Hi all,
I am moving, renaming and generally reorganizing an AD domain that has really not been touched in a couple decades. I've got a bunch of questions so I don't mess it up:
1) can I move user or computer or groups "live" during the day? That is, if someone is logged in when I move their user object, when the object is "refreshed" (I know that group policy is refreshed during the day), will this cause
a problem for the user? Likewise for a server or a computer (I would like to move the servers out of the general "computers" container into their own container so that some group policy items are not applied to them). And then the same
for groups - can they be moved live without affecting the security on the network.
2) the previous admin put all user security groups within the OU that holds the users. But I don't see any reason to do that and would rather have the groups out where they are more visible (at the root of the domain in their own OU). I figure
that security groups do not need policy applied to them because they are not a user or computer object. Is this a correct assumption?
3) the domain has the default "users" container off the root. Can I a) rename this or b) can I move groups that I use a lot (e.g. "Domain Users", "Domain Admins", "Domain Computers" and the user object "Administrator") out of this container and will AD find these objects e.g. I assume when a computer is added to the domain the process finds "Domain Computers" and adds the computer as a member of that group. I want to just make it easier for admins to find the groups we need so I am going to have a "User Groups" container at the root (and also an "Admin Groups" and "System Groups" off the root).
The last question is more just - any comments on the above strategy? I am trying to divide up the objects in a better way so that as group policy is applied, I can just apply it to different OU's. Same goes for applying delegation to different OU's. Right now most of the group policy is applied to the "default domain policy" policy object and sometimes it has to be blocked further down.
Thanks for any comments!
Albert