Summary

Although the design basis for OUs should be the administrative structure of the organization, Group Policy will also play a part in the final design. Additional OUs may need to be created so that the appropriate settings and restrictions can be enforced automatically within the Active Directory structure, while alleviating some of the administrative requirements imposed upon the staff who maintain user and computer accounts.

Understanding what settings need to be applied based on an organization s objectives is key to a well-designed OU structure for a Group Policy application. You should identify the security requirements, software installation needs, and user restrictions that are to go into effect. The design should take on the simplest approach possible. Make sure to condense settings into as few GPOs as possible while following the corporate standards and identifying the requirements of each job function and the responsibilities of those functions.

Using the natural inheritance will make the GPO structure easy to maintain. Those users who are allowed to maintain GPOs should be trained on how to effectively manage GPOs using this inheritance. They should also be trained on how the company maintains the GPOs and what is required before a change can be made to the GPO structure.

In the next chapter, we are going to delve into the naming requirements for accounts in Active Directory as well as how to control the resources to which those accounts have access. We will use the information we have learned up to this point to design an account strategy. This strategy will make sense for all who need to provide administrative control over objects within Active Directory and the network resources that the objects represent.