
Re: [grouper-users] Active Directory Organizational Unit Design

  • From: Tom Barton <>
  • To: "Ward, Mike" <>
  • Cc:
  • Subject: Re: [grouper-users] Active Directory Organizational Unit Design
  • Date: Thu, 29 Apr 2010 05:43:06 -0500


Earlier this week Rob Carter & Shilen Patel from Duke gave a presentation at the Internet2 meeting about how Duke is using Grouper to manage the permissions that people have over person objects and OU containers, which covers some of what you're asking about.


Tom Zeller wrote:
I'll have more detailed responses later regarding how Memphis uses
Grouper and AD/Exchange. For now, the windows-hied list is another
good resource for AD:


On Tue, Apr 27, 2010 at 3:34 AM, Ward, Mike wrote:
Hello everyone,

Feel free to let me know if these questions are off topic for this list. I
tried searching the site but could not find a
specific answer regarding these questions.

We are in the process of designing an Enterprise Active Directory (EAD) for
the entire university in a decentralized environment. Grouper will be used
for the logic that controls and connects to our central user account
database and Microsoft Forefront Identity Manager 2010 (previously ILM)
synchronizes the accounts (and possibly groups) into EAD. If we can, we
would like to keep our AD design as close as possible to the grouper
design. My question is around Microsoft Organizational Unit (OU) design.

Most of the OU design is agreed upon other than the location of user
accounts. Currently we are debating putting all users, including students,
into a single OU and scheduling scripts that apply permissions on user
accounts versus putting the users into a departmental OU. The issue is that
users often move around the university and/or may have several roles (e.g. a
user might be a student but also teach and work for administration, or a VP
may also be a professor and do research, etc.). So what do we do with user
accounts in an OU that need to be managed by multiple departmental admins?

Other questions that have come out of this discussion are:

1) What are other universities doing regarding AD design using grouper?

2) GPOs – We would likely need to use group policy security filtering
to apply the user GPO. We would create a GPO for each department, give
access to departmental administrators to modify the GPO for only their
departments, then filter the GPO to only run for a specific group.
Questions about performance were raised. Maybe this should be done through
a third-party utility?

3) Remote administrators' user account access - It would simplify
administration for departmental administrators to have accounts and groups in
a departmental OU, instead of searching through all names. A possible
workaround for having users in one OU is creating custom LDAP searches for
departmental administrators. Other solutions or thoughts on managing a
large number of users in one container vs. departmental OUs?

4) Do we want to apply permissions on the object level or the container
level? What are MS best practices to control by OU vs. scripting?

5) Is it a security breach for all departmental admins to see all user
account information? I believe that all authenticated users have read
access anyway.

I would really like to talk to any university that is doing a similar setup
with Grouper, particularly in regards to how Active Directory was set up.

Thank you for any information you have regarding this.
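As an added example for questions 2, 4 and 5 above (this is editor-supplied illustration, not code from the thread, from Grouper or from any of the universities mentioned), the following PowerShell shows the three mechanisms the question contrasts: a per-department GPO whose scope is set by security filtering rather than by link location, container-level delegation (only usable with departmental OUs) beside the scripted per-object delegation a single shared OU forces, and a check of what Authenticated Users can read on the container. The domain `example.edu`, the `OU=People` container, the department name and the `Dept-Chemistry-*` group names are assumptions; the schema GUID for the `user` class and the "Reset Password" control access right are the documented Active Directory values.

```powershell
# Added example (not from the thread). Assumed names: domain example.edu, OU=People,
# department "Chemistry", groups Dept-Chemistry-Users (members the department owns),
# Dept-Chemistry-GPOAdmins (may edit the department GPO) and Dept-Chemistry-Admins
# (may reset passwords of department users). Needs RSAT (GroupPolicy + ActiveDirectory
# modules) and a principal allowed to write GPO and object security descriptors.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$peopleOU = 'OU=People,DC=example,DC=edu'
$dept     = 'Chemistry'
$gpoName  = "Dept-$dept-UserSettings"

# --- Question 2: one GPO per department, scoped by security filtering ----------------
function Set-DepartmentGpoFilter {
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment "User settings for $dept, filtered by group" }
    # Link to the shared OU once; the security filter, not the link, decides who applies it.
    New-GPLink -Name $gpoName -Target $peopleOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    # Default ACE is Authenticated Users = Read + Apply. Reduce it to Read only (do not
    # remove it: since MS16-072 the computer account must still be able to read user GPOs),
    # then give Apply to the department's members and Edit to its delegated GPO admins.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users'   -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName "Dept-$dept-Users"     -TargetType Group -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Name $gpoName -TargetName "Dept-$dept-GPOAdmins" -TargetType Group -PermissionLevel GpoEdit  | Out-Null
}

# --- Question 4: container-level vs object-level delegation ------------------------
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$resetPwdGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$deptAdminSid  = (Get-ADGroup "Dept-$dept-Admins").SID
$allow         = [System.Security.AccessControl.AccessControlType]::Allow
$extended      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# (a) Departmental-OU design: a single inheritable ACE on the container. It reaches every
#     user object beneath it, so it is only a departmental grant if the OU is departmental.
function Grant-ResetPasswordOnContainer([string]$ouDN) {
    $acl  = Get-Acl -Path "AD:\$ouDN"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $deptAdminSid, $extended, $allow, $resetPwdGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl
}

# (b) Single shared OU: there is no container to scope on, so a scheduled job stamps a
#     non-inherited ACE on each user the department currently owns (membership is the
#     hook for a Grouper-provisioned group) and removes it from users who have left.
function Sync-ResetPasswordPerObject([string]$membershipGroup) {
    $owned = Get-ADGroupMember -Identity $membershipGroup -Recursive |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty DistinguishedName
    foreach ($dn in $owned) {
        $acl  = Get-Acl -Path "AD:\$dn"
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $deptAdminSid, $extended, $allow, $resetPwdGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
        $acl.AddAccessRule($rule)
        Set-Acl -Path "AD:\$dn" -AclObject $acl
    }
    # Revocation pass: every user in the shared OU that still carries the explicit ACE
    # but is no longer a member. This is the cost of object-level delegation at scale.
    Get-ADUser -SearchBase $peopleOU -Filter * |
        Where-Object { $owned -notcontains $_.DistinguishedName } |
        ForEach-Object {
            $u   = $_
            $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
            $stale = $acl.Access | Where-Object {
                -not $_.IsInherited -and $_.ObjectType -eq $resetPwdGuid -and
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $deptAdminSid
            }
            if ($stale) {
                $stale | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
                Set-Acl -Path "AD:\$($u.DistinguishedName)" -AclObject $acl
            }
        }
}

# --- Question 5: who can read the container's user objects by default -------------
function Get-BroadReadersOfOU([string]$ouDN) {
    (Get-Acl -Path "AD:\$ouDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|GenericAll' -and
            $_.IdentityReference -match 'Authenticated Users|Pre-Windows 2000|Everyone'
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
}

# Usage (pick (a) or (b) according to the OU design chosen):
# Set-DepartmentGpoFilter
# Grant-ResetPasswordOnContainer "OU=$dept,$peopleOU"      # departmental OU
# Sync-ResetPasswordPerObject "Dept-$dept-Users"           # single shared OU
# Get-BroadReadersOfOU $peopleOU | Format-Table -AutoSize
```

Two caveats a practitioner will want. First, the per-object variant does a `Get-Acl`/`Set-Acl` round trip per user, which is why the thread's "scripted permissions in one OU" option has a real performance cost as the OU grows; the container variant is a single write. Second, the reader check typically shows `Pre-Windows 2000 Compatible Access` or `Authenticated Users` with `ReadProperty`/`GenericRead` inherited from the domain head, which is the default read access the last question refers to; tightening it is a separate hardening decision with compatibility consequences, not something the delegation above changes.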

