OU Structure

[Guest]

Hello,

I got a discussion with a consultant who was hired to deploy a new corporate
domain(Win2003) structure.

We have right now a domain running on Windows 2000 (Active Directory 2000),
I created a logical OU structure in the domain controller according all the
departments we have in the network. For instance sales,customer service, IT ,
marketing, Facilities, so on. With this structure I have all the users and
objects organized by OU, then if we need to apply GPO or customized security
polices we apply it by department (OU) wihout affect others OU (Departments).

However in the other hand, the consultant told us we have not to use this
"OU structure" , because it decrease login time at client level. ???
Not sure about his comment. Because I have seen how end users loggin on
their different departments without the behaviour that he argumented.

Now, we have a Win2003 domain , without the "OU Structure" that we have in
the win2000 domain, I have not found yet the difference he mentioned. Besides
to keep all users just into one OU looks to be more complex to apply GPO and
other policies.

Thanks comments

 

[Dean Wells [MVP]]

Answered on mailing list, pasted below -

The OU structure and depth does not directly influence logon time (AD
hierarchy is in fact something of a simulation). Hierarchy can
influence login performance only when nested sufficiently deeply and
with a large number of linked GPOs at each or most of the superior OUs,
a choice made by admins., not a default.

 

[Jmnts]

Hi

You should design OUs for simplicity. However, it is likely that your
domains will require a number of OUs to meet administrative requirements.
The best practice is to begin with one OU and then add only those OUs that
you can justify. Although you can have many levels of nested OUs, keep the
number of levels to a minimum (fewer than seven) to avoid administrative and
performance problems.

You can find a wide variety of advice on how many levels down an OU
structure is acceptable. Three to seven levels are probably the most common
recommendations.

However, some suggest that ten levels is still acceptable. The way in which
you choose to configure and use the OU structure is probably of more concern
than the actual number of levels. For example, a five-level nested OU
structure with different group policies applied at each level would actually
be more cumbersome than a seven-level OU hierarchy with fewer group policies
applied.

Logon and startup times increase when the system has more group policies to
evaluate.

Further, if you set different permissions on each OU in the hierarchy,
troubleshooting could be considerably more difficult than if you had a
structure with uniform (inherited) permissions applied. The point to keep in
mind is to organize the OU structure to minimize the number of changes in
permissions and to reduce the number of GPOs processed.


--
Best Regards
Systems Administrator
MCSA + Exchange

Answered on mailing list, pasted below -

The OU structure and depth does not directly influence logon time (AD
hierarchy is in fact something of a simulation). Hierarchy can influence
login performance only when nested sufficiently deeply and with a large
number of linked GPOs at each or most of the superior OUs, a choice made
by admins., not a default.
--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Hello,

I got a discussion with a consultant who was hired to deploy a new
corporate domain(Win2003) structure.

We have right now a domain running on Windows 2000 (Active Directory
2000), I created a logical OU structure in the domain controller
according all the departments we have in the network. For instance
sales,customer service, IT , marketing, Facilities, so on. With this
structure I have all the users and objects organized by OU, then if
we need to apply GPO or customized security polices we apply it by
department (OU) wihout affect others OU (Departments).

However in the other hand, the consultant told us we have not to use
this "OU structure" , because it decrease login time at client level.
???
Not sure about his comment. Because I have seen how end users loggin
on their different departments without the behaviour that he
argumented.

Now, we have a Win2003 domain , without the "OU Structure" that we
have in the win2000 domain, I have not found yet the difference he
mentioned. Besides to keep all users just into one OU looks to be
more complex to apply GPO and other policies.

Thanks comments

 

[Herb Martin]

Hello,

I got a discussion with a consultant who was hired to deploy a new
corporate
domain(Win2003) structure.

We have right now a domain running on Windows 2000 (Active Directory
2000),
I created a logical OU structure in the domain controller according all
the
departments we have in the network. For instance sales,customer service,
IT ,
marketing, Facilities, so on. With this structure I have all the users and
objects organized by OU, then if we need to apply GPO or customized
security
polices we apply it by department (OU) wihout affect others OU
(Departments).

That (GPO assignment) is one of the two main criterias for
deciding to create OUs.

The other is "delegation". Generally, business departments are LIKELY
to be good choices for OUs since you are likely to both assign GPOs or
delegate to (department level) administrators for those areas.

However in the other hand, the consultant told us we have not to use this
"OU structure" , because it decrease login time at client level. ???

No. That is untrue. Ask your consultant for evidence.

Be aware that a DEEP OU structure might APPEAR to be
slow to a naive investigation due to a LARGE STACK of
GPOs being applied.

Excessive GPOs (or too many software installs, especially
unsuccessful one which get repeated partially at each logon,
in the GPOs can make logons or startups slower, but not
directly due to the OU.

As to PEER or SIBLING level OU you don't even pay a
GPO penalty since the GPOs are only applied in the hierarchical
case. (Parent then child etc.)

Not sure about his comment. Because I have seen how end users loggin on
their different departments without the behaviour that he argumented.

Ask for proof or references. (On the problem and perhaps the

Now, we have a Win2003 domain , without the "OU Structure" that we have in
the win2000 domain, I have not found yet the difference he mentioned.
Besides
to keep all users just into one OU looks to be more complex to apply GPO
and
other policies.

If you do develop a problem it will due to something else
anyway.

 

[Herb Martin]

However, some suggest that ten levels is still acceptable. The way in

which you choose to configure and use the OU structure is probably of more
concern than the actual number of levels. For example, a five-level nested
OU structure with different group policies applied at each level would
actually be more cumbersome than a seven-level OU hierarchy with fewer
group policies applied.

Levels are certainly more imporatant than NUMBER of OUs,
but the key is likely number of GPOs and their load performanc,
which is only indirectly related to OU depth.

(If someone puts a GPO or several at ever level you will reach
poor performance situations faster, but the real villain is
the LARGE STACK of GPOs.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

Hi

You should design OUs for simplicity. However, it is likely that your
domains will require a number of OUs to meet administrative requirements.
The best practice is to begin with one OU and then add only those OUs that
you can justify. Although you can have many levels of nested OUs, keep the
number of levels to a minimum (fewer than seven) to avoid administrative
and performance problems.

You can find a wide variety of advice on how many levels down an OU
structure is acceptable. Three to seven levels are probably the most
common recommendations.

Logon and startup times increase when the system has more group policies
to evaluate.

Further, if you set different permissions on each OU in the hierarchy,
troubleshooting could be considerably more difficult than if you had a
structure with uniform (inherited) permissions applied. The point to keep
in mind is to organize the OU structure to minimize the number of changes
in permissions and to reduce the number of GPOs processed.


--
Best Regards
Systems Administrator
MCSA + Exchange

Answered on mailing list, pasted below -

The OU structure and depth does not directly influence logon time (AD
hierarchy is in fact something of a simulation). Hierarchy can influence
login performance only when nested sufficiently deeply and with a large
number of linked GPOs at each or most of the superior OUs, a choice made
by admins., not a default.
--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Hello,

I got a discussion with a consultant who was hired to deploy a new
corporate domain(Win2003) structure.

We have right now a domain running on Windows 2000 (Active Directory
2000), I created a logical OU structure in the domain controller
according all the departments we have in the network. For instance
sales,customer service, IT , marketing, Facilities, so on. With this
structure I have all the users and objects organized by OU, then if
we need to apply GPO or customized security polices we apply it by
department (OU) wihout affect others OU (Departments).

However in the other hand, the consultant told us we have not to use
this "OU structure" , because it decrease login time at client level.
???
Not sure about his comment. Because I have seen how end users loggin
on their different departments without the behaviour that he
argumented.

Now, we have a Win2003 domain , without the "OU Structure" that we
have in the win2000 domain, I have not found yet the difference he
mentioned. Besides to keep all users just into one OU looks to be
more complex to apply GPO and other policies.

Thanks comments

 

[Joe Richards [MVP]]

As Dean mentioned, depth of levels does not impact performance so

to a minimum (fewer than seven) to avoid administrative and
performance problems.

should be stated more like "because I think that is better" because it certainly
isn't a perf issue. It only becomes an issue if you link GPOs at every level
that have to then be chased and handled.

I really have no problem with levels of nesting of OUs. Do what makes sense for
your management and organization whether that be two levels or 20. I think
someone would be hard pressed to find good reasons for 20 levels but I certainly
wouldn't say outright don't do it unless I heard the specific reasons and they
were stupid.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Dave Shaw [MVP]]

To add to Dean's response ...

Adverse performance due to OU structure is overstated in most cases. In
small to medium sized environments the effect of having a complex OU
structure is usually negligible. However, how GPOs are linked to OUs *does*
have a significant impact on logon performance - depending upon what the GPO
is attempting to process, where it is attempting to process it from, and how
many GPOs are being processed ...


-ds

Answered on mailing list, pasted below -

The OU structure and depth does not directly influence logon time (AD
hierarchy is in fact something of a simulation). Hierarchy can influence
login performance only when nested sufficiently deeply and with a large
number of linked GPOs at each or most of the superior OUs, a choice made
by admins., not a default.
--
Dean Wells [MVP / Directory Services]
MSEtechnology
[[ Please respond to the Newsgroup only regarding posts ]]
R e m o v e t h e m a s k t o s e n d e m a i l

Hello,

I got a discussion with a consultant who was hired to deploy a new
corporate domain(Win2003) structure.

We have right now a domain running on Windows 2000 (Active Directory
2000), I created a logical OU structure in the domain controller
according all the departments we have in the network. For instance
sales,customer service, IT , marketing, Facilities, so on. With this
structure I have all the users and objects organized by OU, then if
we need to apply GPO or customized security polices we apply it by
department (OU) wihout affect others OU (Departments).

However in the other hand, the consultant told us we have not to use
this "OU structure" , because it decrease login time at client level.
???
Not sure about his comment. Because I have seen how end users loggin
on their different departments without the behaviour that he
argumented.

Now, we have a Win2003 domain , without the "OU Structure" that we
have in the win2000 domain, I have not found yet the difference he
mentioned. Besides to keep all users just into one OU looks to be
more complex to apply GPO and other policies.

Thanks comments