OU Management in AD & Azure tips related to Azure Series & Network Connectivity with ExpressRoute

John Savill

September 14, 2017

3 Min Read
Office building

Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.

Read through the FAQ archives, or send him your questions via email.

Q. I have a number of OUs and want to delegate full control to a specific group for each OU via script. How can I do this?
Q. Why would I not always use the xS series for an Azure VM?
Q. Can I connect a virtual network to multiple ExpressRoute circuits that are peered in the same location?

Q. I have a number of OUs and want to delegate full control to a specific group for each OU via script. How can I do this?
Dept - Active Directory

A. If you child OUs and want to delegate control for each OU to a specific group this can be done easily with a little piece of PowerShell. This code will find all OUs under a certain path and delegate to a group named " Admins" (which you need to have created).

$BasePath = (Get-ADOrganizationalUnit -LDAPFilter "(Name=VLANGENUsers)").DistinguishedName

$OUs = Get-ADOrganizationalUnit -filter * -searchbase $BasePath -SearchScope OneLevel

foreach($OU in $OUs)
{
Write-Output "Fixing $OU.Name"
$TargetOU = $OU.DistinguishedName

#Grant the local admins full delegation
$AdminGroupName = "$($OU.Name) Admins"
$AdminGroup = Get-ADGroup $AdminGroupName

$GrpSID = New-Object System.Security.Principal.SecurityIdentifier $AdminGroup.SID
$OUacl = Get-ACL -Path AD:$($TargetOU)
$identity = [System.Security.Principal.IdentityReference] $GrpSID
$adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
$type = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType

$OUacl.AddAccessRule($NewACE)

Set-ACL -ACLObject $OUacl -Path AD:$($TargetOU)

}

Q. Why would I not always use the xS series for an Azure VM?
Dept - Azure

A. Azure has a wide range of VM series that have their own focus areas such as high compute ratios, nVidia CUDA cards, high memory ratios, large storage and high IOPS, RDMA network connectivity, large amounts of resource and so on. In addition many have an S version which supports the use of Azure Premium Storage. For example there is the D series and a DS series. So why would you not always use the S variant of the VM size? For the most part you should always use the S variant which gives the flexibility of using premium storage in the future however the only negative impact is the S variant has a smaller temporary disk, i.e. the D drive. This is because a portion of the temporary disk is used for caching purposes with the S variant. If you do not need the full size of the temporary disk then use the S variant. For an example of the different temporary storage sizes view the details at https://docs.microsoft.com/en-us/azure/virtual-machines/windows/sizes-general.

Q. Can I connect a virtual network to multiple ExpressRoute circuits that are peered in the same location?
Dept - Azure

A. No. While a virtual network can be connected to multiple ExpressRoute circuits, each must be at a different peering location. For example I could connect a virtual network to an ExpressRoute circuit peered in Dallas and one in Chicago but I could NOT connect to two circuits both peered in Dallas. Using different carriers does not change this.

 

 

About the Author

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like