you can delete the Microsoft Exchange Security Groups OU leads me to believe that you lack the appropriate knowledge and experience to take on a redesign.
I suspect your real problem is that you're trying to configure some settings for your users for when they log onto the Terminal Server, but that you're configuring the settings in the GPO linked to the users' OU instead of configuring the settings in the GPO linked to the Terminal Server OU and using Loopback Policy Processing, which would be the way to do that if that's your scenario.
So, are you trying to configure settings for the users for when they log onto the Terminal Server? If so, in which GPO are you configuring those settings?
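The loopback setup Solution 2 points at, as an added example (not the answerer's own code): one GPO linked to the Terminal Server OU that enables loopback processing in Computer Configuration and carries the Trusted Sites entry from the question in User Configuration. It assumes the Terminalserver OU lives directly under corp.example.com and that the site to trust is https://intranet.example.com; both are assumptions.

```powershell
# Added example. Assumed: Terminal Server OU path, GPO name and the site URL below.
Import-Module GroupPolicy

$tsOu = 'OU=Terminalserver,DC=corp,DC=example,DC=com'   # assumption
$site = 'https://intranet.example.com'                  # assumption
$zoneTrusted = '2'   # zone map data: 1 = Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted
$gpo  = New-GPO -Name 'TS - User Settings (Loopback)'

# 1. Computer side: loopback processing. UserPolicyMode 1 = Merge, 2 = Replace.
#    This is what makes the USER settings of GPOs linked to the computer's OU apply
#    to whoever logs on to the Terminal Server, no matter which OU the account is in.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 2. User side: the "Site to Zone Assignment List" policy. The GPMC editor writes an
#    enabling flag plus one string value per site under ZoneMapKey; we do the same.
$ieKey = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $ieKey `
    -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$ieKey\ZoneMapKey" `
    -ValueName $site -Type String -Value $zoneTrusted | Out-Null

# 3. Link to the Terminal Server OU only. Linking this GPO to the users' OU is the
#    mistake the answer describes: the setting then depends on where the account
#    sits rather than on which machine it logs on to.
New-GPLink -Name $gpo.DisplayName -Target $tsOu -LinkEnabled Yes | Out-Null

# 4. Check that the loopback value really landed in this GPO's Computer Configuration.
$mode = Get-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
if ($mode.Value -ne 1) { throw 'Loopback mode was not written to the GPO' }

# 5. On the Terminal Server: gpupdate /force, then as a logged-on user run
#      gpresult /r /scope:user
#    The GPO must appear under "Applied Group Policy Objects" for that user session.
```

Once the Site to Zone Assignment List policy is in force, users can no longer edit the zone lists themselves in Internet Options, so any other sites they need must be added to the same policy.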