Active Directory Structure Guidelines – Part 1

Reserved Names

While it would be nice to have an OU called Computers and/or Users at the top level of your AD structure, remember that these are already container names and therefore cannot be used at the top level.

Redirect New User and Computer Accounts

When a new user or computer account is created in Active Directory, it is placed by default in the “Users” or “Computers” container. As a result, these objects are not subject to any Group Policy except the Default Domain Policy or any other GPO linked to the domain (see Part 2). You may therefore want to consider redirecting the default creation location for these new AD objects to one that lets you easily apply GPOs specific to new users and computers. Before you do this, however, you will need to create an OU that you can designate as the default creation location. Consider creating a top-level OU called “New” or “Default” and then creating sub-OUs called Users and Computers.

[image]

You may have noticed that I have called the sub-OUs Computers and Users, which conflicts with the “Be Consistent” section above. However, in this case we are not creating a default location for just workstations and just people; we are creating a location for all new computers (workstations or servers) and user accounts (service accounts, people accounts or resource accounts). This naming convention is also consistent with the names of the default containers at the top of the AD, so there is some logic in keeping the names.

See “Apply GPO to New Users and Computers” in Part 2, where I will show you how to apply Group Policy to these new default OUs.

For more information on how to redirect the default Users and Computers containers, see KB324949: Redirecting the users and computers containers in Active Directory domains.
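The procedure above (create the “New” OU with Users and Computers sub-OUs, then redirect the default containers as described in KB324949) as an added PowerShell example; this is not code from the original article, and it assumes you run it as a Domain Admin with the RSAT ActiveDirectory module on a domain at functional level Windows Server 2003 or higher (required by redirusr/redircmp).

```powershell
# Added example, not from the original article: build the "New" OU tree,
# point the default user/computer creation location at it, and verify.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=com
$newOU    = "OU=New,$domainDN"

# Create each OU only if it does not already exist, so the script is safe to re-run.
$tree = @(
    @{ Name = 'New';       Path = $domainDN },
    @{ Name = 'Users';     Path = $newOU },
    @{ Name = 'Computers'; Path = $newOU }
)
foreach ($ou in $tree) {
    $dn = "OU=$($ou.Name),$($ou.Path)"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path `
            -ProtectedFromAccidentalDeletion $true
        Write-Host "Created $dn"
    }
}

# Redirect the default containers (KB324949). These tools update the
# domain's wellKnownObjects attribute, so the change applies domain-wide.
redirusr.exe "OU=Users,$newOU"
redircmp.exe "OU=Computers,$newOU"

# Verify: Get-ADDomain reports the containers new objects now land in.
$domain = Get-ADDomain
[pscustomobject]@{
    UsersContainer     = $domain.UsersContainer
    ComputersContainer = $domain.ComputersContainer
    Redirected         = ($domain.UsersContainer -eq "OU=Users,$newOU") -and
                         ($domain.ComputersContainer -eq "OU=Computers,$newOU")
}
```

Once the redirect is in place, GPOs linked to the two sub-OUs (covered in Part 2) apply to every newly created account before it is moved to its final OU.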

References

Designing an OU Structure that Supports Group Policy

…change the default location where new user and computer accounts are created so you can more easily scope GPOs directly to newly created user and computer objects

Deciding what OU structure to use

When designing your OU structure you need to keep in mind that companies often change in size and often acquire or sell off divisions. Below I go through the basic designs and then show you how they can be combined into hybrid structures. Most organisations will probably use a hybrid of the various methods that best suits their requirements.

Below I have listed some of the considerations for choosing an OU structure design (in no particular order):

  • Delegation of security
  • Application of Group Policy
  • Likeliness of divesting or acquiring other business
  • Geographical Locations – Global Region, Country, Weather Region, Closest International Airport, State, City, Suburb, Building, Floor
  • Risk Mitigation – You might not want to have 1 OU with 10,000 computers in it, even if they are all configured the same, as this makes it very easy to break all your computers with one simple mistake. In these extreme cases you might want to set up sub-OUs with duplicate policies applied to them, but this would only be done in extreme situations.

Organisational OU Structure

This method of organising your OU structure should be used if you have very clear and stable organisational boundaries. You are highly unlikely to use this type of structure by itself, as it would have you lump all your users, groups, contacts and computer objects together in the same OU.

[image: Organisational OU structure]

Geographical OU Structure

This method would be used where your company has many physical locations, perhaps with multiple divisions/departments in the same location. It would also be used if you did not have much variance between the configuration of computers in each physical location.

[image: Geographical OU structure]

References

Designing an OU Structure that Supports Group Policy

you might consider geographically based OUs either as children or parents of the other OUs, and then duplicate the structure for each location

Resources OU Structure

When you are placing your AD objects in your OU structure it is a very good idea not to lump different object types together in the same OU, and in a few cases you might also want to consider splitting your resources into separate sub-resource types. Keeping your resources separate greatly simplifies the permissions you delegate for specific types of AD objects and also allows you to more easily apply Group Policy Objects to your computer and user accounts.

In most circumstances the Resource OUs are at the lower end of the OU structure and are the OUs that directly contain the AD objects (users, groups, contacts and computers).

Below is a list of example resource OUs and how you can break them down.

Colour   Type of object it contains
Yellow   Organisational Unit – no objects except other OUs are direct members
Red      User objects
Blue     Computer objects
Green    Group objects
Purple   Contact objects
[image: Resource Structure Example]

References

TechNet: Designing Your Group Policy Model

Classify the types of computers and the roles or job function of users in your organization, group them into OUs, create GPOs to configure the environment for each as needed, and then link the GPOs to those OUs.

Designing an OU Structure that Supports Group Policy

Think primarily about the objects you want to manage when you approach the design of an OU structure. You might want to create a structure that has OUs organized by workstations, servers, and users near the top level

By using a structure in which OUs contain homogeneous objects, such as either user or computer objects but not both, you can easily disable those sections of a GPO that do not apply to a particular type of object.
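An added PowerShell audit (not code from the original article or from TechNet) that checks an existing domain against two of the points above: the “homogeneous objects” guideline (no OU holding both user and computer objects directly) and the risk-mitigation concern about one OU holding very many computers. The 1000-computer threshold is an assumed default and the function name is my own.

```powershell
# Added example, not from the original article: report OUs that mix user and
# computer objects, or hold more computers than a chosen risk threshold.
Import-Module ActiveDirectory

function Get-OUResourceReport {
    param([int]$MaxComputersPerOU = 1000)   # assumed default; tune for your domain

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        # OneLevel counts only direct members; child OUs get their own rows.
        $direct = Get-ADObject -Filter * -SearchBase $ou.DistinguishedName `
                               -SearchScope OneLevel
        # ObjectClass is the most specific class, so computer accounts report
        # "computer" even though the computer class inherits from user.
        $counts = @{}
        foreach ($obj in $direct) {
            $counts[$obj.ObjectClass] = 1 + [int]$counts[$obj.ObjectClass]
        }
        $users     = [int]$counts['user']
        $computers = [int]$counts['computer']

        $flags = @()
        if ($users -gt 0 -and $computers -gt 0) { $flags += 'MixedUsersAndComputers' }
        if ($computers -gt $MaxComputersPerOU)   { $flags += 'ComputerCountOverThreshold' }

        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Users     = $users
            Computers = $computers
            Groups    = [int]$counts['group']
            Contacts  = [int]$counts['contact']
            Flags     = ($flags -join ',')
        }
    }
}

# Show only the OUs that need attention.
Get-OUResourceReport | Where-Object { $_.Flags } | Format-Table -AutoSize
```

Drop the Where-Object filter to see the full per-OU breakdown, which is also a quick way to confirm that the “Yellow” organisational OUs hold nothing but other OUs.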

Author: Alan Burchill

Microsoft MVP (Group Policy)

36 thoughts on “Active Directory Structure Guidelines – Part 1”

  1. Good Article

    I wanted to include some information about the naming of OUs where it says: “When naming your Organisational Unit make sure the name you are using are short and to the point…” There may be technical limitations that may affect long names.

    During binds to the directory, simple LDAP bind operations limit the distinguished name (also known as DN) of the user to 255 total characters. If you attempt a simple LDAP bind with more than 255 characters, you might experience authentication errors

    Active Directory Maximum Limits – Scalability
    http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx

  2. Thank you, this is very much appreciated. I am working on a deployment for an organization with 4 distinct locations that includes a marriage to Apple OpenDirectory as well as FreeBSD OpenLDAP. Having a well thought out explanation like this is fantastic. It has helped me explain the complexities of designing the right solution to all members of the team. I still have not drafted the final plan but it is giving me some great ideas, so hopefully I can achieve this shortly.

    Cheers,
    Mikel King

    1. Apple Open Directory?? Don’t go there, it’s a trap! 😉 Recommend to use AD + extend schema to support OS X

  3. I’m new to Active Directory and this is very useful.
    I have a question about the Resource Structure Example image sample above.
    I know that it is only an example, but:
    the Groups OU contains Roles and Resources groups.
    What do they mean?
    Does Roles contain groups like Officers, Employees, etc.?

    Thank you very much.

  4. Hi,

    I have configured one domain. I want to configure some group policy by organizational units. I have created an OU and I moved some users into that OU, but I don’t know how to link this OU with Group Policy. I tried many times but I did not succeed. Can anyone help me…
