
Differences between Domain and OU in A/D

Status
Not open for further replies.

PaulMThomas

IS-IT--Management
Aug 2, 2004
133
GB
We are part of a large multinational company.

Currently we have 2 separate NT4 domains in the UK due to different network infrastructures and geographies. We have trust relationships between these 2 domains and the Head Office Domain in Austria.

Slowly the head office are migrating to A/D.
They have proposed that we have separate OUs for each site/country. We are particularly concerned about the loss of control with A/D as the Head Office IT is outsourced; we don't want to suddenly start inheriting all sorts of strange policies.

Are there any real differences between us having an OU or a Domain within the new A/D design?

Is there any way we can restrict the forest root domain admins from making changes in our OU/Domain?

Are we right to be concerned about having 3rd parties in charge of the A/D ?
 
There is no way to keep someone with Domain Admin rights from making changes within your OU. There has to be a layer of trust between the admins not to be making changes that affect other sites without consulting those sites. If there are conflicting GPO settings between the ones that the Corporate Admin puts in place and your OU's GPO, your OU's GPO will win unless the parent GPO has been marked to override the lower level GPOs.

The big difference between having your own child domain vs having an OU in one big domain is that if you have a child domain the parent domain's domain admin group doesn't have admin rights to your child domain unless you give them rights to your domain.

Denny
MCSA (2003) / MCDBA (SQL 2000)

--Anything is possible. All it takes is a little research. (Me)

[noevil]
(Not quite so old any more.)
 
By making your OU GPOs compulsory GPOs, as long as those from on high are not also compulsory, then your GPOs will not be overwritten.

He's not the messiah, he's a very naughty boy (Monty Python's The Life of Brian)
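The precedence rules the two replies above describe (a lower OU's GPO wins a conflict unless a higher link is marked Enforced, formerly "No Override", and an enforced higher link beats an enforced lower one) can be checked with a small model. This is an added example, not code from the thread; the container names, GPO names and the ScreenSaverTimeout/AuditLogon settings are constructed, and the model only covers link order, Enforced and Block Inheritance, not security filtering or WMI filters.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class GpoLink:
    gpo: str
    settings: Dict[str, object]
    enforced: bool = False

@dataclass
class Container:
    name: str
    links: List[GpoLink] = field(default_factory=list)  # application order: last entry wins
    block_inheritance: bool = False

def resolve_policy(path: List[Container]) -> Dict[str, Tuple[object, str]]:
    """Effective setting -> (value, winning GPO) for an object in path[-1].
    path is ordered top-down: domain first, the object's own OU last."""
    # Block Inheritance on a container drops the non-enforced links of every container above it;
    # the lowest blocking container decides.
    first_allowed = 0
    for i, c in enumerate(path):
        if c.block_inheritance:
            first_allowed = i
    normal = [ln for c in path[first_allowed:] for ln in c.links if not ln.enforced]
    # Enforced links ignore Block Inheritance and are applied after all normal links,
    # walking bottom-up so the enforced link highest in the tree is applied last and wins.
    enforced = [ln for c in reversed(path) for ln in c.links if ln.enforced]
    effective: Dict[str, Tuple[object, str]] = {}
    for ln in normal + enforced:
        for key, value in ln.settings.items():
            effective[key] = (value, ln.gpo)
    return effective

def uk_scenario(hq_enforced: bool, uk_enforced: bool, uk_blocks: bool = False):
    """Constructed case: a head-office domain GPO and a UK OU GPO disagree on one setting."""
    domain = Container("corp.example", [GpoLink("HQ-Baseline",
        {"ScreenSaverTimeout": 600, "AuditLogon": True}, hq_enforced)])
    uk = Container("OU=UK", [GpoLink("UK-Desktop",
        {"ScreenSaverTimeout": 900}, uk_enforced)], uk_blocks)
    return resolve_policy([domain, uk])

if __name__ == "__main__":
    for hq, uk in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"HQ enforced={hq} UK enforced={uk} ->", uk_scenario(hq, uk)["ScreenSaverTimeout"])
    print("UK blocks inheritance, HQ not enforced ->", uk_scenario(False, False, True))
```

Run stand-alone it prints the winner for each combination; the Block Inheritance case shows the non-enforced head-office AuditLogon setting disappearing, while enforcing the head-office link brings it back regardless of the block.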
 
mrdenny - Do other admin groups such as Enterprise admins still have rights in your Domain in a child-domain structure ?
 
A domain is not a security boundary in AD. Whilst a domain admin in one domain won't automatically have admin rights in another, it's a trivial elevation of privilege attack to gain these rights if you have access to any DC in the forest (which a domain admin will do), basically because the local system user on a DC has enterprise admin rights as it needs to be able to talk with every other DC in the forest. If you gain local system rights on a DC you gain enterprise admins; enterprise admins have rights to add themselves to domain admins in all domains in the forest.

Separate domains will allow you to have separate password policies and you won't run the risk of inheriting other GPOs. Of course the downside is you'll need additional servers as DCs to support it.

If you really can't trust the head office IT then you need a separate forest; otherwise personally I'd prefer a separate domain (at least then you can easily monitor for changes to domain admins etc.). It can be difficult to justify though, given you'd need at least 2 DCs to support it.
 