Windows 2003 AD Organizational Units - Why or Why Not?

Posted on 2005-04-27
Medium Priority
Last Modified: 2010-04-18

I'm a bit new to Active Directory.  I know it's a database, I know it treats everything in a domain (users, computers, printers, etc) as an object in its Database.  That's about all I know.

My question is this...

I'm starting a new Domain and I'm looking for advice as far as OUs go.  My company only has about 30 employees and roughly 40 PCs (Win2k/XP).

- Should I create user accounts in the pre-existing USERS OU, or create a new one and logically divide stuff like:

      |____ Users (OU)
                  |___Finance (OU)
                  |           |___Bob
                  |___Engineering (OU)
                  |           |___Joe
                  |___Sales (OU)

- Does it really matter?  What are the benefits of dividing accounts and computers into OUs?

Thank you so much!
Question by: techleet

Accepted Solution

luv2smile earned 1000 total points
ID: 13879655
Active Directory OU Design is very important and should be considered in detail when setting up your AD structure (even though AD has the freedom to allow you to freely move objects between OUs).

OUs are critical when you are using group policy and you should think about how you may want to apply group policy in your organization and this will help with your OU design. Also, OUs are nice because they give you a logical layout of your Active Directory (this is helpful even in a small network).  Think of them as file folders.....a nicely organized filing cabinet is much easier to navigate through than one when all the files are stuck in the same file folder.

The built-in users container is not an OU (same for built-in computer container)....it is simply a container. The big difference is that you can't apply group policy directly to this container (although any users in it would receive the default domain policy).

So Yes.....it definitely does matter and you should move your users and computers out of those default locations and into a logical design that fits your organization.

A very general OU design would create OUs for each department as you have. But under each department OU, a general design would create separate OUs for computers and users.

So it would look like this:

Finance OU
    - Computer OU
    - User OU
Engineering OU
    - Computer OU
    - User O

Expert Comment

ID: 13881436
To add to the above - it's simply a matter of preference whether you separate your computers and users into different OUs.  Technically, there is no benefit.

GPOs apply to users and/or computers.  The client-side extensions know what to apply to each object based on the elements that are defined in it - either in Computer Configuration or User Configuration.
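
The per-department layout described in the accepted answer, as an added PowerShell example that is not part of the original thread: it builds the OUs, lists accounts still sitting in the default containers (which cannot take a GPO link), and previews moving users into their department OU. It assumes the ActiveDirectory module is available and that the account names `bob` and `joe` are placeholders taken from the question's sketch.

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) and rights to create OUs.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$domainDN    = $domain.DistinguishedName
$departments = 'Finance', 'Engineering', 'Sales'        # names from the question's sketch
# Constructed mapping of sAMAccountName -> department (hypothetical accounts).
$userDept    = @{ bob = 'Finance'; joe = 'Engineering' }

foreach ($dept in $departments) {
    $deptDN = "OU=$dept,$domainDN"
    # Create the department OU if it is not already directly under the domain root.
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$dept'" `
                -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $dept -Path $domainDN
    }
    # Create the Users and Computers child OUs under each department.
    foreach ($child in 'Users', 'Computers') {
        if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$child'" `
                    -SearchBase $deptDN -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $child -Path $deptDN
        }
    }
}

# Report objects still in the default containers. These receive only
# domain-linked policy because a GPO cannot be linked to a container.
$stragglers = @(
    Get-ADUser     -Filter 'Enabled -eq $true' -SearchBase $domain.UsersContainer `
                   -SearchScope OneLevel
    Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel
)
$stragglers | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# Preview moving each mapped user into its department's Users OU.
foreach ($sam in $userDept.Keys) {
    $user   = Get-ADUser -Identity $sam
    $target = "OU=Users,OU=$($userDept[$sam]),$domainDN"
    if ($user.DistinguishedName -notlike "*,$target") {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $target -WhatIf
    }
}
```

Remove `-WhatIf` once the previewed moves look right.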

