Organizational units (OUs) are created within a domain to logically group objects for administrative purposes. More specifically, they are created for applying group policy objects (GPOs) and delegating authority. After an OU hierarchy has been established, GPOs can be applied to the various containers based on the requirements of the organization, and specific users or groups can be assigned the task of administering the objects contained within the OUs. Creating OUs enables a fine granularity for configuring the user and computer environments. It enables you to limit the scope of an administrator's privileges through delegation and provides a fine granularity of control when assigning administrative rights and permissions to other individuals and groups. The following section looks at how the group policy requirements and delegation of authority affect an OU design.

Designing an OU Structure for the Purpose of Delegating Authority

Delegation is the process of decentralizing network administration by assigning some of the administrative duties to individuals or groups within the business. Individuals or groups can be assigned specific administrative privileges to certain objects within the Active Directory structure without having control over all objects within a domain. For example, assume that OUs are created based on the geographical locations of various branch offices. The local administrator within each office could be granted authority over the appropriate OU, giving that person administrative control over the objects within the container, while at the same time limiting the scope of the administrative permission to a single OU.
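The branch-office delegation described above, as an added example in PowerShell (not from the original text): it creates one OU per office, grants a per-office group full control of that OU only, and lists the resulting explicit ACEs for review. The domain DN, the NetBIOS name CORP, the branch names and the "<branch>-OU-Admins" group naming are assumptions; the script requires the ActiveDirectory module and dsacls.

```powershell
# Added example. Domain, NetBIOS name, branch list and group names are assumptions.
Import-Module ActiveDirectory

$domainDn = 'DC=corp,DC=example'      # assumed domain DN
$netbios  = 'CORP'                    # assumed NetBIOS domain name
$branches = 'Toronto', 'Winnipeg'     # constructed sample branch offices

foreach ($branch in $branches) {
    $ouDn  = "OU=$branch,$domainDn"
    $group = "$branch-OU-Admins"      # hypothetical naming convention

    # One OU per branch office, created only if it does not exist yet.
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
        New-ADOrganizationalUnit -Name $branch -Path $domainDn
    }

    # Delegate to a group rather than to one account, so staff changes need no
    # ACL edits. The group is created in the default Users container, outside
    # the OU it administers, so the delegated rights do not extend to the
    # group's own membership.
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope DomainLocal -GroupCategory Security
    }

    # Grant full control (GA) on this OU and everything beneath it (/I:T).
    # Nothing is granted at the domain level or on sibling OUs.
    dsacls $ouDn /I:T /G "$netbios\${group}:GA" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $ouDn" }

    # Review step: list the explicit (non-inherited) ACEs on the OU so the
    # delegation can be checked against the intended scope.
    (Get-Acl -Path "AD:\$ouDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{n='OU';e={$ouDn}}, IdentityReference,
                      ActiveDirectoryRights, InheritanceType, AccessControlType
}
```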
A strategy for delegation determines the level in the Active Directory structure at which administrative permissions should be assigned: site, domain, or organizational unit. The level at which the permissions are applied will be determined by the scope of the administrative duties. It is most common to delegate authority at the organizational unit level because this level is much easier to manage and provides a finer granularity of control. Before you begin developing a strategy for delegation, make sure you've determined the answers to the following questions:
The OU structure should reflect the way administration is currently dispersed throughout the business, and it depends on how the administrative tasks are currently delegated. Here are some questions to keep in mind when you're designing an OU structure for delegation:
The OU structure should be designed around the way that administrative tasks are currently dispersed. Doing so will allow the organization to continue with its current strategy of distributing administrative authority.

Design Guidelines

When designing an OU hierarchy for delegation, keep the following guidelines in mind:
Identifying the Group Policy Requirements for the OU Structure

Before you implement a group policy, you should perform an assessment of the organization's needs to determine where in the business the management is required and the level of management that needs to be implemented. Use the following questions as guidelines when assessing the needs of the business:
Determining the different levels of management required throughout the business is important because they will have an effect on the creation of lower-level OUs in the Active Directory hierarchy. Because group policies can be linked to different levels within the Active Directory hierarchy, using the preceding questions as guides will also help the design team determine where in the hierarchy the policies should be linked to best serve the needs of the IT organization.