Active Directory Data Model for University Business

[William Custer <custerwl () MUOHIO EDU>]

Miami University is seeking contact with universities that have
successfully implemented Active Directory on a large scale and modelled the
Organizational Units and Group Policy classes to successfully fit a
university business model.

In particular, Active Directory places a User Account in one and only one
Organizational Unit, but university personnel frequently hold more that one
organizational role.  Sub-groups of users can be built as exception lists,
policy be associated with multiple groups of this kind, and most
importantly, a User Account can be placed in multiple groups.  A strategy
like this seems to be required and hence makes use of more than one
organizational unit for User Accounts largely irrelevant at minimum and
beyond that unnecessarily confusing.

Has anyone devised an elegant strategy that permits the same User Account
to be associated with more than one 'group' and multiple groups to be
associated with some policy?