Planning an OU structure

MARBET

I am currently planning my W2K AD OU structure and was wondering if my
users and computer accounts need to be in the same OU container or
could I have an OU called "sales" and 2 sub-OU containers called
"users" and "computers" in the "sales" OU?
Please let me know what would be the best way to proceed.

Thanks.
 
Cary Shultz [A.D. MVP]

Marbet,

Without much more information it is very difficult to advise you as to the
'best way' to proceed. This is often very different in each organization.

OUs are used to facilitate the management of your environment ( mainly your
users and computers as well as Group Policies ). OUs can also be used in
lieu of creating child domains. But again, that all goes back to managing
your environment.

Are you going to use Group Policy for anything? If yes, for what?

I typically create an OU called 'Departments' and then create sub-OUs for
'Accounting', 'Marketing', 'Finance', etc. I then create another OU called
PCs ( at the same level as 'Departments' ) and create two sub-OUs: one
called 'WIN2K' and one called 'WINXP'. If there are any WINNT 4
workstations then I would create a 'WINNT' sub-OU. However, the reason that
I do this is due to the way I use GPOs. I like to use GPO to install Office
2000 and Office XP. Granted, this is very limited but I am using this as
the example here. There are many other things that I like to do. I also
like to make use of the .mst transform files so that different departments
get different office apps. Marketing, for example, gets PowerPoint along
with Word, Excel and Outlook whereas Finance gets Access along with Word,
Excel and Outlook. I create a standard Office 2000 GPO including Word,
Excel and Outlook. This is linked to the 'Departments' OU. I then create
two other GPOs - one for Marketing and one for Finance and link those
specifically to the proper OU.

Naturally, this does not 'fit' each and every organization. For some it is
more based on geography! We have a client that has four locations. Thus, I
have created an OU structure based on the geographic location. So, I have
an OU called 'Offices'. Inside this I have created a 'Roanoke', a
'Blacksburg', a 'Richmond' and a 'Raleigh' sub-OU. Most of the stuff is
linked to the 'Offices' OU so that it applies to everyone. However, if
there is something specific to Roanoke then I create a GPO and link it only
to the Roanoke sub-OU. Naturally, all of the user accounts are in the
appropriate OU. So, if you are Mary Smith and you work in Roanoke then your
user account is in the Roanoke sub-OU. If you are Tom Jackson and you work
in Richmond then your user account is in the Richmond sub-OU.

Just a little aside - you may have heard about security groups and GPOs.
You do not apply GPOs to security groups. What you do is create a GPO, link
it to an OU and then use security groups to filter that GPO. An example.
Say that you have an OU called 'Executives'. Let's say that you create
some GPO that is to be applied to 'Executives'. Furthermore, there are only
some 35 user accounts in the 'Executives' OU. Here comes a stipulation:
everyone except Bob, Mary and Charlie are to be affected by this specific
GPO. Those Top 3 executives should not be bothered with this. Let's say
that you have several other GPOs already in place and rearranging your OU
structure is not an option. Simply create a security group, make those 32
user accounts a member - that would be all of the executives EXCEPT Bob,
Mary and Charlie and use this security group as the filter. Simply delete
the 'Authenticated Users' group in the Security Tab and replace it with this
security group. Add 'Read' and 'Apply Group Policy' rights and there you
go....

Does this help you?

If you provide some additional information we will be more than glad to give
you our ideas and thoughts.

Cary
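
The security-filtering procedure from the post above, as an added PowerShell example that is not part of the original thread. It assumes a host with the ActiveDirectory and GroupPolicy modules (newer than the W2K tools discussed here); the domain, GPO name, group name and account names are hypothetical. Unlike the post, it leaves 'Authenticated Users' on the GPO with Read only instead of deleting it, because currently patched Windows clients fetch user policy in the computer's security context and the computer account must still be able to read the GPO.

```powershell
# Added example: security-filter a GPO linked to the 'Executives' OU.
# Hypothetical names: example.com, 'Executives Lockdown',
# 'GPO-Executives-Apply', and the sAMAccountNames bob, mary, charlie.
Import-Module ActiveDirectory, GroupPolicy

$ouDn    = 'OU=Executives,DC=example,DC=com'
$gpoName = 'Executives Lockdown'
$group   = 'GPO-Executives-Apply'
$exempt  = 'bob', 'mary', 'charlie'

# 1. Create the GPO and link it to the OU if it does not exist yet.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ouDn | Out-Null
}

# 2. Create the filter group and add every user in the OU
#    except the exempt accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global `
        -GroupCategory Security -Path $ouDn
}
$members = Get-ADUser -Filter * -SearchBase $ouDn |
    Where-Object { $exempt -notcontains $_.SamAccountName }
if ($members) {
    Add-ADGroupMember -Identity $group -Members $members
}

# 3. Grant the filter group Read + Apply Group Policy.
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Reduce 'Authenticated Users' from Apply to Read only.
#    -Replace is required to lower an existing permission level.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 5. Review the resulting ACL: only the filter group should show GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Group membership is evaluated at logon, so the filter takes effect for a user at their next logon. Step 5 is the check to repeat whenever the GPO's delegation is edited, since a stray Apply entry for a broad group silently defeats the filter.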
 
Jody Flett [MSFT]

It is difficult to know what will be best for your company without more
details but when planning an OU structure it is generally recommended for
your OUs to follow an administrative structure rather than follow the
company's departmental structure. (i.e. use of GPOs, administrative
geography, how rights are going to be delegated etc.)

This will make for a much less complex OU design and also make
troubleshooting and finding things much easier.

You can certainly have your computers and users in separate OUs. An example
structure may look like this:

- Domain
    - Computers
        - Standard Desktop
        - Finance Computers
        - Sales Computers
    - Users
        - Standard Users
        - Finance Users
        - Sales Users

A structure like this is based upon the need for different policies for
different computers/users or the need for the delegation of an OU to someone
else, rather than just splitting them because they are in different
departments eg. You have a standard policy which is applied to everyone and
then the finance department may have more restrictions on their machines,
and sales may have some different applications that need to be pushed to the
machines over and above the policies that are defined in the Standard
Desktop Policy. Also it is separating the computer policies from the users
policies - so for troubleshooting you know where to look if you are having
trouble with a particular User Setting or Computer Setting.

HTH

Jody
 
Cary Shultz [A.D. MVP]

Jody,

Thank you for clarifying this. I have always worked in a rather small
environment ( usually in the 35-50 user size ) and have never run into a
problem doing it the way that I posted but....

While at first glance it may appear that the way that you have suggested is
very similar to the way I currently do things it is indeed very different.
You are absolutely correct that it does make for a less complex OU design
and is more driven by the needs rather than by the Organizational structure.

Cary
 
Enkidu

> I am currently planning my W2K AD OU Structure and was wondering if my
> users and computer accounts need to be in the same OU container or
> could I have a OU called "sales" and 2 sub OU containers called
> "users" and "computers" in the "sales" ou?
> PLease let me know what would be the best way to proceed.

Jody and Carl have given you some good pointers. I'd just like to add
the obvious point that the simpler the structure the better.

If you have just a few users and a simple Domain structure, it's
probably not worth building an OU structure more than one level deep.
eg I've a small structure and only added two OUs, one for each
location.

Cheers,

Cliff
 
