Planning Organizational Unit Design

The OU structure that is designed should reflect the administrative needs of the business ”the structure is irrelevant to the regular users in the business. The OU structure is created for the purpose of administration, and the design should allow administrators to easily delegate control over groups of objects to the appropriate user or group. The OU hierarchy should also allow for the linking of Group Policies. The following topics are covered in this section:

• Starting with administrative requirements

• Tailoring for group policy application

Starting with Administrative Requirements

When you are creating an OU structure, be sure it meets the needs of administration (this cannot be emphasized enough). The structure you design should be based on the administrative model the business implements. In Chapter 5, you learned that the administrative model defines who is responsible for administration of the users and network resources in a business. Therefore, the structure designed should allow the business to continue to delegate authority and distribute administrative tasks in a way that meets its needs.

When designing the OU structure, keep in mind that the upper layers of the hierarchy will be based on the model for administration. If the design team determines that a model for administration based on geographical location is necessary, the upper layers of the OU hierarchy will reflect this model.

Chapter 5 discussed some of the models for administration that can be implemented. Be sure to base the structure of the upper layers of the OU hierarchy on something that will remain static (geographic location as opposed to department or business unit). This helps to avoid a reorganization of the Active Directory hierarchy in the future.

If the design team were to determine that a model for administration based on location is best suited for the XYZ Corporation, the OU structure might be similar to the diagram shown in Figure 7.4. One domain could be created for the entire business, and upper-level OUs could be created based on location. When planning domains, it is always best to use the single-domain model. Chapter 8, "Designing a Domain Tree," discusses implementing a multiple-domain model.

This type of OU structure would be ideal for the XYZ Corporation if users or groups in each location were assigned administrative authority over objects in their respective locations.

The lower levels in the OU hierarchy should be created with specific administrative tasks in mind; in other words, determine which types of objects users and groups will be responsible for administering. You must also decide how these objects can be grouped to allow for this administration. For example, if a group is to be responsible for printer administration in its location, an OU could be created for printer objects and delegation of authority assigned to the group. By nesting OUs in one another, you can create an OU structure that meets the specific administrative requirements of the business.

Although nesting of OUs is a good practice, it can become difficult to administer and troubleshoot if the hierarchy is too deep.

After you've determined that the administrative requirements have been met by the OU structure, you need to determine how it will be affected by the application of Group Policies.

Tailoring for Group Policy

Group Policy is used to administer the computing environment of users and computers in a business, as was discussed in Chapter 6, "Designing Active Directory for Group Policy." Group Policy objects can be linked to different levels in the Active Directory hierarchy, and the level at which an object is linked determines the scope of the policy. Group Policies are most commonly linked to the OU level because this provides administrators with the most control over the computing environment and enables delegation of authority to users and groups, thus eliminating the need to give them administrative privileges at the domain level.

The lower levels of the OU hierarchy should allow administrators to apply specific Group Policies to the necessary objects. For example, if a Group Policy needs to be applied to a group of specific users, a lower-level OU could be created for this group and linked to the appropriate Group Policy.

Using the XYZ Corporation as an example, if a Group Policy needs to be applied to its users in the Paris location without affecting its clients , an OU structure similar to the one shown in Figure 7.5 could be created.

GPOs are applied from the top level down, and if the OU structure is too deep with GPOs at different levels, poor network performance can result. However, it is the number of GPOs, not the OU depth, that affects logon times.