Figure 5.6: OU design for administrative purposes
The objects that were initially identified as needing to be hidden from users need to be placed within an OU that will not allow users to view its contents. For a user to be able to "see" the objects within an OU, at the very least they will need the List Contents permission granted to them. If they do not have this permission, the objects contained within the OU will not show up in their searches. Since this permission is included in the standard Read permission, accounts with Read permission will be able to list the contents of the OU.
Because users need to view objects within the Accounts Payable OU, the permissions to that OU cannot be changed. Instead, a child OU is created to control visibility of the objects. The users within the Accounts Payable department who need to work with the objects will be able to see them when they access Active Directory tools or perform searches, but no one else will. It should be noted that the AP Admins still need to be able to maintain the objects within the OU, so their permissions will either need to be re-added to the access control list, or the existing permissions will need to be copied directly to the OU with the unnecessary accounts and permissions then removed. The final OU design for Accounting will look like Figure 5.7.
Figure 5.7: OU design with OU created to control visibility (permission labels shown in the figure: Accounting Admins Full Control; AP Admins Full Control, Authenticated Users Read; AP Admins Full Control, AP Users Read; AR Admins Full Control, Authenticated Users Read)
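One way to build the restricted child OU described above, using the "re-add the permissions" option, then check who can still list its contents. This is an added example, not part of the original text; the domain (example.com), the OU path, the child OU name "AP Hidden", and the group names "AP Admins" and "AP Users" are assumptions.

```powershell
# Added example. Assumed names: example.com, the OU path, "AP Hidden",
# and the "AP Admins" / "AP Users" groups.
Import-Module ActiveDirectory

$parentOu  = 'OU=Accounts Payable,OU=Accounting,DC=example,DC=com'
$childName = 'AP Hidden'
$childDn   = "OU=$childName,$parentOu"

New-ADOrganizationalUnit -Name $childName -Path $parentOu

$acl = Get-Acl -Path "AD:\$childDn"

# Stop inheriting from the Accounts Payable OU and discard the inherited
# entries (second argument $false = do not copy them as explicit entries).
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit Authenticated Users entries (well-known SID S-1-5-11),
# since Read carries List Contents.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$acl.PurgeAccessRules($authUsers)

# Re-add the permissions the design calls for, applied to the OU and
# everything below it.
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$all    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$grants = @{
    'AP Admins' = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    'AP Users'  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
}
foreach ($group in $grants.Keys) {
    $sid  = (Get-ADGroup -Identity $group).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $grants[$group], $allow, $all)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$childDn" -AclObject $acl

# Check: every principal that still holds List Contents (ListChildren) here.
$list = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
(Get-Acl -Path "AD:\$childDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $list) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Any principal in the final listing other than the two groups and the built-in administrative accounts can still enumerate the OU and should be reviewed.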
As we have mentioned, the primary reason to create an OU structure is to have the ability to control administrative abilities and make administration of resources more efficient. Because there is only one way to delegate administration of resources and there are many options to control group policies, as you will see in Chapter 6, the administrative design should take precedence.