AD problem

Mellow

Loyal Freddie
Joined
Dec 23, 2003
Messages
193
Background: A company has 2 sites, both have unique logon scripts but users from each site travel between sites. So they will need access to local drives etc. only.

Problem: Users are being assigned the wrong script when they're in the other site as all users only have the script assigned at user account level.

Solution: I'm thinking two GPOs that assign the correct local script at machine level, each linked to the relevant Site, will enable users to go back and forth freely. Is this how it works or have I missed something obvious?
 

Mellow

Well no, because OUs are static, and users will be moving from one site to another. And as they can only exist in one OU, it seems it's my way or the highway.
 

Xavier

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,542
I can't see why it can't be achieved with GPOs on OUs for the users/systems... Unless there's something you're not explaining within the above fully.

Site-specific stuff can exist on OUs holding machines, by department if necessary, and the rules which you'd tie to users regardless of the site they're working from (desktop policy, access to local drives) would sit within OUs holding the accounts.

Do your users completely hotdesk? How many tiers of permissions to network resources do you have?
 

Mellow

I require users to only be able to access network resources in the site they are currently logged in at. But all users need to be able to hotdesk to either site.
 

Xavier

Ok, so how about having GPOs tied to the machine accounts in the domain rather than the users?

That way you can simply decide what machines at each site can see, irrespective of who is sat at it. Just create OUs based on the department and site, move the correct machines in and set them that way.
 

Mellow

So I just move the relevant computer objects into the correct OU and it will remember where I put them? Don't I need to create the computer objects manually or something first?
 

Xavier

The computers should have domain accounts just like the users. OUs can be used to set GPO against either, or both.

Just create two OUs, one for each site, and if you're creating policies per department then inside each, OUs for the departments. Then set policies and populate each departmental OU with the corresponding machine domain accounts from AD's computer accounts folder, where they end up upon creation.
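The layout Xavier describes, as an added example that is not part of the thread: one OU per site, one machine-side GPO linked to each, and the computer accounts moved out of the default Computers container into the OU for their site. It assumes a current AD DS domain with the ActiveDirectory and GroupPolicy RSAT modules (the thread's Win2k DCs predate this tooling), and the site names, GPO names and hostname-prefix convention are constructed placeholders. It also goes one step beyond the thread by switching on loopback processing in each site GPO, which is what makes user-side items in that GPO (a logon script, drive maps) follow the computer's OU rather than the user's account.

```powershell
# Added example, not code from the thread. Builds per-site computer OUs,
# creates and links one machine-side GPO per site, and moves computer
# accounts into the OU for their site.
# Assumptions: ActiveDirectory + GroupPolicy modules present; site names,
# GPO names and the hostname prefixes below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example
$sites    = @('SiteA', 'SiteB')                 # hypothetical site names

foreach ($site in $sites) {
    # 1. One OU per site to hold that site's computer accounts
    $ouName = "$site Computers"
    $ouDn   = "OU=$ouName,$domainDn"
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
            -SearchBase $domainDn -SearchScope OneLevel
    if (-not $ou) {
        New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
            -ProtectedFromAccidentalDeletion $true | Out-Null
    }

    # 2. One GPO per site, applied to the machine regardless of who logs on
    $gpoName = "$site - Workstation Policy"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName -Comment "Machine-side settings for $site" | Out-Null
    }
    # Loopback processing (1 = merge): user-side settings in this GPO are
    # applied based on the computer's OU, so a hotdesking user gets the
    # local site's logon script/drive maps instead of their home site's.
    Set-GPRegistryValue -Name $gpoName `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

    # 3. Link the GPO to the site OU (skip if already linked)
    $alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks |
        Where-Object { $_.DisplayName -eq $gpoName }
    if (-not $alreadyLinked) {
        New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
    }
}

# 4. Move computer accounts from the default container into their site OU.
#    Hypothetical naming convention: hostname prefix identifies the site.
$siteByPrefix = @{ 'SA-' = 'SiteA'; 'SB-' = 'SiteB' }
$defaultContainer = "CN=Computers,$domainDn"
Get-ADComputer -Filter * -SearchBase $defaultContainer -SearchScope OneLevel |
    ForEach-Object {
        $name = $_.Name
        $match = $siteByPrefix.GetEnumerator() |
            Where-Object { $name.StartsWith($_.Key) } | Select-Object -First 1
        if ($match) {
            Move-ADObject -Identity $_.DistinguishedName `
                -TargetPath "OU=$($match.Value) Computers,$domainDn"
        } else {
            # Unmatched machines stay put and are reported rather than guessed at
            Write-Warning "$name matches no site prefix; left in $defaultContainer"
        }
    }

# 5. Report what each site OU now contains and which GPOs are linked to it
foreach ($site in $sites) {
    $ouDn  = "OU=$site Computers,$domainDn"
    $count = @(Get-ADComputer -Filter * -SearchBase $ouDn).Count
    $links = (Get-GPInheritance -Target $ouDn).GpoLinks.DisplayName -join ', '
    "{0}: {1} computer(s); linked GPOs: {2}" -f $site, $count, $links
}
```

After a moved workstation has rebooted, `gpresult /r /scope computer` on it should list the site GPO under applied computer policies; a user who signs in there and still receives their home-site script is a sign the user object's own scriptPath is still set and is winning over the machine-side policy.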
 

Xavier

P.S. is your PDC for each site Win2k or Win2k3, and does each run solo or are the FSMO roles distributed across multiple servers?
 

Mellow

2 Sites, 1 Win2k box at each. (no I didn't design the site layout)
 
