General discussion


18,000 objects in one container

By Hockeyist ·
During a NT4 to Win2000 upgrade last year, we came in to see that there were 18,000 objects in one container (every user and resource in the world wide network were in one OU. The core IT team in the U.S. said that this was temporary and would be "fixed later".
It's been over a year and nothing has changed with regards to sorting users into local OU's. We were told that we are to continue to create new users in the common OU and not to place them in our local OU's.
Does anyone know of a possible scenario where this may have been the result of a major problem?
Could our "golden haired boys" in the core IT team have screwed up somehow resulting in the need for this result?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

If I remember correctly

by jdmercha In reply to 18,000 objects in one con ...

I believe that with NT4 your only choice was a single flat OU. With W2K you need to use Active Directory to configure multiple OUs.

My guess would be:
1. They don't have the time to move people to seperate OUs.
2. They have other higher priorites.
3. They don't know how to impliment AD.

Collapse -

Number 3 is my final answer

by BFilmFan In reply to If I remember correctly

I've heard and seen some widely insane implementations, but I agree with you. Whomever designed AD with 18,000 objects in a single OU doesn't know what they are doing.

Collapse -

That Wacky AD Implementation of Mine

by BFilmFan In reply to 18,000 objects in one con ...

I can't think of a single good reason to implement 18,000 objects into a single OU.

If you did that design, then:

Implementing GPO policies would require filtering by security groups increasing complexity of GPO application numerous times.

As the number of GPO's on a single container increased, the processing time would increase as every system would have to read the policy and decide if it were to be applied.

It would also be difficult to apply administrative templates via GPO, for the same reasons stated above.

In addition, all service accounts and security groups would be visible. This alone is a really bad idea as someone that is skilled in reading SIDHistory could have a field day if they decide to spoof a SID.

I'd need to know some more information about why the decision was made to have a single OU and violate common sense and industry best practices. Perhaps a gift book of some Microsoft classes could help these "Ad Design Gurus" you are dealing with?

Man totally best of luck dealing with that one...

Related Discussions

Related Forums