Friday, October 19, 2012

Update on OU and Security Group Structure in AD: Important

As you know, we have always added Active Directory users to security groups in order to give access to resources. Unfortunately, for all these years, we have never taken that same advantage with computers.
Since we are moving in the direction of employing more and more Group Policies (GPOs), I have started to add all computers in the district to security groups.
I did not include a summary in this post, because it is important that you all read these details, as they affect the way you do things on a day-to-day basis.

Currently, the way we scope GPOs is by linking them at the top of the OU we want them to target. Any computer in that OU, or in any OU below it, then inherits that GPO. The same goes for a global GPO linked at the top of the domain (i.e. dc=chino,dc=k12,dc=ca,dc=us or dc=student,dc=chino,dc=k12,dc=ca,dc=us): we cannot pick and choose computers underneath it, and the only way to leave some out is to replace "Authenticated Users" in the GPO's security filtering with every computer we do want, added individually, one by one. That is necessary because the Scope tab's security filtering only lets you add principals; it has no "exclude" option. (A Deny on "Apply Group Policy" set under the Delegation tab's advanced permissions would also exclude a computer, but it is invisible on the Scope tab and is easy to lose track of when troubleshooting.)

For this reason, we now have Computer Security groups, which will help to more accurately scope a GPO. 
As an example, let's say we have this tree:
CHINO.K12.CA.US
 [GPO: LockDown] 
   Schools
      Computers
         Cortez Elementary
             Workstations
                 Classrooms
         Liberty Elementary
             Workstations
                 Classrooms

When [GPO: LockDown] is linked at that level:
The Old Way: its security filtering is "Authenticated Users", so it applies to every computer (and every user) under CHINO.K12.CA.US. If we need to exclude Liberty Classrooms from that lockdown, we have to do one of the following:
  • Remove [GPO: LockDown] from the top of the tree and link it at the level of each OU, on all the sites, except for the Liberty Classrooms OU (this takes a long time to do) OR
  • Block Inheritance on the Classrooms OU in Liberty, and then re-link, one by one, all the GPOs that are no longer inherited because of the Block Inheritance. This may not take a lot of time; however, it makes troubleshooting GPOs a nightmare.
The New Way: the computers of each school are contained in a computer security group, and those groups are what we put in the security filtering of [GPO: LockDown]. Instead of "Authenticated Users", its scope contains:
CMP_308-Classrooms and CMP_321-Classrooms.
To exclude the Liberty classrooms, you simply remove "CMP_321-Classrooms" from the scope and leave everything else as is. One caveat when you take "Authenticated Users" out of the security filtering: leave it (or Domain Computers) with Read permission on the GPO under the Delegation tab, and only remove its Apply. Since the MS16-072 update (June 2016) a computer reads GPOs in its own security context, and a GPO that Authenticated Users cannot read will silently stop applying.

Your Part: 
The new way is the approach Microsoft itself recommends (scoping GPOs by security filtering on groups). The change for you is that whenever a computer is joined to the domain, you will need to make sure it is also a member of the security group that corresponds to its OU. Every single computer in the STUDENT and STUDENT2 domains I have already added to security groups, and cleaned everything up. Computers that were not in any security group you will find in an OU called Miscellaneous and in a security group called CMP_-Miscellaneous; they have no computer description. If you would like to move them to their own OU, you can. However, a new security group for that OU will need to be created and added to the security filtering of the GPO that is linked to that OU. (If you don't know how to do this, please talk to me and I will be happy to assist you with that.)

Hint: It is very easy to find the computer security groups, because they all follow the same naming format. To find the security group that corresponds to Woodcrest Lab B145, you can just type CMP_205 in the object picker and click "Check Names", and you will get all the available security groups for that lab.
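Here is the whole workflow above (find the group by prefix, create an OU's group, add a joined computer to it, scope the GPO by group, and exclude a site) as a PowerShell example. This is an added example, not a script from the original post or from the district's Prestaging tool; it assumes the RSAT ActiveDirectory and GroupPolicy modules and reuses the OU, group and GPO names from the post, while the computer name LIB-C12-PC01 and the exact OU path are hypothetical.

```powershell
# Added example (not from the original post). Assumes RSAT with the
# ActiveDirectory and GroupPolicy modules, run as a domain admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. The "Check Names" hint, done from the shell: list every CMP_205 group.
Get-ADGroup -Filter 'Name -like "CMP_205*"' | Select-Object Name, DistinguishedName

# 2. A new lab OU gets its own security group, following the CMP_<site>-<OU> pattern.
#    OU path is hypothetical; adjust to the real tree.
$ouPath  = "OU=Classrooms,OU=Workstations,OU=Liberty Elementary,OU=Computers,OU=Schools,DC=chino,DC=k12,DC=ca,DC=us"
$grpName = "CMP_321-Classrooms"
if (-not (Get-ADGroup -Filter "Name -eq '$grpName'")) {
    New-ADGroup -Name $grpName -GroupScope Global -GroupCategory Security `
        -Path $ouPath -Description "Computers in $ouPath"
}

# 3. A computer that was just joined and placed in that OU also goes into the group.
$computer = Get-ADComputer -Identity "LIB-C12-PC01"   # hypothetical computer name
Add-ADGroupMember -Identity $grpName -Members $computer

# 4. Scope the GPO by group: the group gets Apply; Authenticated Users keeps Read
#    only (-Replace drops the Apply it had). Keeping Read matters after MS16-072.
$gpo = "LockDown"
Set-GPPermission -Name $gpo -TargetName $grpName -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $gpo -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 5. Excluding a site later is one line: remove its group from the filter.
Set-GPPermission -Name $gpo -TargetName "CMP_321-Classrooms" -TargetType Group -PermissionLevel None

# 6. Checks. Who does the GPO apply to now?
Get-GPPermission -Name $gpo -All |
    Where-Object { $_.Permission -eq "GpoApply" } |
    Select-Object @{ n = "Trustee"; e = { $_.Trustee.Name } }, Permission

# And which computers sit in the OU but are missing from its group (the
# "Miscellaneous" problem): these would silently miss the GPO.
$members = (Get-ADGroupMember -Identity $grpName | Select-Object -ExpandProperty DistinguishedName)
Get-ADComputer -SearchBase $ouPath -Filter * |
    Where-Object { $_.DistinguishedName -notin $members } |
    Select-Object Name, DistinguishedName
```

On a client, `gpresult /r /scope:computer` (after `gpupdate /force` and a reboot for computer settings) confirms whether LockDown lands in "Applied Group Policy Objects" or is listed as filtered out by security. Note that a computer's group membership is only evaluated when it logs on to the domain, so a freshly added member needs a reboot, not just a gpupdate, before step 6 and gpresult agree.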

My Part:
For now, add the security group memberships manually from Active Directory Users and Computers. As soon as I'm done organizing the OUs, I will be adding an option to the Prestaging tool to allow you to add the computer to the appropriate OU and security group as you're pre-staging it.

By early next week, I expect all the OUs in the CVUSD domain to follow the same format as the STUDENT and STUDENT2 domains, and I will then start changing the GPOs to apply based on the security groups.

If this is clear to you, feel free to look at the model I created and create similar OUs and security groups for new labs/classrooms, etc.
If you don't quite understand how it works, please make sure to talk to me so that I can explain.
The most important part: just as computers need to be in their corresponding OUs to get their GPOs, they also need to be in their corresponding security groups.
I realize that this is an extra step, and I'm working on making it easier for all of you by creating tools that consolidate these steps; these will be available shortly.



