Best practices for OU design

A short list of best practices for designing organizational units in Active Directory.

Though there are some differences between Windows 2003 Server Active Directory, also known as Windows .NET Active

Directory, and Windows 2000 AD the same basic practices for organizational unit design still apply. This excerpt from a more detailed InformIT article discusses the best practices for OU design.


The organization of users, computers, and other objects within the Windows .NET Active Directory (AD) structure gives administrators great flexibility and control over their environments. Both organizational unit (OU) and group structure design can be tailored to fit virtually any business need. There is, however, a great bit of confusion among administrators in the design and use of OUs and groups. Often, OUs are indiscriminately used without reason, and group structure is ineffectual and confusing. With the proper preparation and advance knowledge of their use, however, a functional OU and group design can do wonders to simplify your Windows .NET Active Directory environment.

Without some form of logical organization of users within your network environment, chaos reigns and administration grinds to a halt. Administrators need some way to lasso groups of users together into logically identifiable groupings so that changes, security privileges, and administration can be accomplished en masse. Active Directory was specifically designed to be extremely scalable in regards to administrative functionality, and the flexibility of OU and group design is a testament to this strength. Proper design of both organizational unit and group structure will go a long way toward helping you gain control and reduce overhead in your domain environment.

Best Practices

  • Move your user and computer objects into an OU structure.
  • Keep the OU structure as simple as possible.
  • Do not nest OUs more than 10 layers deep.
  • Keep the number of OUs to a minimum.
  • Apply Group Policy to groups through Group Policy Filtering.
  • Use domain local groups to control access to resources, and use global groups to organize similar groups of users.
  • Use distribution groups to create e-mail distribution lists in environments with Exchange 2000.
  • Mail-enable security groups if separation of security and e-mail functionality is not required.
  • Don't simply delete and re-create groups on the fly because each group SID is unique.
  • Don't include users from other Mixed mode domains in a forest in universal groups.
  • Don't utilize local groups for permissions in a domain environment.

Read more about designing OUs at InformIT.


This was first published in July 2004

Dig deeper on Microsoft Active Directory Design and Administration

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close