
grouper-users - Active Directory Organizational Unit Design

Subject: Grouper Users - Open Discussion List


Active Directory Organizational Unit Design

  • From: "Ward, Mike" <>
  • To: <>
  • Subject: Active Directory Organizational Unit Design
  • Date: Tue, 27 Apr 2010 01:34:44 -0700

Hello everyone,


Feel free to let me know if these questions are off topic for this list.  I tried searching the site but could not find a specific answer regarding these questions.


We are in the process of designing an Enterprise Active Directory (EAD) for the entire university in a decentralized environment.  Grouper will be used for the logic that controls and connects to our central user account database and Microsoft Forefront Identity Manager 2010 (previously ILM) synchronizes the accounts (and possibly groups) into EAD.  If we can, we would like to keep our AD design as close as possible to the grouper design.  My question is around Microsoft Organizational Unit (OU) design.


Most of the OU design is agreed upon other than the location of user accounts.  Currently we are debating putting all users, including students, into a single OU and scheduling scripts that apply permissions on user accounts versus putting the users into a departmental OU.  The issue is that users often move around the university and/or may have several roles (e.g. a user might be a student but also teach and work for administration, or a VP may also be a professor and do research, etc.).  So what do we do with user accounts in an OU that need to be managed by multiple departmental admin groups?


Other questions that have come out of this discussion are:

1)      What are other universities doing regarding AD design using grouper?

2)      GPOs – We would likely need to use group policy security filtering to apply the user GPO.  We would create a GPO for each department, give access to departmental administrators to modify the GPO for only their departments, then filter the GPO to only run for a specific group.  Questions about performance were raised.  Maybe this should be done through a third-party utility?

3)      Remote administrators' user account access - It would simplify administration for departmental administrators to have accounts and groups in a departmental OU, instead of searching through all names.   A possible workaround for having users in one OU is creating custom LDAP searches for departmental administrators.  Other solutions or thoughts on managing a large number of users in one container vs. departmental OUs?

4)      Do we want to apply permissions on the object level or the container level?  What are MS best practices for controlling by OU vs. scripting?

5)      Is it a security breach for all departmental admins to see all user account information?  I believe that all authenticated users have read access anyway.

I would really like to talk to any university that is doing a similar setup with grouper, particularly in regards to how active directory was setup.


Thank you for any information you have regarding this.
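The design sketched in questions 2) and 3) above (one users OU, a GPO per department filtered to a Grouper-fed department group, edit rights delegated to that department's admins, and a scoped LDAP search instead of a departmental OU) as an added worked example. This is editor-supplied PowerShell, not code from the original post or from Grouper/FIM. The OU distinguished name and the group names are hypothetical, and it is assumed that the department groups already exist in AD (for instance, provisioned by FIM from Grouper); the GroupPolicy and ActiveDirectory RSAT modules are required.

```powershell
# Added example (not from the original post). Assumes hypothetical OU/group
# names and that department groups are already provisioned into AD.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$UsersOU = 'OU=Users,DC=univ,DC=edu'   # hypothetical single OU holding all user accounts

function New-DepartmentUserGpo {
    param(
        [Parameter(Mandatory)][string]$Department,   # e.g. 'HR'
        [Parameter(Mandatory)][string]$UserGroup,    # department members (hypothetical, Grouper-fed)
        [Parameter(Mandatory)][string]$AdminGroup    # departmental administrators (hypothetical)
    )
    $name = "Dept-$Department-Users"
    $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $name -Comment "User settings for $Department; filtered to $UserGroup"
    }

    # Security filtering: only members of the department group get the policy applied.
    Set-GPPermission -Name $name -TargetName $UserGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Remove the default Apply right from Authenticated Users but keep Read.
    # Caveat: since MS16-072 (2016) user GPOs are retrieved in the computer's
    # security context, so stripping Read from Authenticated Users entirely
    # silently stops the GPO from applying.
    Set-GPPermission -Name $name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Delegate editing of this one GPO to the department's admin group.
    Set-GPPermission -Name $name -TargetName $AdminGroup -TargetType Group `
        -PermissionLevel GpoEdit | Out-Null

    # Link it to the single users OU; the filter, not OU placement, decides who gets it.
    $existing = (Get-GPInheritance -Target $UsersOU).GpoLinks |
        Where-Object { $_.DisplayName -eq $name }
    if (-not $existing) {
        New-GPLink -Name $name -Target $UsersOU -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

function Test-DepartmentGpoFiltering {
    # Check that the filter really narrowed Apply to the department group.
    param([Parameter(Mandatory)][string]$Department, [Parameter(Mandatory)][string]$UserGroup)
    $name  = "Dept-$Department-Users"
    $perms = Get-GPPermission -Name $name -All
    $authApply = $perms | Where-Object { $_.Trustee.Name -like '*Authenticated Users' -and $_.Permission -eq 'GpoApply' }
    $deptApply = $perms | Where-Object { $_.Trustee.Name -eq $UserGroup -and $_.Permission -eq 'GpoApply' }
    [pscustomobject]@{
        Gpo                     = $name
        AuthenticatedUsersApply = [bool]$authApply   # should be False after filtering
        DepartmentApply         = [bool]$deptApply   # should be True
    }
}

function Get-DepartmentUsers {
    # Scoped LDAP search for departmental admins: users in the single OU that
    # belong to the department group, following nested membership.
    param([Parameter(Mandatory)][string]$UserGroup)
    $groupDn = (Get-ADGroup -Identity $UserGroup).DistinguishedName
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive memberOf),
    # so roles that Grouper models as subgroups are still matched.
    Get-ADUser -SearchBase $UsersOU `
        -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)" `
        -Properties department, title
}

# Usage (hypothetical names):
New-DepartmentUserGpo -Department 'HR' -UserGroup 'GRP-HR-Users' -AdminGroup 'GRP-HR-Admins'
Test-DepartmentGpoFiltering -Department 'HR' -UserGroup 'GRP-HR-Users'
Get-DepartmentUsers -UserGroup 'GRP-HR-Users' | Select-Object SamAccountName, Name, department, title
```

Because every departmental GPO is linked to the same OU, a user who holds several roles and sits in several department groups receives all of those GPOs; conflicting settings are resolved by link order on the OU (`Set-GPLink -Order`), which is worth deciding explicitly rather than leaving to creation order. The `GpoEdit` delegation gives a department's admins rights on their own GPO only; it does not let them change the link or the security filter.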



