Understanding the concepts used with Windows Server 2003 design is only part of the battle. Applying those concepts in a best-practice design is the tricky part. You can take heart in the fact that, of all the design elements in Active Directory, OU and group structure is the most flexible and forgiving. You could theoretically revamp your entire OU structure in the middle of the day without affecting users of the network, because OU structure is administrative in function and does not directly affect user operations.

That said, take care that any group policies in place on OUs are moved into place before user or computer accounts are moved. Not taking this into account can lead to the application of unwanted group policies to various computer or user objects, often with adverse effects. Group membership is also readily changeable, although thought should be given to the deletion of security groups that are already in use.

Note: Because each group SID is unique, you must take care not to simply delete and re-create groups as you go. As with user accounts, even if you give a new group the same name as a deleted group and add the same users to it, permissions set on the old group will not be applied to the new group.

With these factors in mind, and after successfully completing your forest and domain design (see Chapters 4, "Active Directory Primer," and 5, "Designing a Windows Server 2003 Active Directory"), it's now time to start designing an OU and group structure.
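Because permissions are bound to the group's SID rather than its name, it is worth checking where a group is referenced before deleting it, and looking for entries left behind by groups that are already gone. The following script is an added example, not part of the original text. It assumes PowerShell 3.0 or later on a domain-joined Windows host, and the group name and folder path are hypothetical placeholders.

```powershell
# Added example: report folder ACL entries that reference a given group's SID
# ("InUse") and entries whose SID no longer resolves to any account
# ("Orphaned", typically left behind by a deleted group or user).
param(
    [string]$GroupName = 'EXAMPLE\Sales-RW',   # hypothetical group name
    [string]$Root      = 'D:\Shares'           # hypothetical folder tree to audit
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]

# ACLs store the SID, not the name, so resolve the name to its SID once.
$account  = New-Object System.Security.Principal.NTAccount($GroupName)
$groupSid = $account.Translate($sidType).Value

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory)

foreach ($folder in $folders) {
    $acl = Get-Acl -LiteralPath $folder.FullName

    # Explicit entries only ($true, $false): an inherited entry is reported
    # once, at the folder where it was actually set.
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid    = $ace.IdentityReference
        $status = $null

        if ($sid.Value -eq $groupSid) {
            $status = 'InUse'
        } else {
            # A SID that cannot be translated back to a name has no account
            # behind it any more; a re-created group gets a different SID.
            try   { [void]$sid.Translate($ntType) }
            catch [System.Security.Principal.IdentityNotMappedException] {
                $status = 'Orphaned'
            }
        }

        if ($status) {
            [pscustomobject]@{
                Status = $status
                Path   = $folder.FullName
                Sid    = $sid.Value
                Type   = $ace.AccessControlType
                Rights = $ace.FileSystemRights
            }
        }
    }
}
```

Every "InUse" row is a permission that would stop applying if the group were deleted, even if a group with the same name and members were created afterward.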