Thinking about AD OU Design…

I don’t consider myself to be an OCD person.  I really don’t.  That being said, I can be pretty OCD when it comes to OU design in Active Directory.  How you layout your OUs can cause some pretty big headaches later if you don’t think about the future.  Throughout this article, I will be sharing my suggestions to help you design your OU structure.

When I first started out, I had no idea what I was doing.  I didn’t understand group policy, how it was applied, and why you would ever want to create OUs to put your stuff in.  There is already a users folder.  There is already a computers folder.  Those are fine right?  Well, probably not.  Do you want to apply a group policy to only some users or computers and not others where the settings are not preferences?  If you do, then it’s time to start creating some OUs.  Do you want all of your users in one folder?  Do you want all of your computers in one folder?  If you answered no to the last two questions, then guess what?  Time to create some OUs.

One great way to look at this is to think about the policies you want to apply and design your OU structure around that.  But wait, don’t just think about your policies.  Think about your security groups and distribution groups as well.  If you are like me, you want the naming to be consistent for everything and make sense.  Here is a real world example that will hopefully help explain this concept.  Before presenting that, please understand one thing.  I am all about functional GPOs and not monolithic GPOs.

My current network has offices in 3 locations and some remote workers.  The departments are not in a single location.  We have folks in the operations department in 2 of our offices.  We have folks in our sales department in all three locations and remote.  We have network shares dedicated for each department as well as network shares that all departments have access to.  See where I’m going with this?  I need a policy for shared drive mappings.  That’s an OU.  I need a policy for the departmental drive mappings.  More OUs.  Without really going into too much detail, I also have different printers in each office and each printer is only used by certain departments.   Well there’s a few more policies.

Let’s just back up a bit and draw a picture how we would probably want to lay this out.  We have some policies that will be applied to all departments, but some policies that are department specific so we would want a parent OU for the departments with child OUs of that underneath for each department.

Basic OU Layout
So from there, let’s look at all those policies we talked about.  Drive mappings for all departments, drive mappings for each department, corporate wide desktop background, and some printer shares.  It could look something like this.

Basic GPO Layout

So you can see why good OU design is important and some things to think about when setting it up for you domain.  As far as the naming, as I said previously, I prefer naming to be consistent across the board.  I’ll give you two guesses as to what the distribution group and security group names are for each department.  Be very mindful of what you name things in AD.  You want it to make sense to you and be as descriptive as possible without a really long name.   The AD objects have a description field.  Use it to your advantage.  Make your AD self documenting.  You will thank yourself in two years when you run across that random distribution group created for that one thing you don’t remember and the description field is filled in telling your future self why it was created.

Hopefully this article has been helpful to you and given you a good place to start when thinking about how you want to layout the OUs in your AD.

As always, any tips, comments, feedback, or questions are welcome.  Thanks for dropping by and I’ll see you soon.

Thinking about AD OU Design…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s