Hiding organizational units (OUs) is not a game of hide and seek. Nor is it a configuration setting that switches off the display of OUs to users. Instead, hidden OUs are created through deliberate Active Directory container layout and design. The primary purpose of a hidden OU is to prevent the administrator of one OU from viewing, accessing, or altering another OU. Hidden OUs are often used in environments that offer network application services to internal departments or external customers. They allow a solid separation of duties without requiring separate domains or forests.
If you are working with Exchange 2000, for example, and are offering e-mail services to several external companies, you need to logically separate each customer's data from the others'. Often, one or more users from each company are granted some level of administrative control over their company's e-mail system. Your only real solutions are separate forests or hidden OUs. Because separate forests imply a significant increase in cost, primarily for hardware, hidden OUs offer a cost-effective yet secure solution.
A hidden OU is little more than an OU placed on the same logical level as the other OUs you wish to hide it from. An administrator of a parent OU can always see the presence of all child OUs. However, an administrator of a peer OU cannot see the presence of other peer-level OUs. For example, suppose a company has a domain named xyzcorp.main. It then
Along with placing the hidden OU at the same level as other peers and properly assigning access rights, you should also avoid standardized naming conventions. Your hidden OU should have an irregular name. Otherwise, administrators may be able to deduce or infer the name of the hidden OUs.
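The layout described above, as an added example that is not part of the original article: two peer customer OUs are created directly under the domain, each with an irregular name, inheritance is cut so the OU starts from its own ACL, the default Authenticated Users read access is removed, and only that customer's admin group is granted control. It assumes the RSAT ActiveDirectory module, a domain such as xyzcorp.main, and that the groups CustA-Admins and CustB-Admins (hypothetical names) already exist.

```powershell
# Added example, not from the original article. Run as a domain administrator.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=xyzcorp,DC=main

# Irregular OU names, as the article advises, so a peer admin cannot guess them.
# Group names are hypothetical and assumed to exist already.
$customers = @(
    @{ Name = 'k7x-alpha'; AdminGroup = 'CustA-Admins' },
    @{ Name = 'q2m-beta';  AdminGroup = 'CustB-Admins' }
)

foreach ($c in $customers) {
    $ouDN = "OU=$($c.Name),$domainDN"

    # Create the OU at the same level as its peers (directly under the domain).
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$($c.Name))" `
        -SearchBase $domainDN -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $c.Name -Path $domainDN `
            -ProtectedFromAccidentalDeletion $true
    }

    $acl = Get-Acl -Path "AD:\$ouDN"

    # Stop inheriting ACEs from the domain head and do not copy them down.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove the default explicit read ACEs for Authenticated Users (S-1-5-11),
    # which would otherwise let any authenticated peer admin read this OU.
    $acl.Access |
        Where-Object {
            $_.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-11'
        } |
        ForEach-Object { [void]$acl.RemoveAccessRuleSpecific($_) }

    # Grant this customer's admin group full control over its own OU subtree only.
    $sid  = (Get-ADGroup -Identity $c.AdminGroup).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)

    Set-Acl -Path "AD:\$ouDN" -AclObject $acl
}
```

To confirm the separation, enumerate the domain's top-level OUs while logged on as a member of one customer group and check that only that customer's OU is returned. Note that sibling OUs stay hidden from enumeration only when the forest's List Object access mode is enabled (the third character of the dsHeuristics attribute set to 1); otherwise List Contents on the domain head still reveals their names.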
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in July 2003