AD: I want to put my user in 2 Organization Units..how to?

[davidchardonnet]

Hello,

I am setting up the Active directory of my company, and I made a cool hierarchy of all departments of my company, creating one "Organisation Unit" for each department.
But some users must appear in 2 or more departments. AD does not allow that..

What can I do? What do you do in that case? What is the best thing to do here?

Thank You

David

 

[penauroth]

Create a group in the designated OU and add the user from the other OU.

Paul

 

[tsuji]

Hello all,

I think we may have problem to let a user belonging to two distinct ou?! I may be wrong, after all.

regards - tsuji

 

[penauroth]

Let's say you have to groups: Managers and Finance.

You want to push down software such as an accounting application for Finance and a reporting tool for the Managers. You don't want both applications to be published to both departments so you create an OU for Finance and one for Managers and assign applications to their respective departments. However, you have a manager that is also in the Finance dept and needs both applications. This is an instance when you would want one user in two OUs for administrative purposes.

Paul

 

[davidchardonnet]

My point is that I want to apply GPO on a OU and when I put some user in a Global group, the GPO is not applied to the user.

The GPO seems to be applied only to the users who are in the OU and not to those who are in a global group which is in the same OU.

David

 

[tsuji]

penauroth,

Should we not make a parent ou with finance and accounting each being a child ou? Those users with management/professional responsiblities in both being users under the parent whereas the rest belong to their individual child ou?

- tsuji

 

[penauroth]

Right, I stand corrected. Thanks tsuji.



Paul

 

[tsuji]

penauroth,

On this topic, I am slow, not experienced enough to face up with all ever-changing requirements & object/business models. I think your opinion must have some good elements there whereas I am not sure to tell the whole truth neither.

Thank you for this exchange.

- tsuji

 

[tommyh1]

The way I have implemented the software delivery aspect of Active Directory and group policy, is to create OUs for each department, and security groups for the software delivery.

So I have

OU=FINANCE
OU=MARKETING

and
Group=SoftwareDeliveryFinance
Group=SoftwareDeliveryMarketing

All users in the finance OU are in the finance sec group and likewise for Marketing. But there exists the possibility to have a user in both security groups.

Then I create a software delivery group policy that Delivers all the software and apply it to both OUs, or to the parent of those OUs.

Within this policy I select each software delivery item, and only give the relevent security group permission to read it.

This setup simplifies the software delivery very well. you end up with a whole load of security groups like so;

SoftwareDeliveryOffice2003Standard
SoftwareDeliveryVisio2003Standard
SoftwareDeliveryAdobeAcrobat

etc...

and you can assign software to machines by simply adding the computer account to the relvant security group.