Assignment: Structuring and Monitoring of Organizational Units
Active Directory was created for your company, DCH Corporation, when the organization was very small. One organizational unit (OU) was created for users and one for computers. Now, the organization spans four geographic sites around the world, with over 2,000 employees. At each site, one or two members of desktop support personnel provide help to users with desktop applications and are responsible for installing systems and joining them to the domain. In addition, a small team at headquarters occasionally installs systems, joins them to the domain, and ships them to the site. If a user has forgotten their password, a centralized help desk telephone number is directed to one of the support personnel members on call, regardless of which site the user is located.
Answer the following questions for your manager, who is concerned about manageability and least privilege (or principle of minimal privilege), and explain how delegation would be managed:
1. Should computer objects remain in a single OU, or should the objects be divided by site? If divided, should the site OUs be under a single parent OU? Why?
2. Should the ability to manage computer objects in sites be delegated directly to the user accounts of the desktop support personnel, or should groups be created, even though those groups might have only one or two members? How would this be accomplished?
3. Should users be divided by site or remain within a single OU? Detail why you are making this recommendation.
4. What other recommendations could be implemented for these OUs?
5. What security aspects must be considered when implementing this OU strategy?