Reserved Names
While it would be nice to have an OU called Computers and/or Users at the top level of your AD structure, remember that Users and Computers already exist as the default containers (CN=Users and CN=Computers) directly under the domain, and AD requires object names to be unique among siblings, so OUs with those names cannot be created at the top level.
Redirect New User and Computer Accounts
When a new user or computer object is created in Active Directory, it is placed by default in the “Users” or “Computers” container. A GPO cannot be linked to a container, so these objects receive only the GPOs linked to the site or to the domain itself (such as the Default Domain Policy; see Part 2). You may therefore want to redirect the default creation location to an OU where you can easily apply GPOs specific to new users and computers. Before you do this you need to create the OU that you will designate as the default creation location: consider creating a top-level OU called “New” or “Default” and then Sub-OUs called Users and Computers beneath it.
You may have picked up that I have called the Sub-OUs Computers and Users, which conflicts with the “Be Consistent” section above. However, in this case we are not creating a default location for just workstations or just people; we are creating a location for all new computers (workstations or servers) and all new user accounts (service accounts, people accounts or resource accounts). The naming is also consistent with the default containers at the top of the domain, so there is some logic in keeping these names.
See “Apply GPO to New Users and Computers” in Part 2, where I will show you how to apply Group Policy to these new default OUs.
For more information on how to redirect the default Users and Computers containers see KB324949, Redirecting the users and computers containers in Active Directory domains. Note that redirection only affects tools that create objects without specifying a location (domain joins, net user /add, older admin tools); objects already sitting in the containers stay there until you move them.
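The redirect procedure above, worked through end to end as an added example (this is not code from the original post). It assumes the ActiveDirectory module from RSAT, a session running as Domain Admin on a writable domain controller, and a domain at Windows Server 2003 functional level or higher (which redirusr.exe and redircmp.exe require); the OU names “New”, “Users” and “Computers” follow the post, and the probe account name is a placeholder.

```powershell
# Added example: create the default landing OUs, redirect the well-known
# Users and Computers containers to them (per KB324949), and verify.
# Assumes RSAT ActiveDirectory module and Domain Admin rights on a DC.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example,DC=com
$newOU    = "OU=New,$domainDN"

# Top-level OU "New" with Users and Computers sub-OUs, created only if missing.
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=New)' -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'New' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
foreach ($name in 'Users', 'Computers') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $newOU -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $name -Path $newOU -ProtectedFromAccidentalDeletion $true
    }
}

# Redirect the well-known containers. Both tools ship in System32 on a DC.
& redirusr.exe "OU=Users,$newOU"
& redircmp.exe "OU=Computers,$newOU"

# Check 1: the domain head's wellKnownObjects attribute now points at the new OUs.
# The two GUIDs are the fixed well-known GUIDs of the Users and Computers containers.
$wko = (Get-ADObject -Identity $domainDN -Properties wellKnownObjects).wellKnownObjects
$wko | Where-Object { $_ -match 'A9D1CA15768811D1ADED00C04FD8D5CD|AA312825768811D1ADED00C04FD8D5CD' }

# Check 2: a user created with no -Path must land in OU=Users,OU=New (placeholder name).
$probe = New-ADUser -Name 'redir-probe' -Enabled $false -PassThru
if ($probe.DistinguishedName -notlike "*,OU=Users,$newOU") {
    throw "Redirect did not take effect: $($probe.DistinguishedName)"
}
Remove-ADUser -Identity $probe -Confirm:$false
```

The wellKnownObjects check is the authoritative one: it reads the same attribute the redirect tools write, so it tells you the redirect is in place on every DC once replication has completed, independently of which admin tool created the probe account.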
References
Designing an OU Structure that Supports Group Policy
…change the default location where new user and computer accounts are created so you can more easily scope GPOs directly to newly created user and computer objects
Deciding what OU structure to use
When designing your OU structure, keep in mind that companies often change in size and frequently acquire or sell off divisions. Below I go through the basic designs and then show how they can be combined into hybrid structures. Most organisations will end up with a hybrid of the various methods that best suits their requirements.
Below I have listed some of the considerations for choosing an OU structure design (in no particular order):
- Delegation of security
- Application of Group Policy
- Likelihood of divesting or acquiring other businesses
- Geographical locations – global region, country, weather region, closest international airport, state, city, suburb, building, floor
- Risk mitigation – you might not want a single OU with 10,000 computers in it, even if they are all configured the same, because one mistake (a bad GPO edit or link) then breaks every computer at once. In these extreme cases you might set up sub-OUs, each with duplicate policies applied, so that a change can be made against one sub-OU before the rest; this is only worth doing in extreme situations.
Organisational OU Structure
This method of organising your OU structure should be used if you have very clear and stable organisational boundaries. You are highly unlikely to use this structure by itself, as it would have you lump all your users, groups, contacts and computer objects together in the same OU.
Figure: Organisational OU structure
Geographical OU Structure
This method would be used where your company has many physical locations, perhaps with multiple divisions/departments in the same location. It would also suit an environment where the computers in each physical location are all configured much the same way.
Figure: Geographical OU structure
References
Designing an OU Structure that Supports Group Policy
you might consider geographically based OUs either as children or parents of the other OUs, and then duplicate the structure for each location
Resources OU Structure
When placing your AD objects in your OU structure it is a very good idea not to lump different object types together in the same OU, and in a few cases you might also want to split a resource type into sub-types (for example servers and workstations under Computers). Keeping your resources separate greatly simplifies the permissions you delegate for each type of AD object, and makes it easier to apply GPOs to your computers and user accounts, since an OU that holds only computers or only users lets you disable the half of each GPO that cannot apply there.
In most circumstances the resource OUs sit at the lower end of the OU structure and are the OUs that directly contain the AD objects (users, groups, contacts and computers).
Below is a list of example resource OUs and how you can break them down.
Colour | Type of object it contains
Yellow | Organisational Units (contain only other OUs, no leaf objects)
Red    | User objects
Blue   | Computer objects
Green  | Group objects
Purple | Contact objects
Figure: Resource Structure Example (colour key above)
References
TechNet: Designing Your Group Policy Model
Classify the types of computers and the roles or job function of users in your organization, group them into OUs, create GPOs to configure the environment for each as needed, and then link the GPOs to those OUs.
Designing an OU Structure that Supports Group Policy
Think primarily about the objects you want to manage when you approach the design of an OU structure. You might want to create a structure that has OUs organized by workstations, servers, and users near the top level
By using a structure in which OUs contain homogeneous objects, such as either user or computer objects but not both, you can easily disable those sections of a GPO that do not apply to a particular type of object.
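The resource OU layer above, and the TechNet point about disabling the half of a GPO that cannot apply to a homogeneous OU, worked through as an added example (not code from the original post or from TechNet). It assumes the ActiveDirectory and GroupPolicy modules from RSAT, rights to create OUs and GPOs, and an existing parent OU; the parent OU name “Finance”, the GPO names and the descriptions are placeholders.

```powershell
# Added example: build one sub-OU per object type under an existing parent OU,
# then scope GPOs to the homogeneous OUs with the inapplicable half switched off.
# Assumes RSAT ActiveDirectory + GroupPolicy modules; names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$parentOU = "OU=Finance,$domainDN"      # placeholder: an organisational or geographic OU

# Resource OUs matching the colour key: each holds a single object type.
$resourceOUs = @{
    Users     = 'People, service and resource user accounts'
    Computers = 'Computer accounts (split into Workstations/Servers if they diverge)'
    Groups    = 'Role and resource groups'
    Contacts  = 'Contact objects'
}
foreach ($entry in $resourceOUs.GetEnumerator()) {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$($entry.Key))" -SearchBase $parentOU -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $entry.Key -Path $parentOU -Description $entry.Value `
            -ProtectedFromAccidentalDeletion $true
    }
}

# One GPO per side: a computer-only GPO linked to Computers with its user half
# disabled, and a user-only GPO linked to Users with its computer half disabled.
$pairs = @(
    @{ Name = 'Finance-Computer-Baseline'; Status = 'UserSettingsDisabled';     Target = "OU=Computers,$parentOU" },
    @{ Name = 'Finance-User-Desktop';      Status = 'ComputerSettingsDisabled'; Target = "OU=Users,$parentOU" }
)
foreach ($p in $pairs) {
    $gpo = Get-GPO -Name $p.Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $p.Name }
    $gpo.GpoStatus = $p.Status      # setting the property writes the change to the GPO immediately
    # New-GPLink errors if the link already exists; that is harmless here.
    New-GPLink -Guid $gpo.Id -Target $p.Target -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# Check: list every GPO linked to each resource OU together with which halves are enabled.
foreach ($p in $pairs) {
    (Get-GPInheritance -Target $p.Target).GpoLinks | ForEach-Object {
        [pscustomobject]@{
            OU      = $p.Target
            GPO     = $_.DisplayName
            Linked  = $_.Enabled
            Status  = (Get-GPO -Guid $_.GpoId).GpoStatus
        }
    }
}
```

Disabling the unused half does more than save processing time: a user-setting accidentally added to the computer baseline can never reach a user object, because the Users OU does not carry that link and the GPO's user half is off, so the homogeneous layout and the GpoStatus setting back each other up.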
Blog Post: Best Practice: Active Directory Structure Guidelines – Part 1 http://bit.ly/bVkygi
Excellent reading for everyone responsible for AD structure! http://fb.me/zUZU5U5w
@Froosh u mean? https://www.grouppolicy.biz/2010/07/best-practice-active-directory-structure-guidelines-part-1/
. @Mixailovich Err, doh, yes that one too 😉 http://bit.ly/cJApsO
Hi Alan, great article – nice clean overview of this difficult subject.
One question about the different graphic files you created, for example this one: https://www.grouppolicy.biz/wp-content/uploads/2010/07/image_thumb78.png
How did you create it – Visio?
And how did you get the graphic elements used..
Need it to document our network-layout at work.
-Jonas, Denmark
It’s 100% Visio 2010…
@thommck There are some great ideas about Active Directory structure (OUs) in this series from @alanburchill. http://bit.ly/ebQlLS
Good Article
I wanted to include some information about the naming of OUs, where it says: “When naming your Organisational Unit make sure the name you are using are short and to the point…” There may be technical limitations that affect long names.
During binds to the directory, simple LDAP bind operations limit the distinguished name (also known as DN) of the user to 255 total characters. If you attempt a simple LDAP bind with more than 255 characters, you might experience authentication errors.
Active Directory Maximum Limits – Scalability
http://technet.microsoft.com/en-us/library/active-directory-maximum-limits-scalability(WS.10).aspx
Best Practice: Active Directory Structure Guidelines – Part 1 http://t.co/LDCB4xuI via @alanburchill . useful as I am restructuring our AD.
Thank you this is very much appreciated. I am working on a deployment for a organization with 4 distinct locations that includes a marriage to Apple OpenDirectory as well as FreeBSD OpenLDAP. Having a well thought out explanation like this is fantastic. It has helped me explain the complexities of designing the right solution to all members of the team. I still have not drafted the final plan but it is giving some great ideas so hopefully I can achieve this shortly.
Cheers,
Mikel King
Apple Open Directory?? Don’t go there, it’s a trap! 😉 Recommend to use AD + extend schema to support OS X
I’m new to Active Directory and this is very useful.
I have a question about the Resource Structure Example image above.
I know that it is only an example, but:
the Groups OU contains Roles and Resources groups.
What do they mean?
Does Roles contain groups like Officers, Employees, etc.?
Thank you very much.
Hi,
I have configured one domain. I want to configure some
group policy by organisational units. I have created an OU and moved some users into that OU, but I don’t know how to
link this OU with Group Policy. I tried many times but did not succeed. Can anyone help me…
“you probably have a delegated cretin duties to specific teams”
WTF?
Very nicely explained. Thank you good sir.