Lesson 1: Active Directory and Group Policy
An Active Directory is a hierarchy of domains, which represent major business divisions of thousands of users and computers, and of organizational units (OUs), which model the internal structure of a business unit or of a small to medium-sized organization. Active Directory also contains a parallel structure of sites, which models the physical locations of an organization and the data connections between them, so that Windows can automatically optimize communication between sites.
Group Policy is a package of settings files, scripts, and installation files that together create a specific computer configuration for a class of users or computers. Using Group Policy, administrators can create, manage, and deploy many different computer configurations to create a consistent work environment for various classes of workers across any number of client computers in an organization.
Group Policy is used to manage administrative and security settings for groups of users and computers based on their memberships in organizational units such as departments, corporate divisions, or security domains, or their locations at specific sites, campuses, or facilities. Additionally, Group Policy is used to configure special requirements for specific computers such as those used as public kiosks.
Group Policy settings are stored in Group Policy Objects (GPOs). These GPOs must be linked to Active Directory containers (domains, organizational units, and sites) to take effect, so it's important to understand the components of Active Directory that relate to Group Policy. This lesson discusses the link between Active Directory and Group Policy, and it walks you through the steps necessary to create a sample Active Directory structure that you can use for the remainder of the exercises in this chapter.
Create an Active Directory structure that mirrors your organization's structure
Efficiently map an organization's structure to an Active Directory hierarchy
Understanding Active Directory Structures
A business's organizational structure creates a natural environment for the deployment of software and the configuration of computers. For example, users within an Accounting OU are likely to require access to the same accounting and financial software applications, while members of an Engineering OU might require access to an entirely different set of applications, such as Computer Aided Design (CAD) and Computer Aided Modeling (CAM) applications. Each group is also highly likely to require access to different network storage areas. You can use Group Policy to configure and deploy software and control access to network storage for these various users when you have an Active Directory hierarchy that mimics your organizational structure.
Active Directory structures are normally created to mirror an organization's business structure. Departments, divisions, teams, and workgroups are usually modeled as organizational units (OUs), but very large companies might model divisions as domains rather than OUs. Windows 2000 domains can efficiently contain hundreds of thousands of objects, so a single domain can be appropriate for businesses with fewer than 100,000 users. However, domains can also be used to enforce security boundaries between departments in organizations where security is of paramount concern, so the number of domains in organizations can vary widely.
Figure 1-1 shows an example Active Directory structure that models a fictitious business.
Figure 1-1. An Active Directory structure that models the organization of the business
Active Directory containers are a special type of Active Directory object that can contain other Active Directory objects such as users, computers, and other subordinate Active Directory containers. Domains, OUs, and sites are all Active Directory containers.
Whether divisions are modeled as domains or OUs, the application of Group Policy remains the same. By linking a GPO to an Active Directory container, you can apply its Group Policy settings to all the Active Directory objects within the container. For example, by linking a GPO to a domain, you can apply the configuration and settings enacted by that GPO to all the users and computers within that domain.
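The following script is an added example, not part of the lesson or the Windows 2000 console it describes: it links a GPO to the Departments OU and then shows, from a container several levels below it, that the link is inherited by every subordinate object. It assumes the GroupPolicy PowerShell module (GPMC/RSAT on Windows Server 2008 R2 or later), the domain.fabrikam.com naming from this lesson, and a constructed GPO name of "Fabrikam Baseline".

```powershell
# Added example (not from the lesson): link a GPO to a container and confirm
# that subordinate OUs inherit it. Requires the GroupPolicy module (GPMC/RSAT),
# which is not available on Windows 2000. DNs follow domain.fabrikam.com.
Import-Module GroupPolicy

$DepartmentsOU = 'OU=Departments,DC=domain,DC=fabrikam,DC=com'
$GpoName       = 'Fabrikam Baseline'   # constructed GPO name for this example

# Create the GPO only if it does not already exist, then link it to the OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
# New-GPLink fails if the link already exists; ignore that so re-runs are safe.
New-GPLink -Name $GpoName -Target $DepartmentsOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# A container three levels down reports the same GPO among its inherited links,
# which is what "applies to all objects within the container" means in practice.
$Child = "OU=Accounts Payable,OU=Accounting,OU=Finance,$DepartmentsOU"
(Get-GPInheritance -Target $Child).InheritedGpoLinks |
    Select-Object DisplayName, Target, Enabled, Enforced
```

Running Get-GPInheritance against a few representative OUs is a quick way to audit which policies actually reach a set of users or computers before deploying a new GPO, since a link placed high in the tree reaches everything beneath it unless inheritance is blocked lower down.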
For more detailed information about creating an Active Directory infrastructure for your organization, see the Microsoft Windows 2000 Server Deployment Planning Guide (Microsoft Press, 2002).
Practice: Designing an Active Directory Hierarchy
In this practice, you model the organizational structure for Fabrikam, Inc., a medium-sized manufacturing business, by creating an Active Directory hierarchy. This business has multiple departments and different types of users within each department.
Before performing this practice, you should install Windows 2000 Server on a computer and then install Active Directory for a domain called "domain.fabrikam.com." This installation will be used throughout this book to perform exercises.
After you complete this practice, you will have a basic understanding of how an organization's structure can be efficiently mapped to an Active Directory hierarchy, which sets the stage for the deployment of Group Policy.
To create an OU
Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users And Computers.
In the console tree of Active Directory Users And Computers, expand domain.fabrikam.com.
The OUs that are subordinate to the domain appear in a list. Initially, these include only default, generic OUs.
Right-click domain.fabrikam.com, point to New, and click Organizational Unit.
In the Name box, type Departments and press Enter.
An OU named Departments appears in the Active Directory tree under the domain.fabrikam.com domain. At this point, your console should look like Figure 1-2.
Figure 1-2. The Departments OU created under domain.fabrikam.com
To create a subordinate OU
Right-click the Departments OU, point to New, and click Organizational Unit.
In the Name box, type Design, and press Enter.
A subordinate OU is added under the Departments OU.
To create an Active Directory hierarchy
Using the steps you followed to create a subordinate OU, create five OUs under the Departments OU. Name them Engineering, Finance, Human Resources, Marketing, and Information Technology.
For the Engineering OU, create the following subordinate OUs: Engineering Team Leaders, Engineers, Interns, and Consultants.
For the Finance OU, create a subordinate OU named Accounting.
For the Accounting OU, create another layer of two subordinate OUs: Accounts Payable and Accounts Receivable.
For the Marketing OU, create a subordinate OU named Sales. Under Sales, create the following subordinate OUs: Sales Managers, Outside Sales, and Inside Sales.
For the Information Technology OU, create the following subordinate OUs: Network Administration, Support Technicians, Help Desk, and Consultants.
Create OUs under the Design OU named Design Leaders, Designers, Interns, and Consultants.
You now have a domain structure that looks like Figure 1-1. The domain.fabrikam.com domain now contains OUs that model the organization of the business.
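As an added example that is not part of the lesson, the script below builds the same Fabrikam OU hierarchy that the practice creates by hand, using the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later) rather than the Windows 2000 console. It assumes the domain.fabrikam.com name from this lesson, a domain-joined machine, and an account allowed to create OUs in the domain; the function name New-OUTree is my own.

```powershell
# Added example (not from the lesson): create the practice's OU hierarchy with
# the ActiveDirectory module instead of clicking through the console.
# Assumes domain.fabrikam.com and sufficient rights to create OUs.
Import-Module ActiveDirectory

$DomainDN = 'DC=domain,DC=fabrikam,DC=com'   # domain.fabrikam.com from the lesson

# The hierarchy from the practice: each key is an OU name, each value its children.
$Hierarchy = @{
    'Departments' = @{
        'Design' = @{
            'Design Leaders' = @{}; 'Designers' = @{}; 'Interns' = @{}; 'Consultants' = @{}
        }
        'Engineering' = @{
            'Engineering Team Leaders' = @{}; 'Engineers' = @{}; 'Interns' = @{}; 'Consultants' = @{}
        }
        'Finance' = @{
            'Accounting' = @{ 'Accounts Payable' = @{}; 'Accounts Receivable' = @{} }
        }
        'Human Resources' = @{}
        'Marketing' = @{
            'Sales' = @{ 'Sales Managers' = @{}; 'Outside Sales' = @{}; 'Inside Sales' = @{} }
        }
        'Information Technology' = @{
            'Network Administration' = @{}; 'Support Technicians' = @{}; 'Help Desk' = @{}; 'Consultants' = @{}
        }
    }
}

function New-OUTree {
    # Recursively creates each OU in $Tree under $ParentDN, skipping OUs that
    # already exist so the script can be re-run without errors.
    param(
        [Parameter(Mandatory)] [hashtable] $Tree,
        [Parameter(Mandatory)] [string]    $ParentDN
    )
    foreach ($Name in $Tree.Keys) {
        $DN = "OU=$Name,$ParentDN"
        $Existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDN `
                        -SearchScope OneLevel -ErrorAction SilentlyContinue
        if (-not $Existing) {
            # Protection from accidental deletion guards the container a GPO is linked to.
            New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
            Write-Host "Created $DN"
        } else {
            Write-Host "Exists  $DN"
        }
        New-OUTree -Tree $Tree[$Name] -ParentDN $DN
    }
}

New-OUTree -Tree $Hierarchy -ParentDN $DomainDN

# Verify the result: list every OU beneath Departments, which should match Figure 1-1.
Get-ADOrganizationalUnit -SearchBase "OU=Departments,$DomainDN" -Filter * |
    Sort-Object DistinguishedName | Select-Object -ExpandProperty DistinguishedName
```

Keeping the hierarchy in a data structure like this makes it easy to compare the directory against the intended design later, which matters because GPO scope is decided entirely by where a user or computer object sits in this tree.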
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
To what must you link GPOs for them to take effect?
What are the types of Active Directory containers?
What does an Active Directory hierarchy usually model?
What are the two reasons for a business to use more than one domain?
Lesson Summary
Active Directory containers normally model the organizational structure of a business.
GPOs must be linked to Active Directory containers to take effect.
You can use Group Policy to configure and deploy software and control access to network storage for various users.