Hide your organization units

Hiding organizational units (OUs) is not a game of hide and seek. It's not even a configuration setting that disables the display of OUs from users. Instead, hidden OUs are created through intelligent Active Directory container layout and design. The primary purpose of hidden OUs is to prevent an administrator from one OU from being able to view, access, or alter another OU. Hidden OUs are often used in environments that offer network application services to internal departments or external customers. It allows for a solid separation of duties without requiring separate domains or forests.

If you are working with Exchange 2000, for example, and are offering e-mail services to several external companies, you need to separate logically each customer's data from the others. Often, one or more users from each company are granted some level of administrative control over their company's e-mail system. You only real solutions are separate forests or hidden OUs. Because separate forests imply a significant increase in cost, primarily for hardware, hidden OUs offer a cost-effective yet secure solution.

A hidden OU is little more than an OU placed on the same logical level as other OUs that you wish to hide from. An administrator from a parent OU can always see the presence of all child OUs. However, an administrator from a peer OU cannot see the presence of other peer level OUs. For example, suppose a company has a domain named xyzcorp.main. It then

    Requires Free Membership to View

creates a headquarters OU. Within this OU, it creates site1, site2, and site3 OUs. A hidden OU can be created on the same level as the site1-site3 OUs, such as SiteH. SiteH will be effectively hidden from all members of the other site OUs. Once you have created the hidden OU, you need to specifically assign and revoke access rights to users and admins to ensure the secrecy of the hidden OU. If users don't have read permission for an OU, it will not appear to them while browsing the directory. Otherwise, users will by default be able to see the hidden OU in standard directory browsing activities.

Along with placing the hidden OU at the same level as other peers and properly assigning access rights, you should also avoid standardized naming conventions. Your hidden OU should have an irregular name. Otherwise, administrators may be able to deduce or infer the name of the hidden OUs.

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in July 2003

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.