Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Active Directory Organizational Unit Design

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Active Directory Organizational Unit Design

Chronological Thread 
  • From: Tom Zeller <>
  • To: "Ward, Mike" <>
  • Cc:
  • Subject: Re: [grouper-users] Active Directory Organizational Unit Design
  • Date: Tue, 27 Apr 2010 09:29:08 -0500
  • Domainkey-signature: a=rsa-sha1; c=nofws;; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type :content-transfer-encoding; b=mnTbiJMphJQbbnmnM8pKieFrkbyTPeIQFx/Kxy/CWDE78bIPVuH9vG7ITisOBYiG22 XYWZjpTUksGE5QhsVoUXba/SVtgzGCF7H6UARe+1x9ILDkCksew0ux1SeryyPSUIm0+H aOH0cBIc5lQG2IQXxbBRRuZePLmxQRcqRtCgU=

I'll have more detailed responses later regarding how Memphis uses
Grouper and AD/Exchange. For now, the windows-hied list is another
good resource for AD :


On Tue, Apr 27, 2010 at 3:34 AM, Ward, Mike
> Hello everyone,
> Feel free to let me know if these questions are off topic for this list.  I
> tried searching the site but could not find
> specific answer regarding these questions.
> We are in the process of designing an Enterprise Active Directory (EAD) for
> the entire university in a decentralized environment.  Grouper will be used
> for the logic that controls and connects to our central user account
> database and Microsoft Forefront Identity Manager 2010 (previously ILM)
> synchronizes the accounts (and possibly groups) into EAD.  If we can, we
> would like to keep our AD design as close as possible to the grouper
> design.  My question is around Microsoft Organizational Unit (OU) design.
> Most of the OU design is agreed upon other than the location of user
> accounts.  Currently we are debating putting all user, including students,
> into a single OU and scheduling scripts that apply permissions on user
> accounts verses putting the users into a departmental OU.  The issue is that
> users often move around the university and/or may have several roles (e.g. a
> user might be a student but also teach and work for administration, or a VP
> may also be a professor and do research, etc.).  So what do we do with user
> account in an OU that need to be managed by multiple departmental admin
> groups?
> Other questions that have come out of this discussion are:
> 1)      What are other universities doing regarding AD design using grouper?
> 2)      GPO’s – We would likely need to use group policy security filtering
> to apply the user GPO.  We would create a GPO for each department, give
> access to departmental administrators to modify the GPO for only their
> departments, then filter the GPO to only run for a specific group.
> Questions about performance where raised.  Maybe this should be done through
> a third-party utility?
> 3)      Remote administrators user accounts access - It would simplify
> administration for departmental administrator to have accounts and groups in
> a departmental OU, instead searching through all names.   A possible
> workaround of having user in one OU are creating custom LDAP searches for
> departmental administrators.  Other solutions or thoughts on managing a
> large amount of user in one container vs. departmental OU’s?
> 4)      Do we want to apply permissions on the object level or the container
> level?  What is MS best practices to control by OU vs. scripting?
> 5)      Is it a security breach for all departmental admins to see all user
> account information?  I believe that all authenticated users have read
> access anyway.
> I would really like to talk to any university that is doing a similar setup
> with grouper, particularly in regards to how active directory was setup.
> Thank you for any information you have regarding this.
> Mike

Archive powered by MHonArc 2.6.16.

Top of Page