Chapter 6. Designing Organizational Unit and Group Structure

In addition to the lessons learned from OU and group use in Windows 2000, Windows Server 2003 introduces several functional advantages and improvements to OU and group structure and replication that fundamentally change their design method. Universal Group Membership caching, incremental group replication, and other enhancements have increased the flexibility of OU and group design, and have given administrators greater tools to work with.

This chapter defines organizational units and groups within Windows Server 2003's Active Directory and describes methods of integrating them into various Active Directory designs. Specific step-by-step instructions and "best practice" design advice are given as well. In addition, functional OU and group design models are detailed and compared.

Defining Organizational Units in Active Directory

An organizational unit is an administrative-level container, depicted in Figure 6.1, that is used to logically organize objects in Active Directory. The concept of the organizational unit is derived from the Lightweight Directory Access Protocol (LDAP) standard upon which Active Directory was built, although there are some conceptual differences between pure LDAP and Active Directory.



Figure 6.1. Active Directory organizational structure.



Objects within Active Directory can be logically placed into OUs as defined by the administrator. Although all user objects are placed in the Users container by default and computer objects are placed in the Computers container, they can be moved at any time.



Note

The default Users and Computers folders in Active Directory are not technically organizational units. Rather, they are technically defined as Container class objects. It is important to understand this point because these Container class objects do not behave in the same way as organizational units. To be able to properly utilize services such as Group Policies, which depend on the functionality of OUs, it is recommended that you move your user and computer objects from their default container locations into an OU structure.



Each object in the Active Directory structure can be referenced via LDAP queries that point to its specific location in the OU structure. You will often see objects referenced in this format when you're writing scripts to modify or create users in Active Directory or simply running LDAP queries against Active Directory. For example, in Figure 6.2, a user named Andrew Abbate in the San Jose Users OU would be represented by the following LDAP string:

CN=Andrew Abbate,OU=Users,OU=San Jose,DC=companyabc,DC=com



Figure 6.2. Viewing the LDAP of a user object in AD.



Note

OU structure can be nested, or include sub-OUs that are many layers deep. Keep in mind, however, that the more complex the OU structure, the more difficult it becomes to administer and the more time-consuming directory queries become. Microsoft recommends not nesting more than 10 layers deep. However, it would be wise to keep the complexity significantly shorter than that number to maintain the responsiveness of directory queries.
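
As an added example (not code from the book), here is a small Python parser for distinguished names in the format shown above for the Andrew Abbate object; it also counts how many OU layers deep an object sits, using the 10-layer ceiling from the note as the check. The DNs are constructed sample values.

```python
# Added example (not from the book): parse an LDAP distinguished name into its
# RDN components and report how deeply the object sits in the OU hierarchy,
# flagging depth beyond the 10-layer limit the note cites.
# The DN below is a constructed sample value.

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs. A comma inside a value must
    be escaped with a backslash (RFC 4514), e.g. 'Abbate\\, Andrew'."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                  # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)           # keep the escape so values round-trip
            escaped = True
        elif ch == ",":              # an unescaped comma ends the current RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value))
    return rdns

def ou_path(dn):
    """OU chain from the domain root down to the object's parent."""
    return [v for a, v in reversed(parse_dn(dn)) if a == "OU"]

def parent_dn(dn):
    """The container holding the object: everything after the first RDN."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])

MAX_OU_DEPTH = 10   # Microsoft's recommended nesting ceiling, per the note

def check_nesting(dn):
    """Return (depth, within_limit) for the object's OU nesting."""
    depth = len(ou_path(dn))
    return depth, depth <= MAX_OU_DEPTH

USER_DN = "CN=Andrew Abbate,OU=Users,OU=San Jose,DC=companyabc,DC=com"

if __name__ == "__main__":
    print(ou_path(USER_DN), parent_dn(USER_DN), check_nesting(USER_DN))
```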



OUs primarily satisfy the need to delegate administration to separate groups of administrators. Although there are other possibilities for the use of OUs, this type of administration delegation is, in reality, the primary factor that exists for the creation of OUs in an AD environment. See the "Starting an OU Design" section of this chapter for more details on this concept.



The Need for Organizational Units

While there is a tendency to use organizational units to structure the design of Active Directory, OUs should not be created to just document the organizational chart of the company. The fact that the organization has a Sales department, a Manufacturing department, and a Marketing department doesn't suggest that there should be these three Active Directory OUs. An administrator should create organizational units if the departments will be administered separately and/or policies will be applied differently to the various departments. However, if the departments will all be administered by the same IT team, and the policies being applied will also be the same, having multiple OUs is not necessary.

Additionally, organizational units are not exposed to the directory, meaning that if a user wants to send an email to the members of an OU, he would not see the OU structure nor the members in the OU grouping.

To see members of an organizational structure, Active Directory groups should be created. Groups are exposed to the directory and will be seen when a user wants to list members and groups in the organization.



AD Groups

The idea of groups has been around in the Microsoft world for much longer than OUs have been. As with the OU concept, groups serve to logically organize users into an easily identifiable structure. However, there are some major differences in the way that groups function as opposed to OUs. Among these differences are the following:

Group membership is viewable by users. Whereas OU visibility is restricted to administrators using special administrative tools, groups can be viewed by all users engaged in domain activities. For example, users who are setting security on a local share can apply permissions to security groups that have been set up on the domain level.

Membership in multiple groups. OUs are similar to a file system's folder structure. In other words, a file can reside in only one folder or OU at a time. Group membership, however, is not exclusive. A user can become a member of any one of a number of groups, and her membership in that group can be changed at any time.

Groups as security principals. Each security group in Active Directory has a unique Security ID (SID) associated with it upon creation. OUs do not have associated Access Control Entries (ACEs) and consequently cannot be applied to object-level security. This is one of the most significant differences because security groups allow users to grant or deny security access to resources based on group membership. Note, however, that the exception to this is distribution groups, which are not used for security.

Mail-enabled group functionality. Through distribution groups and (with the latest version of Microsoft Exchange) mail-enabled security groups, users can send a single email to a group and have that email distributed to all the members of that group. The groups themselves become distribution lists, while at the same time being available for security-based applications. This concept is elaborated further in the "Distribution Group Design" section later in this chapter.



Group Types: Security or Distribution

Groups in Windows Server 2003 come in two flavors: security and distribution. In addition, groups can be organized into different scopes: machine local, domain local, global, and universal.



Security Groups

The type of group that administrators are most familiar with is the security group. This type of group is used to apply permissions to resources en masse so that large groups of users can be administered more easily. Security groups can be established for each department in an organization. For example, users in the Marketing department can be given membership in a Marketing security group, as shown in Figure 6.3. This group is then allowed to have permissions on specific directories in the environment.



Figure 6.3. Security group permission sharing.



This concept should be familiar to anyone who is used to administering down-level Windows networks such as NT or Windows 2000. As you will soon see, however, some fundamental changes in Windows Server 2003 change the way that these groups function.

As previously mentioned, security groups have a unique Security ID (SID) associated with them, much in the same way that individual users in Active Directory have an SID. The uniqueness of the SID is utilized to apply security to objects and resources in the domain. This concept also explains why you cannot simply delete and rename a group to have the same permissions that the old group previously maintained.
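
As an added illustration of why a deleted and re-created group does not inherit the old group's permissions, the following Python models a DACL access check keyed by SID. This is not code from the book: the domain SID, RIDs and group names are constructed, and the evaluation is a simplified version of the Windows algorithm.

```python
# Added example (not from the book): a simplified model of how Windows evaluates
# a DACL. Access checks compare the SIDs in the caller's token against the SIDs
# in each ACE; a group's name never enters the comparison. All SIDs, RIDs and
# names below are constructed sample values, not from a real domain.
import itertools

READ, WRITE = 0x1, 0x2
DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"  # constructed
_next_rid = itertools.count(1101)  # a RID is never reused after deletion

def create_group():
    """Creating a group mints a fresh SID; the name is only an attribute."""
    return f"{DOMAIN_SID}-{next(_next_rid)}"

def access_check(token_sids, dacl, requested):
    """Walk ACEs in order, as Windows does: a deny ACE that applies to the
    caller and covers any still-needed bit denies; allow ACEs accumulate
    granted bits until nothing remains. dacl entries are
    (ace_type, sid, mask) with ace_type 'allow' or 'deny'."""
    remaining = requested
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:          # ACE does not apply to this caller
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0

def demo_recreated_group():
    """Delete 'Marketing' and re-create it under the same name: the old ACE
    still names the old SID, so members of the new group get nothing."""
    user_sid = f"{DOMAIN_SID}-1104"            # constructed user RID
    old_marketing = create_group()              # first 'Marketing' group
    dacl = [("allow", old_marketing, READ | WRITE)]
    before = access_check({user_sid, old_marketing}, dacl, READ)
    new_marketing = create_group()              # same name, different SID
    after = access_check({user_sid, new_marketing}, dacl, READ)
    return before, after

if __name__ == "__main__":
    print(demo_recreated_group())  # (True, False)
```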



Distribution Groups

The concept of distribution groups in Windows Server 2003 was introduced in Windows 2000 along with its implementation of Active Directory. Essentially, a distribution group is a group whose members are able to receive Simple Mail Transfer Protocol (SMTP) mail messages that are sent to the group. Any application that can use Active Directory for address book lookups (essentially LDAP lookups) can utilize this functionality in Windows Server 2003.

Distribution groups are often confused with mail-enabled groups, a concept in environments with Exchange 2000/2003. In addition, in most cases distribution groups are not utilized in environments without Exchange 2000/2003 because their functionality is limited to infrastructures that can support them.



Note

In Active Directory, distribution groups can be used to create email distribution lists that cannot be used to apply security. However, if separation of security and email functionality is not required, you can make security groups mail-enabled.



Mail-Enabled Groups

Members of Active Directory groups can be easily sent emails through the concept of mail-enabled groups. These groups are essentially security groups that are referenced by an email address, and can be used to send SMTP messages to the members of the group. This type of functionality becomes possible only with the inclusion of Exchange 2000 or higher. Exchange 2000/2003 actually extends the forest schema to allow for Exchange-related information, such as SMTP addresses, to be associated with each group.

Most organizations will find that mail-enabled security groups satisfy most of their needs, both security-wise and email-wise. For example, a single group called Marketing that contains all users in that department could also be mail-enabled to allow Exchange users to send emails to everyone in the department.



Group Scope

There are four primary scopes of groups in Active Directory. Each scope is used for different purposes, but all simply serve to ease administration and provide a way to view or perform functions on large groups of users at a time. The group scopes are as follows:

Machine local groups

Domain local groups

Global groups

Universal groups

Group scope can become one of the most confusing aspects of Active Directory, and it can often require a doctorate degree in Applied Bio-Groupology to sort it all out. However, if certain design criteria are applied to group membership and creation, the concept becomes more palatable.
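
An added example (not from the book) that ties the group types (security or distribution) and the group scopes above to the groupType attribute Active Directory stores on each group object. The bit values are the real ones from the AD schema; the sample LDAP entries are constructed. Machine local groups are not represented, since they live in each computer's local SAM rather than in Active Directory.

```python
# Added example (not from the book): decode the groupType attribute that Active
# Directory stores on every group object into the scope and type discussed
# above. The bit values are the real ones from the AD schema; the sample LDAP
# entries are constructed.

GROUP_TYPE_BUILTIN_LOCAL    = 0x00000001  # created by the system (e.g. Administrators)
GROUP_TYPE_GLOBAL           = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL     = 0x00000004
GROUP_TYPE_UNIVERSAL        = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # clear => distribution group

_SCOPES = {
    GROUP_TYPE_GLOBAL: "global",
    GROUP_TYPE_DOMAIN_LOCAL: "domain local",
    GROUP_TYPE_UNIVERSAL: "universal",
}

def decode_group_type(value):
    """LDAP returns groupType as a signed 32-bit integer (e.g. -2147483646),
    so normalise to unsigned before testing bits.
    Returns (scope, 'security' | 'distribution', is_builtin)."""
    bits = value & 0xFFFFFFFF
    scopes = [name for bit, name in _SCOPES.items() if bits & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {bits:#010x} sets {len(scopes)} scope bits")
    kind = "security" if bits & GROUP_TYPE_SECURITY_ENABLED else "distribution"
    return scopes[0], kind, bool(bits & GROUP_TYPE_BUILTIN_LOCAL)

def encode_group_type(scope, kind):
    """Inverse: the signed value LDAP/ADSI expects when creating a group."""
    bits = {name: bit for bit, name in _SCOPES.items()}[scope]
    if kind == "security":
        bits |= GROUP_TYPE_SECURITY_ENABLED
    return bits - 0x100000000 if bits & 0x80000000 else bits

def distribution_groups(entries):
    """Names of groups that cannot be used to apply permissions, so that a
    reviewer does not mistake a distribution list for a security boundary.
    entries: iterable of (name, groupType) as read from LDAP."""
    return [name for name, gt in entries if decode_group_type(gt)[1] == "distribution"]

SAMPLE_GROUPS = [                        # constructed, typical of an LDAP dump
    ("Marketing", -2147483646),          # global security
    ("SJ-FileShare-RW", -2147483644),    # domain local security
    ("Administrators", -2147483643),     # built-in domain local security
    ("All-Employees-DL", 8),             # universal distribution
]
```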



Machine Local Groups


