Dan Henery asked:

Active Directory Design

I am building Active Directory for a company with multiple locations. As everyone knows, by default all users go into the Users folder and all computers go into the Computers folder. I am thinking of using that logic in the layout of my OUs for locations and departments.

Example: I want to create an OU for Headquarters and within that OU have departmental OUs, then break them down into a Users OU and a Workstations OU for each of the department OUs. Does this sound like a logical approach, or am I making things too complex?
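The layout described in the question, as an added example that is not part of the original post: a PowerShell script that builds the Headquarters > Department > {Users, Workstations} tree idempotently, so it can be re-run as departments are added. It assumes the ActiveDirectory module (RSAT), an account delegated to create OUs, and placeholder department names; the domain DN is read from the domain itself.

```powershell
# Added example (not from the original question): build the proposed
# Headquarters > Department > {Users, Workstations} OU tree idempotently.
# Assumes the ActiveDirectory module (RSAT) and an account delegated to
# create OUs. Department names below are placeholders.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example,DC=com
$locations = @{
    'Headquarters' = @('Finance', 'HR', 'IT')         # placeholder departments
}
$leafOUs   = @('Users', 'Workstations')

function Initialize-OU {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ParentDN
    )
    $dn = "OU=$Name,$ParentDN"
    # Get-ADOrganizationalUnit -Identity throws when the OU is absent,
    # so probe with an LDAP filter scoped to the parent instead.
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" `
                    -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $existing) {
        # ProtectedFromAccidentalDeletion adds a Deny Delete / Delete Subtree ACE,
        # so a mis-click in ADUC cannot remove a whole department.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
            -ProtectedFromAccidentalDeletion $true
        Write-Host "Created $dn"
    }
    return $dn
}

foreach ($location in $locations.Keys) {
    $locDN = Initialize-OU -Name $location -ParentDN $domainDN
    foreach ($dept in $locations[$location]) {
        $deptDN = Initialize-OU -Name $dept -ParentDN $locDN
        foreach ($leaf in $leafOUs) {
            Initialize-OU -Name $leaf -ParentDN $deptDN | Out-Null
        }
    }
}

# Review the result. Every row is a potential GPO link or delegation point;
# a row with no distinct policy or delegate attached is a candidate for removal.
Get-ADOrganizationalUnit -SearchBase "OU=Headquarters,$domainDN" -Filter * `
        -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion |
    Sort-Object DistinguishedName
```

Run it from an elevated PowerShell session on a domain-joined machine with RSAT installed. The final listing is the useful part for the design question: each nested OU should justify itself with its own Group Policy link or delegated administrator, which is the test the answers below apply.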

Last comment: 8/22/2022 (Mon)
Mike Kline

Too complex I think for now
See my answer there about OU design considerations
Chris Dent

The ability to form structures in Active Directory is an administrative convenience. The hierarchical structure is there to make your job easier (whether that is identity management, or application of policies, or any other reason). If the structure you design does that then by all means go for it. However, do remember that the more complex you make the structure the harder it is to maintain over time.

No matter how complex or simple your structure is, I advise you to strive to keep it neat and tidy. That includes, but is not limited to:

* Use tools like DSQuery, or OldCmp, or your own scripts to get rid of users and computers that no longer work for you
* Establish procedures with HR for new starters and, equally importantly, leavers
* Monitor usage (or lack of usage) of distribution lists (actually quite easy with Exchange 2007)
* When creating groups, if it is remotely obscure, make sure you give it a Description!
* Clean out empty groups (could use an LDAP query in AD Users and Computers to find those quickly). Just not the built-in / default groups.
* Populate the organisational attributes on accounts (either manually or automatically).
* Manage assignment of permissions throughout your domain (File System Permissions). You can use whatever fits, but sticking to only assigning permissions to groups does make life a lot easier. (See http://technet.microsoft.com/en-us/library/bb727067.aspx under Security Groups)
* Come up with some naming conventions for groups, users and computers and stick to them :)

It sounds like a lot, but it can become a habit very quickly... hmmm, then you find there's not much work to do ;)
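The housekeeping list above, as an added example that is not Chris Dent's code: a read-only PowerShell report that finds stale users and computers, empty groups (excluding built-in ones, via the same LDAP filter you can paste into the ADUC custom search), groups with no Description, and direct user entries in a share's ACL, which break the "permissions to groups only" rule. It assumes the ActiveDirectory module (RSAT) and read access to the domain; the 90-day threshold, the output folder and the share path are placeholders.

```powershell
# Added example (not Chris Dent's code): a read-only AD hygiene report.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
# The 90-day threshold, output folder and share path are placeholders.
Import-Module ActiveDirectory

$inactiveFor = New-TimeSpan -Days 90
$reportDir   = "$env:TEMP\ad-hygiene"            # placeholder output location
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# 1. Enabled users and computers that have not authenticated in 90 days.
#    Search-ADAccount uses lastLogonTimestamp, which replicates between DCs
#    but is only updated every ~14 days, so treat the date as approximate.
Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Export-Csv "$reportDir\stale-users.csv" -NoTypeInformation

Search-ADAccount -AccountInactive -TimeSpan $inactiveFor -ComputersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, LastLogonDate, DistinguishedName |
    Export-Csv "$reportDir\stale-computers.csv" -NoTypeInformation

# 2. Empty groups, skipping built-in/default ones. The same filter works in
#    ADUC: Find > Custom Search > Advanced. isCriticalSystemObject excludes
#    Domain Users, Domain Computers etc., whose membership is held through
#    primaryGroupID and therefore never appears in the "member" attribute.
$emptyGroupFilter = '(&(objectCategory=group)(!(member=*))(!(isCriticalSystemObject=TRUE)))'
Get-ADGroup -LDAPFilter $emptyGroupFilter -Properties whenCreated, Description |
    Select-Object Name, GroupScope, GroupCategory, whenCreated, Description, DistinguishedName |
    Export-Csv "$reportDir\empty-groups.csv" -NoTypeInformation

# 3. Groups with no Description, the ones nobody will be able to explain later.
Get-ADGroup -LDAPFilter '(&(objectCategory=group)(!(description=*)))' |
    Select-Object Name, GroupScope, DistinguishedName |
    Export-Csv "$reportDir\groups-without-description.csv" -NoTypeInformation

# 4. Explicit (non-inherited) ACEs on a share root that are not domain groups.
#    Placeholder path; run against each share root you manage. Well-known
#    principals such as BUILTIN\Administrators show IsGroup = False here
#    because they are not domain objects; review those rows by hand.
$shareRoot = '\\fileserver\share'
(Get-Acl -Path $shareRoot).Access |
    Where-Object { -not $_.IsInherited } |
    ForEach-Object {
        $principal = $_.IdentityReference.Value
        $account   = $principal.Split('\')[-1]
        $isGroup   = [bool](Get-ADGroup -Filter "SamAccountName -eq '$account'" `
                                -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Principal = $principal
            Rights    = $_.FileSystemRights
            Type      = $_.AccessControlType
            IsGroup   = $isGroup
        }
    } |
    Export-Csv "$reportDir\share-direct-aces.csv" -NoTypeInformation

Get-ChildItem -Path $reportDir
```

Nothing in the script changes the directory: it produces CSV files to review with HR and the owners of the affected systems before anyone disables or deletes an object, which is the leavers procedure the answer recommends. Once the lists are trusted, disabling and moving stale accounts to a holding OU for a period before deletion is a safer follow-up than deleting them straight from the report.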

