[Figure 5.6: OU design for administrative purposes. OUs shown: Corporate, Accounting, Accounts Payable, Accounts Receivable. Permission labels shown: AP Admins Full Control, Authenticated Users Read; AR Admins Full Control, Authenticated Users Read.]

The objects that were initially identified as needing to be hidden from users need to be placed within an OU that will not allow users to view its contents. For a user to be able to "see" the objects within an OU, at the very least they will need the List Contents permission granted to them. If they do not have this permission, the objects contained within the OU will not show up in their searches. Since this permission is included in the standard Read permission, accounts with Read permission will be able to list the contents of the OU.

Because users need to view objects within the Accounts Payable OU, the permissions to that OU cannot be changed. Instead, a child OU is created to control visibility of the objects. The users within the Accounts Payable department who need to work with the objects will be able to see them when they access Active Directory tools or perform searches, but no one else will. It should be noted that the AP Admins still need to be able to maintain the objects within the OU, so their permissions will either need to be re-added to the access control list, or the existing permissions will need to be copied directly to the OU with the unnecessary accounts and permissions then removed. The final OU design for Accounting will look like Figure 5.7.

[Figure 5.7: OU design with OU created to control visibility. OUs shown: Corporate, Accounting, Accounts Payable, AP Resources, Accounts Receivable. Permission labels shown: Accounting Admins Full Control; AP Admins Full Control, Authenticated Users Read; AP Admins Full Control, AP Users Read; AR Admins Full Control, Authenticated Users Read.]
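The child-OU approach described above can be scripted. The following PowerShell is an added example, not part of the original text: it takes the "re-add the permissions" path, blocking inheritance on the new OU and granting access only to the two groups that need it. It assumes the ActiveDirectory module is available; the domain DN is a placeholder, and the group names AP Admins and AP Users are taken from the figure labels.

```powershell
# Added example. Assumptions: ActiveDirectory (RSAT) module, a placeholder
# domain DN, and existing groups named 'AP Admins' and 'AP Users'.
Import-Module ActiveDirectory

$parentOu = 'OU=Accounts Payable,OU=Accounting,OU=Corporate,DC=corp,DC=example'  # placeholder DN
$childDn  = "OU=AP Resources,$parentOu"

New-ADOrganizationalUnit -Name 'AP Resources' -Path $parentOu

$acl = Get-Acl -Path "AD:\$childDn"

# Block inheritance and discard inherited ACEs ($false = do not copy them).
# Read (and with it List Contents) granted higher in the tree no longer applies.
$acl.SetAccessRuleProtection($true, $false)

# A new OU also carries explicit default ACEs; remove the ones that give
# Authenticated Users (well-known SID S-1-5-11) Read on the OU itself.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$acl.PurgeAccessRules($authUsers)

# Build an Allow ACE for a group, applied to the OU and everything below it.
function New-OuAce {
    param([string]$Group, [System.DirectoryServices.ActiveDirectoryRights]$Rights)
    $sid = (Get-ADGroup -Identity $Group).SID
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
}

# Blocking inheritance also dropped AP Admins' inherited rights, so re-add them.
$acl.AddAccessRule((New-OuAce -Group 'AP Admins' -Rights GenericAll))
# GenericRead includes ListChildren, which the GUI shows as List Contents.
$acl.AddAccessRule((New-OuAce -Group 'AP Users' -Rights GenericRead))

Set-Acl -Path "AD:\$childDn" -AclObject $acl

# Verification: every principal that can still list the OU's contents.
$list = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
(Get-Acl -Path "AD:\$childDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $list) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

Any principal in the final listing other than the intended groups and the built-in administrative accounts can still see the objects and should be reviewed.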

As we have mentioned, the primary reason to create an OU structure is to have the ability to control administrative abilities and make administration of resources more efficient. Because there is only one way to delegate administration of resources and there are many options to control group policies, as you will see in Chapter 6, the administrative design should take precedence.
