The proper way to configure an Active Directory structure

Hello - I am running Server 2003 and have configured my AD users and computers. I am trying to plan a simple but effective way to create groups and assign group policy. I have 9 locations and I have created all my OUs (DT, BO, SE, NE, NS, etc...). I have created child OUs (Accounting, General Staff, AR Specialist, etc...).

My question is, what is the best way to assign users to OUs? I understand I should have users in groups and all are defaulted into the container Users; however, when I move them into the assigned OU structure, what is the correct way to assign users to OUs? Should I put all users into OUs by groups or by users? I understand I need to make it simple, so I'd like to understand the proper way to create an AD structure with policies.
Jaime Campos asked:
Everybody's preferences are different, and ultimately you will need to decide what is the best structure for you. Which groups of users need to have policies applied over them? How can you do this? For example, some organizations would use a top-level OU for 'Finance', and create the appropriate location OUs below each departmental OU (so Finance Users can have policies applied to the root Finance OU), whereas other Administrators would do as you have done, with locational OUs, and then departmental OUs below this.

Personally, I would probably go with the first option. Why? The creation of locational OUs for each of your locations is purely for the purposes of aiding the Administrator's task. It isn't majorly important for assigning policies, since if you configure Active Directory Sites and Services with a Site object for each of your locations, you can assign a Group Policy Object to an Active Directory Site instead. Just for administrative purposes, but to a lesser extent, I would create a location OU beneath each departmental OU.

My structure would be something like:
 | My Company
 | | User Accounts
 | | | Finance
 | | | | NY
 | | | | NE
 | | | | etc.
 | | | | ...

For assigning permissions, you would still need to create Security Groups, and make, for example, each Finance user a member of the Finance security group. You cannot assign permissions based on OU membership, before you ask :-)

Hope this makes sense. Please post any questions you may have.
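The department-first tree sketched in that answer, built as an added example (not the expert's own script). It assumes a hypothetical domain, illustrative department and location names, and the ActiveDirectory PowerShell module from RSAT; against a Server 2003 domain controller that module only works if the Active Directory Management Gateway Service is installed on the DC, or if a 2008 R2 or later DC is present.

```powershell
# Added example: build "My Company / User Accounts / <Department> / <Location>"
# plus a Groups OU. Department and location names are illustrative, not the
# poster's real ones. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example (assumed)
$departments = 'Finance', 'Accounting', 'General Staff'  # illustrative
$locations   = 'NY', 'NE', 'DT', 'BO'                    # illustrative

function New-OUIfMissing {
    # Create an OU only if it does not already exist; return its DN either way.
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    try {
        Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop | Out-Null
    } catch {
        # Protect from accidental deletion: a deleted OU takes every user,
        # computer and GPO link under it with it.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
            -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return $dn
}

$root  = New-OUIfMissing -Name 'My Company'    -ParentDN $domainDN
$users = New-OUIfMissing -Name 'User Accounts' -ParentDN $root
# Groups OU: a container for security group objects only. Nothing that lives
# here is a GPO target, so no policies are ever linked to it.
$null  = New-OUIfMissing -Name 'Groups' -ParentDN $root

foreach ($dept in $departments) {
    # A GPO linked to this department OU reaches every location below it.
    $deptOU = New-OUIfMissing -Name $dept -ParentDN $users
    foreach ($loc in $locations) {
        $null = New-OUIfMissing -Name $loc -ParentDN $deptOU
    }
}

# Check: print the resulting tree as distinguished names.
Get-ADOrganizationalUnit -SearchBase $root -Filter * |
    Sort-Object DistinguishedName |
    Select-Object -ExpandProperty DistinguishedName
```

The function is idempotent, so the script can be re-run after adding a department or office without touching existing OUs or the users already moved into them.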

Jaime Campos (Author) commented:
So your suggestion is to create a Location OU and departmental child OUs underneath? I think I understand, but I don't understand your structure example. I have attached a pic of my current structure, please review and use in comparison with your example. I do not have many GPOs, however I'd like to ensure this design is scalable.

What do you mean by aiding the administrator task?

I'm not too familiar with AD sites, so I'm confused as to what you mean by assigning a GPO to an AD Site instead.

Is a Security Group a Global Group that is located in the users container?

What is the difference between a Global group and an OU?

Sorry, but I'm new to AD and I really appreciate your help.

Hey Jaime,

>> So your suggestion is to create a Location OU and departmental child OUs underneath?

Either method would work nicely, although as I was saying above, I would probably do a departmental OU followed by a locational OU beneath it. However, thinking about it, the other way could work just as well (i.e. a Locational OU at the top, with Department OUs below).

>> What do you mean by aiding the administrator task?

Essentially if you logically organise Active Directory then the network administrator in years to come will find it very easy to use the structure to their benefit. An Administrator should not be spending time trying to figure out how something was configured or who a particular user is / what department / location etc., so logically organising Active Directory from the start by organising users makes things a lot easier.

>> I'm not to familiar with AD sites, so i'm comfused as to what you mean to assign GPO to an AD Site instead.

Each site should have its own IP subnet for a site-to-site VPN to work. You use the Start > Admin tools > Active Directory Sites and Services tool to create a separate site for every office you have, and assign the IP subnet that site has to the Active Directory site object. This makes things much easier, since it enables you to control replication between sites, and many other things. In Group Policy Management, you can display each site object you have created and link group policies there, rather than doing it at the locational level based on user account. This means that no matter where a particular user is, they will ALWAYS have THAT office's GPO settings. Ask if you need more info.

>> Is a Security Group a Global Group that is located in the users container?

A Security Group is simply a Group which you can create in ANY container, but one which you have selected 'Security' as opposed to 'Distribution' on. If 'Security' is selected, then that group is a Security group, regardless of whether it is Universal, Global or Domain Local. For a single-domain single-forest structure, you should be looking to use 'Global' groups, I would suggest.

>> What is the differance between a Global group and an OU?

An OU is like a folder for logically organising objects into one particular OU. This gives Active Directory structure and allows you to assign policies to each OU.

A security group is used for granting users access to network resources. The user must be made a member of a security group using the 'Member Of' tab on the User Account Properties.
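Both halves of that answer (one site and subnet per office with a GPO linked to the site, and what makes a group a Security group) as an added example, not the expert's own commands. It assumes a hypothetical office-to-subnet map, a Groups OU under "My Company" that already exists, and the Windows Server 2012 or later RSAT versions of the ActiveDirectory and GroupPolicy modules (the replication cmdlets are not in older ones).

```powershell
Import-Module ActiveDirectory   # 2012-or-later RSAT version for the *-ADReplication* cmdlets
Import-Module GroupPolicy

$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext
# Illustrative office -> subnet map (assumption): one subnet per site-to-site VPN leg.
$offices  = @{ 'NY' = '10.10.0.0/24'; 'NE' = '10.20.0.0/24' }

foreach ($site in $offices.Keys) {
    $subnet = $offices[$site]
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnet'")) {
        New-ADReplicationSubnet -Name $subnet -Site $site
    }

    # A site-linked GPO follows the network, not the user object: any computer
    # on this subnet (and whoever logs on to it) processes it, which is the
    # "always THAT office's settings" behaviour described above.
    $gpoName = "Site - $site office"
    try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $gpoName }
    $siteDN = "CN=$site,CN=Sites,$configNC"
    $links  = (Get-ADObject -Identity $siteDN -Properties gPLink).gPLink
    if ($links -notlike "*$($gpo.Id)*") {          # gPLink lists linked GPO GUIDs
        New-GPLink -Name $gpoName -Target $siteDN | Out-Null
    }
}

# A Security group is any group created with -GroupCategory Security; the scope
# is a separate choice (Global for a single domain, as advised above). The OU it
# sits in is only a container: placing it in a Groups OU grants nothing there.
$groupsOU = "OU=Groups,OU=My Company,$($domain.DistinguishedName)"   # assumed to exist
if (-not (Get-ADGroup -Filter "Name -eq 'Finance Users'")) {
    New-ADGroup -Name 'Finance Users' -SamAccountName 'Finance Users' `
        -GroupCategory Security -GroupScope Global -Path $groupsOU `
        -Description 'All Finance staff; used on ACLs only'
}

# Checks: which site each subnet maps to, and what the group really is.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADGroup -Identity 'Finance Users' -Properties GroupCategory, GroupScope |
    Select-Object Name, GroupCategory, GroupScope, DistinguishedName
```

One caveat worth knowing before linking GPOs to sites: a site spans the whole forest, so a site-linked GPO is processed by every domain's computers on that subnet, and a mistyped subnet silently leaves computers in the Default-First-Site-Name site where no office policy applies. The Get-ADReplicationSubnet check at the end is the quick way to confirm the mapping.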

Jaime Campos (Author) commented:
PERFECT! Very easy to understand.

Last question.

Do I assign users to OUs or groups to OUs from the Users container? I understand I can assign both, but what is the best way? Most of my users are in my Users container and I'd like to move them to an OU so I can assign policy. It just feels like I may be doing something wrong when I create an Accounting OU and then assign the group Accounting to it, and then still have all users in the Users container. I really would appreciate your response. Hope this makes sense. :)



You can't associate Security Groups to OU. That just doesn't work. I suspect you might have fallen into the classic trap of thinking that if you assign a security group to an OU, then you would expect that any user which is moved into that OU will inherit the security group? Sadly that's not the case.

What you do is you move the *users* into the appropriate OUs, let's say you have an Accounting user and you move her into the Accounting OU. This enables you to: a) track which users are in which departments; b) assign policies to all users in the accounting OU.

Now, let's say you want to grant the Accounting Department access to a share on the file server, where all accounting data is stored. You need to first create a Security Group, say 'Accounting Users'. Now, all the Accounting department user objects need to be made members of this group, so they inherit its permissions over the Accounting file server share. You would go to each user in the Accounting OU in turn (since no users outside the Accounting OU should need these privileges, if Active Directory is correctly organised with users in appropriate OUs). On each user in the OU, view their Properties, go to the 'Member Of' tab and add the Accounting security group there. The user is now a member of this group, and any permissions you assign (e.g. by right-clicking a folder in the file system and choosing the Security tab) will be inherited by that user.

N.B. Quick way to add multiple users to a group - highlight all the users to add in, right-click, 'Add to group', specify group name, OK.

The actual Group objects you see when you create a group can be placed anywhere in Active Directory. I usually have an OU called Groups, specifically for holding Security Group objects. You could also put the Accounting Security group into the Accounting OU, for example. However, this is just acting as a placeholder, where you place the group object in AD will NOT grant any extra permissions to anything in that OU at all. The only way you grant permissions to a group is by using the 'Security' tab on objects in the file system, printers, Active Directory console and everywhere else in Windows Server where you see a Security tab.

Also, another point to note, on 'Security' tabs, NEVER put in a user account. Always use groups (even if the group has only 1 member), since it is much easier to track later. If a new person replaces someone before, it is much easier to just add their user account to your security group and they get all the appropriate permissions, rather than having to go and track down every permission you set for the old user in 50 000 places, delete it and re-create it for the new user!
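The procedure in that answer end to end (move the users into their OU, make every user in the OU a member of the group, grant the share to the group and never to a user), plus the check a practitioner would want: a scan of the share's ACL for entries that name user accounts directly. This is an added example, not the expert's script; the account names, OU path, group name and share path are assumptions, and the group is assumed to exist already.

```powershell
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$accountingOU = "OU=Accounting,OU=User Accounts,OU=My Company,$($domain.DistinguishedName)"  # assumed
$group        = 'Accounting Users'       # Global security group, assumed to exist
$share        = 'D:\Shares\Accounting'   # illustrative local path of the share

# 1. Move the department's users out of the default Users container into its OU.
#    OU membership is about organisation and GPO scope; it grants no permissions.
foreach ($sam in 'jdoe', 'asmith') {     # illustrative accounts
    $u = Get-ADUser -Identity $sam
    if ($u.DistinguishedName -notlike "*,$accountingOU") {
        Move-ADObject -Identity $u.DistinguishedName -TargetPath $accountingOU
    }
}

# 2. Make every user object under the OU a member of the security group: the
#    GUI 'Add to group' shortcut, done for the whole OU at once and re-runnable.
$members  = Get-ADUser -SearchBase $accountingOU -SearchScope Subtree -Filter *
$existing = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
$new      = $members | Where-Object { $existing -notcontains $_.SamAccountName }
if ($new) { Add-ADGroupMember -Identity $group -Members $new }

# 3. Grant the share to the GROUP. The ACE is "DOMAIN\group", never "DOMAIN\user",
#    so replacing a person later means one group-membership change, not an audit
#    of every ACL the old account was ever put on.
$acl  = Get-Acl -Path $share
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "$($domain.NetBIOSName)\$group",
    'Modify',                              # not FullControl: members cannot change the ACL
    'ContainerInherit, ObjectInherit',     # flow down to subfolders and files
    'None',
    'Allow'
)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# 4. Check: report any ACE on the share that names a user account directly.
function Get-UserPrincipalAces {
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        $obj  = Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties objectClass
        if ($obj -and $obj.objectClass -eq 'user') { $ace }   # well-known SIDs and groups are skipped
    }
}
Get-UserPrincipalAces -Path $share   # a clean share prints nothing
```

Step 4 generalises the "never put a user on a Security tab" rule into something you can run over every share on the file server: pipe a list of paths into the function and anything it prints is an ACE to replace with a group.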

Jaime Campos (Author) commented:
>>>> You could also put the Accounting Security group into the Accounting OU, for example. However, this is just acting as a placeholder, where you place the group object in AD will NOT grant any extra permissions to anything in that OU at all.

This will not grant any special permissions to anything in that OU; now, if that OU has a GPO assigned to it, will that policy apply to the Global Group (which stores all accounting users)? That's where I'm confused, because it just seems to be redundant if I put all users into the Accounting OU (to assign policies) when I could just put the Accounting group into the Accounting OU.

You mentioned that you created an OU and put all your groups into that OU. If I create an OU with all my Global Groups and I have a policy at the root level, wouldn't that apply to all my groups within my OU? Wouldn't it be better to leave the groups in a container and, like you suggested, move all *users* into specific OUs?

MATT, I really appreciate your help and I'm sorry if I'm making it more complicated.

First of all, I have no problems helping you, and I'm glad you're asking your questions so I can further clarify!

Think of OUs and Groups as two completely separate things. You should obviously organise your Active Directory into OUs, since this makes it much easier to manage by the Network Administrators. Policies are applied at the OU level, rather than group level, so it is necessary to assign users to departmental OUs, otherwise you cannot set a policy for an entire department, for example.

Security Groups are a completely different concept. The part I think you are confused about is where you can put them in Active Directory. The OU into which you place the security group has NOTHING whatsoever to do with policies and the way they are applied or inherited. If you assign a policy to an OU containing solely Security Groups, the security group does NOT inherit the settings of that policy. You can ONLY apply a policy to an OU where there are User or Computer objects.

Two things with regard to Group Policies may confuse you further:

*When you use Group Policy Manager to link a policy to an OU, you will notice there is a 'Security Filtering' option where you can add a security group. This essentially means you can link a policy to an OU, but ensure it will ONLY apply to users in certain groups beneath that OU.

For example, on one of my networks, we have to set various features of Office 2007 by policy; to do this, we have an OU with computer objects in (and sub-OUs obviously for offices and locations). We then have a Security Group for computers running the Office 2007 system. We link a policy to the root of the computers OU and set the appropriate settings. Then, in the Security Filtering section, we remove 'Authenticated Users' and Add the Office 2007 Computers security group. In this case, all computers beneath our Computers OU will inherit the policy, but when they process it, they will only apply the settings if they are a member of the specified group.

*Another slightly related thing with policies is that should you link a policy to an OU containing your Computer objects, you can ONLY use the 'Computer Configuration' section of the policy. You CANNOT set a setting in the User Configuration section and expect an OU full of Computer objects to inherit it; it simply does not happen, and the same applies in reverse for OUs containing User Objects.
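The Office 2007 scenario from that answer as an added example (not the expert's own commands): link the GPO at the root of the computers OU, swap Authenticated Users' Apply right for the filter group's, and disable the User Configuration half that could never apply there anyway. The GPO, group and OU names are assumptions, and the GroupPolicy and ActiveDirectory RSAT modules are required. It also adds one caveat the thread predates.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'Office 2007 Settings'      # illustrative GPO name
$filterGp = 'Office 2007 Computers'     # illustrative global security group of computer objects
$compOU   = "OU=Computers,OU=My Company,$((Get-ADDomain).DistinguishedName)"  # assumed OU

try   { $gpo = Get-GPO -Name $gpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $gpoName }

# The GPO only carries Computer Configuration settings. Its User Configuration
# half could never apply to an OU of computer objects, so disable it outright;
# that makes the intent visible in GPMC and skips useless processing.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Link once at the root of the computers OU; the per-office sub-OUs inherit it.
if ((Get-GPInheritance -Target $compOU).GpoLinks.DisplayName -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $compOU | Out-Null
}

# Security filtering: every computer under the OU still reads the GPO, but only
# members of the filter group hold 'Apply group policy' and actually apply it.
# Caveat not in the thread: since MS16-072 (June 2016) the computer account reads
# a GPO on the logged-on user's behalf, so Authenticated Users must keep Read
# (not Apply) or the policy silently stops applying. -Replace swaps Apply for Read
# instead of removing the trustee entirely.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $filterGp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Check the resulting GPO ACL: the filter group should show GpoApply and
# Authenticated Users GpoRead. On a client, 'gpresult /r /scope:computer' then
# lists the GPO as applied on group members and as "Filtering: Denied (Security)"
# on every other computer under the OU.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Because the filter group holds computer objects, a new machine only needs to be added to the group (and rebooted, or `gpupdate /force` run on it) to pick up the settings; nothing on the GPO or its link changes.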


Hope you got it sorted!
Thanks for the points,