General discussion

Locked

OUs or default containers?

By casta ·
Hi all,

I just started to play around with the ADMT tool. I am going to consolidate two NT domains into one 2000 domain. As far as I know, OUs are great for two things:
- Delegate control
- GPOs

I have a mixed network environment of 98,2000,NT and XP desktops. 90% of them desktops are running 98 or NT.

You can only apply GPOs to W2K and XP desktops, right?. If so, then I don't have much use for GPOs or delegation of control at this point and time, am I correct?

Should I then place the users accounts from the source domains into the builtin Users container on the Windows 2000 domain? or
Should I go ahead and create OUs before the migration and place these users in the OUs instead?

For example, create an OU called Accounting and place the users from the accounting source domain in this OU?

About computer accounts, should I use the builtin container or create OUs that represent the structure of my company. For example create an OU called Accounting and another OU for the corporate computers accounts?

I think I heard or saw somewhere that you should not use the default containers.

I am also running the ADMT tool version from the Windows 2003 media in a Windows 2000 server (Native Mode). is this version compatible with 2000?

Any other suggestions are welcome.

Thanks for your time.
JC

This conversation is currently closed to new comments.

6 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

OUs or default containers?

by timwalsh In reply to OUs or default containers ...

It looks like you have a pretty good understanding of OUs.

To confirm:
Yes, GPOs can only be applied against OSes that understand Active Directory (Win2K and later).

As to whether or not to create OUs now or later, in my mind, it greatly depends on your plans for migrating clients to Win2K/XP.

If such plans don't exist, or you do plan this migration, but not for some time, there may not be any overwhelming reason for creating OUs at this point.

On the other hand, placing a pre-Win2K user or computer into an OU (instead of using default containers) will have no impact on those users or computers. If you do plan a migration in the future, you can set up your organization now and be done with it.

I have not seen anything inwriting giving any rationale for not using default containers.

Note: You can place both user and computer accounts in an OU.

The beauty of AD is that you can move users/computers among containers at will (as long as the container is a type that accepts a given type of account).

A couple of things to take into consideration if you choose to use OUs:
The sequence by which GPOs are applied - Local Computer, Site, Domain, OU; GPOs applied at higher levels will overwrite GPOs applied at lower levels.
Account Policies (affecting passwords and account lockout), although they can be set and apparently applied at any level, in truth are only applied at the local computer and the Domain level with the Domain policy taking precedence.

I haven't seen anything to suggest that the WinServer 2003 version of ADMT isn't compatible with Win2K.

Collapse -

OUs or default containers?

by casta In reply to OUs or default containers ...

Tim,
Your answer was just what I need it!
Thanks

Collapse -

OUs or default containers?

by casta In reply to OUs or default containers ...

One more question!
IF I start migrating user accounts from the resource domain, using the ADMT what is the right order?
Global groups first, then users?
If most of this users are already in global groups, do I really need to go back and then migrate the individual user accounts?
There is an option in the Group Options dialog box in ADMT that reads "Copy group members" should I used that instead and get it done with?

Thanks again.
JC

Collapse -

OUs or default containers?

by casta In reply to OUs or default containers ...

Tim,

IF I start migrating user accounts from the resource domain, using the ADMT what is the right order?
Global groups first, then users?
If most of this users are already in global groups, do I really need to go back and then migrate the individual user accounts?
There is an option in the Group Options dialog box in ADMT that reads "Copy group members" should I check that box instead and get it done with?

Thanks again.
JC

Collapse -

OUs or default containers?

by casta In reply to OUs or default containers ...

OOppps..once too many!

Collapse -

OUs or default containers?

by casta In reply to OUs or default containers ...

This question was closed by the author

Back to Windows Forum
6 total posts (Page 1 of 1)  

Related Discussions

Related Forums