Best practices for OU design

Omar Droubi, Kenton Gardinier, Rand Morimoto and Michael Noel

Though there are some differences between Windows 2003 Server Active Directory, also known as Windows .NET Active Directory, and Windows 2000 AD the same basic practices for organizational unit design still apply. This excerpt from a more detailed InformIT article

Requires Free Membership to View

discusses the best practices for OU design.

The organization of users, computers, and other objects within the Windows .NET Active Directory (AD) structure gives administrators great flexibility and control over their environments. Both organizational unit (OU) and group structure design can be tailored to fit virtually any business need. There is, however, a great bit of confusion among administrators in the design and use of OUs and groups. Often, OUs are indiscriminately used without reason, and group structure is ineffectual and confusing. With the proper preparation and advance knowledge of their use, however, a functional OU and group design can do wonders to simplify your Windows .NET Active Directory environment.

Without some form of logical organization of users within your network environment, chaos reigns and administration grinds to a halt. Administrators need some way to lasso groups of users together into logically identifiable groupings so that changes, security privileges, and administration can be accomplished en masse. Active Directory was specifically designed to be extremely scalable in regards to administrative functionality, and the flexibility of OU and group design is a testament to this strength. Proper design of both organizational unit and group structure will go a long way toward helping you gain control and reduce overhead in your domain environment.

Best Practices

  • Move your user and computer objects into an OU structure.
  • Keep the OU structure as simple as possible.
  • Do not nest OUs more than 10 layers deep.
  • Keep the number of OUs to a minimum.
  • Apply Group Policy to groups through Group Policy Filtering.
  • Use domain local groups to control access to resources, and use global groups to organize similar groups of users.
  • Use distribution groups to create e-mail distribution lists in environments with Exchange 2000.
  • Mail-enable security groups if separation of security and e-mail functionality is not required.
  • Don't simply delete and re-create groups on the fly because each group SID is unique.
  • Don't include users from other Mixed mode domains in a forest in universal groups.
  • Don't utilize local groups for permissions in a domain environment.

Read more about designing OUs at InformIT.

This was first published in July 2004

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.