Designing an OU Structure

Organizational units (OUs) are created within a domain to logically group objects for administrative purposes. More specifically, they are created for applying group policy objects (GPOs) and delegating authority. After an OU hierarchy has been established, GPOs can be applied to the various containers based on the requirements of the organization, and specific users or groups can be assigned the task of administering the objects contained within the OUs.

Creating OUs enables a fine granularity for configuring the user and computer environments. It enables you to limit the scope of an administrator's privileges through delegation and provides a fine granularity of control when assigning administrative rights and permissions to other individuals and groups. The following section looks at how the group policy requirements and delegation of authority affect an OU design.

Designing an OU Structure for the Purpose of Delegating Authority

Delegation is the process of decentralizing network administration by assigning some of the administrative duties to individuals or groups within the business. Individuals or groups can be assigned specific administrative privileges to certain objects within the Active Directory structure without having control over all objects within a domain. For example, assume that OUs are created based on the geographical locations of various branch offices. The local administrator within each office could be granted authority over the appropriate OU, giving that person administrative control over the objects within the container, while at the same time limiting the scope of the administrative permission to a single OU.

Delegation of authority was introduced in Windows 2000 and was a welcome change from Windows NT 4.0, where a user who was given privileges to administer user accounts could administer all user accounts within the domain. In other words, there was no way to limit which user accounts could be administered or what attributes could be changed on a per-user basis.


A strategy for delegation determines the level in the Active Directory structure at which administrative permissions should be assigned: site, domain, or organizational unit. The level at which the permissions are applied will be determined by the scope of the administrative duties. It is most common to delegate authority at the organizational unit level because this level is much easier to manage and provides a finer granularity of control.

Before you begin developing a strategy for delegation, make sure you've determined the answers to the following questions:

  • Who will be assigned administrative privileges?

  • What will they be administering?

  • What will be the scope of their administrative duties?

The OU structure you design should reflect the way administration is currently dispersed throughout the business and depend on how administrative tasks are currently delegated. Here are some questions to keep in mind when you're designing an OU structure for delegation:

  • Is the delegation of administration based on location? Are there individuals in each geographical location who are responsible for performing administrative tasks?

  • Are the administrative tasks divided into different roles, such as user account administration and printer administration?

  • Is the delegation of administrative tasks based on department? Are there individuals or groups within each department who are responsible for performing administrative tasks?

The OU structure should be designed around the way that administrative tasks are currently dispersed. Doing so will allow the organization to continue with its current strategy of distributing administrative authority.

Design Guidelines

When designing an OU hierarchy for delegation, keep the following guidelines in mind:

  • Perform a thorough assessment of the business and its internal IT organization so that their needs are identified.

  • Make sure the model you create allows for flexibility and growth within the business. Growth or reorganization within a business should not have a major effect on the Active Directory structure.

  • The OU hierarchy should reflect the structure of the organization.

  • Whenever possible, delegate authority at the OU level and use inheritance. Doing so makes it much simpler to track permissions.

  • If an individual needs authority over an OU, assign the appropriate administrative permissions. Avoid putting the individual into the Domain Admins group because doing so gives that person privileges throughout the domain. Assign the most restrictive permissions that allow the user (or group) to perform the required tasks. In other words, follow the principle of least privilege.
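The following PowerShell script is an added example, not code from the book, showing what the delegation described above and the guidelines just listed look like in practice: a location-based OU is created, a branch help-desk group (rather than an individual) receives only the Reset Password right on user objects beneath that OU, and the explicit ACEs on every OU are then listed so delegated rights remain trackable. The OU name Branches/Seattle, the group name Seattle-Helpdesk, and the assumption that the ActiveDirectory module is available on a domain-joined host are all assumptions.

```powershell
# Added example (not from the book). Assumed names: Branches, Seattle, Seattle-Helpdesk.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$rootDse  = Get-ADRootDSE

# Resolve the GUIDs from the schema and configuration partitions rather than hardcoding them.
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [guid](Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid).rightsGuid

# Location-based hierarchy: Branches -> Seattle.
New-ADOrganizationalUnit -Name 'Branches' -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Seattle'  -Path "OU=Branches,$domainDN" -ProtectedFromAccidentalDeletion $true
$branchOU = "OU=Seattle,OU=Branches,$domainDN"

# Delegate to a group, not an individual, so membership changes do not require ACL changes.
$group = New-ADGroup -Name 'Seattle-Helpdesk' -GroupScope Global -Path $branchOU -PassThru

# Least privilege: a single extended right (Reset Password), scoped to descendant user
# objects only. Nothing is granted on the OU itself or on non-user objects.
$acl  = Get-Acl -Path "AD:\$branchOU"
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$branchOU" -AclObject $acl

# Audit: list only the explicit (non-inherited) ACEs on each OU. Delegations granted at the
# OU level show up here; anything unexpected is a candidate for review.
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{n='OU'; e={ $ou.DistinguishedName }},
                      IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
}
$report | Format-Table -AutoSize
```

Run the audit portion on its own periodically; an ACE granting GenericAll or WriteDacl to a branch group is the kind of over-broad delegation the guidelines above warn against.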

Each OU is assigned an owner who is responsible for that object and all objects contained within it. The OU owner is responsible for delegating administrative tasks over the object.


Identifying the Group Policy Requirements for the OU Structure

Before you implement a group policy, you should perform an assessment of the organization's needs to determine where in the business the management is required and the level of management that needs to be implemented. Use the following questions as guidelines when assessing the needs of the business:

  • What areas of the client's computing environment need to be controlled?

  • What areas within the business require administration?

  • Do all areas within the business require the same level of management? Are there some areas that require a high level of management and other areas that require minimal management?

Determining the different levels of management required throughout the business is important because those levels affect the creation of lower-level OUs in the Active Directory hierarchy. Because group policies can be linked to different levels within the Active Directory hierarchy, using the preceding questions as guides will also help the design team determine where in the hierarchy the policies should be linked to best serve the needs of the IT organization.
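As an added example (not from the book), the script below links a location-specific GPO at the OU level and then reports, for every OU, which GPOs are linked directly and which are inherited from the domain or parent OUs, so the design team can see where the different levels of management actually take effect. The OU path Branches/Seattle and the GPO name are assumptions, as is the availability of the GroupPolicy and ActiveDirectory modules.

```powershell
# Added example (not from the book). Assumed names: OU=Seattle,OU=Branches and the GPO name below.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$branchOU = "OU=Seattle,OU=Branches,$domainDN"

# A branch that needs a high level of management gets its own GPO, linked at its OU
# rather than at the domain so other areas are not affected.
$gpo = New-GPO -Name 'Seattle-Workstation-Lockdown' -Comment 'Assumed name; added example'
New-GPLink -Name $gpo.DisplayName -Target $branchOU -LinkEnabled Yes -Enforced No

# For each OU, separate policies linked here from those arriving through inheritance.
# InheritedGpoLinks is already in processing order (domain links first, closest OU last).
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $inh = Get-GPInheritance -Target $ou.DistinguishedName
    [pscustomobject]@{
        OU        = $ou.DistinguishedName
        Blocked   = $inh.GpoInheritanceBlocked
        Direct    = ($inh.GpoLinks          | ForEach-Object { $_.DisplayName }) -join '; '
        Effective = ($inh.InheritedGpoLinks | ForEach-Object { "$($_.Order):$($_.DisplayName)" }) -join '; '
    }
}
$report | Sort-Object OU | Format-Table -AutoSize -Wrap
```

OUs whose Effective column is identical to their parent's are candidates for removal from the design, since they add a level without changing the management applied.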



MCSE Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Exam Cram 2 (Exam Cram 70-297)
ISBN: 0789730154
Year: 2003
Pages: 152