While it would be nice to have an OU called Computers and/or Users at the top level of your AD structure remember these are already container names and therefore cannot be used at the top level.
Redirect New User and Computer Accounts
When a new user and or computer is created in Active Directory then by default they are created in the “Users” and “Computers” container. As a result these objects are not subject to any group policy except for the Default Domain Policy or any GPO that are linked to the domain (see Part 2). Therefore you may want to consider redirecting where the default location for creating these new AD objects to a location that will allow you to easily apply GPO’s specific for new users and computers. Before you do this however you will need to create a OU that you can designate as the default creation location. Consider creating a top level OU called “New” or “Default” and then create a Sub-OU called Users and Computers.
You may have picked up that I have called the Sub-OU’s Computers and Users which is in conflict with “Be Consistent” section above. However in this case we are not creating a default location for just workstations and just people we are creating a location for all new computers (workstations or servers) and user accounts (service accounts, people accounts or resource accounts). This naming convention is also consistent with the names of the default containers in the top of the AD so there is some logic with keeping the name.
See “Apply GPO to New Users and Computers” Part 2 where I will show you how to apply the Group Policy to these new default OU ‘s.
For more information on how to redirect the default Users and Computers Containers see KB324949 Redirecting the users and computers containers in Active Directory domains
…change the default location where new user and computer accounts are created so you can more easily scope GPOs directly to newly created user and computer objects
Deciding what OU structure to use
When designing your OU structure you need to keep in mind that companies do often change in size and often acquire or sell off divisions. Below I go thought the basic designs and then I show you how they can be combined into hybrid structures. For most organisation you will probably use hybrid of the various method that best suit your requirements.
Below I have listed some of the consideration for choosing an OU structure design (in no particular order):
- Delegation of security
- Application of Group Policy
- Likeliness of divesting or acquiring other business
- Geographical Locations – Global Region, Country, Weather Region, Closest International Airport, State, City, Suburb, Building, Floor
- Risk Mitigation – You might not want to have 1 OU with 10,000 computers in it even if they are all configured the same as this makes it very easy to break all your computers with one easy mistake. In these extreme cases you might want to setup sub-OU’s only with duplicate polices applied to them but this would only be done in extreme situations.
Organisational OU Structure
This method of organising your OU structure should be used if your have very clear and stable organisational boundaries. You are highly unlikely to use this type of structure by itself as this would have you lump all your users, groups, contacts and computer objects together in the same OU.
Geographical OU Structure
This method would be used where your company has many physical locations that perhaps have multiple divisions/departments in the same location. This would also be used if you did not have much variance between the configuration of computers in each physical location.
you might consider geographically based OUs either as children or parents of the other OUs, and then duplicate the structure for each location
Resources OU Structure
When you are placing you AD objects in you OU structure it is very good idea to not lump your object types together in the same OU an in a few cases you might also want to consider splitting you resources up as separate sub-resource types. Having your resources separate greatly simplifies the permission you delegate to your specific types of AD objects and also allows you to more easily apply group policy objects to your computers and users accounts.
In most circumstances it is likely that the Resource OU’s are and the lower end of the OU structure and are the OU that directly contain the AD objects (users,groups,contacts & computers)
Below is a list of example resource OU’s and how you can break them down.
|Colour||Type of object it contains|
|Yellow||Organisational Unit – No objects except for other OU’s are direct members|
|Resource Structure Example|
Classify the types of computers and the roles or job function of users in your organization, group them into OUs, create GPOs to configure the environment for each as needed, and then link the GPOs to those OUs.
Think primarily about the objects you want to manage when you approach the design of an OU structure. You might want to create a structure that has OUs organized by workstations, servers, and users near the top level
By using a structure in which OUs contain homogeneous objects, such as either user or computer objects but not both, you can easily disable those sections of a GPO that do not apply to a particular type of object.