Best practice for keeping AD organized

Posted on 2012-08-16
Last Modified: 2015-08-15
So this is what I am looking for some advice on.  The client I am working with is in an Exchange 2010 and Server 2008 R2 SP1 environment.  I am currently setting up some new distribution lists for them.

They have multiple remote offices that each have their own OU within the main forest that contains all of the users for that office.  But the main office doesn't.  Its OU is just called 'users' and is getting pretty messy.  I was thinking of taking the time and creating a new OU called HQ and cleaning everything up.  I was also thinking of creating a sub-group for HQ that would contain just email accounts (i.e., distribution lists, etc.) so that anything that doesn't require an actual login username would be placed here.

Any thoughts on this or how your AD forest might differ?
Question by: msweisberg
    LVL 52

    Expert Comment

    You have thought good to Organize and manage ..... AD depends on your Org or Administration requirements.

    Let me know if you have any specific query in mind :)

    - Rancy

    Author Comment

    The client leaves it to us to administer the system and keep it running.  In that respect we have set up each remote office with its own OU and all employees within each office have their information placed within the correct OU.  But it really looks like the main office has gotten overlooked and its OU is quite messy.

    So, the idea that I laid out above....does it look good or should I change something?
    LVL 52

    Assisted Solution

    I agree as to all Offices having this kind of configuration .... any day any issues you know where exactly to find what you want in AD ..... not sure if there is any GPO linked to that OU that you would need to take care of as well :)

    Look as you say if all others have the same configuration not sure why this should be amended .... anyways what I can suggest is
    Create some test users and DL and whatever objects you have in there and plan to move around .... just move those test users and DL and check if their functionality isn't affected in any way, or at most you can choose some Pilot users\DLs to check with no issues, as moving without testing into such thing can sometimes backfire and create a lot more work :)

    - Rancy
    LVL 38

    Assisted Solution

    by:Hypercat (Deb)
    I don't think there are any "best practices" for this kind of thing, except these:

    1.  Logic - organize your user and computer OUs into logical groups. It looks like you've thought yours through pretty clearly.
    2.  Make sure you consider all the possibilities that might arise in the future that would affect those OUs - site management, email management and/or distribution group management, group policies, etc.  One major one that is often overlooked IMO is group policies.  Although GPs can be applied to subgroups within an OU by creating security groups, by far the easiest way to organize GPs is by organizational unit. So, when you create your units you should take into account any group policies that might affect your users and/or computers.
    LVL 95

    Accepted Solution

    I agree with Hypercat - there is no real best-practice that fits everyone.  

    You must remember that your objects (users, groups, computers, etc) cannot belong to more than one OU.  As a result, you need more planning than you would otherwise need when assigning group membership.

    Another point - if your users are in the default Users container, this is NOT an OU - it is a CONTAINER.  The difference being that a container cannot have group policies or sub "containers" or OUs.  So if that's where they are, if you want the ability to apply group policy you MUST move them.

    HOW you set them up depends on your organization's needs/client's needs and you are, without question, in the best position of any of us to determine those.
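
The steps discussed in the answers above (create the new OU, check which GPOs would apply, test with pilot objects before moving everything), as an added example that is not part of the original thread. The OU names `HQ` and `Mail Objects` and the pilot account names are assumptions; it uses the ActiveDirectory and GroupPolicy modules that ship with Server 2008 R2.

```powershell
# Added example; OU names and pilot accounts below are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$usersCN  = $domain.UsersContainer      # default CN=Users: a container, not an OU
$hqDN     = "OU=HQ,$domainDN"
$mailDN   = "OU=Mail Objects,$hqDN"

# 1. Create OU=HQ and a child OU for mail-only objects, if they do not exist yet.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$hqDN'")) {
    New-ADOrganizationalUnit -Name 'HQ' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$mailDN'")) {
    New-ADOrganizationalUnit -Name 'Mail Objects' -Path $hqDN -ProtectedFromAccidentalDeletion $true
}

# 2. Inventory what sits directly in the Users container. Built-in accounts
#    (Administrator, Guest, krbtgt) are flagged isCriticalSystemObject and are
#    excluded so they are never candidates for a move.
$users = Get-ADUser -Filter * -SearchBase $usersCN -SearchScope OneLevel `
             -Properties isCriticalSystemObject |
         Where-Object { -not $_.isCriticalSystemObject }
$dls   = Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' `
             -SearchBase $usersCN -SearchScope OneLevel

"{0} user accounts and {1} distribution groups in {2}" -f `
    @($users).Count, @($dls).Count, $usersCN

# 3. Show which GPOs will start applying to anything moved into OU=HQ
#    (links inherited from the domain plus any linked to the OU itself).
(Get-GPInheritance -Target $hqDN).InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# 4. Dry run: move only the named pilot objects. -WhatIf prints the planned
#    moves without changing the directory; remove it after reviewing the output.
$pilotUsers = 'pilot.user1', 'pilot.user2'      # hypothetical sAMAccountNames
$pilotDLs   = 'DL-Pilot-Test'                   # hypothetical group name

$users | Where-Object { $pilotUsers -contains $_.SamAccountName } |
    Move-ADObject -TargetPath $hqDN -WhatIf
$dls   | Where-Object { $pilotDLs -contains $_.Name } |
    Move-ADObject -TargetPath $mailDN -WhatIf
```

After the pilot objects are moved for real, confirm logon, mail flow to the test distribution list and the resulting policy set (`gpresult /r` on a pilot workstation) before moving the remaining objects.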

    Author Comment

    Thanks all....those are great answers and advice.  @leew...that is exactly what I am looking for.
