Active Directory Design Preferences
RTmarc
First, this is not a technical question. A colleague and I were having a discussion on our own preferences for AD OU/GPO design and I started wondering what other people do for design. Personally, I'm a by-the-org-chart guy.
What say ye brethren from TE?
Comments
Hyper-Me
If it's a spread out organization with tons of sites I prefer geographical.
Obviously if it's a single site or two, I'll generally go by Department/org chart and almost always use geographical information in my naming conventions.
RobertKaucher
I mostly work with small businesses so the org chart only adds a layer of complication to the overall design. My considerations are strictly done by the need to create GPOs. My current spot has a domainname_user OU and then a few other OUs for computer/user accounts that have GPO restrictions on them, one for AD security groups, etc. With only 80 users I don't need anything else.
astorrs
I'm of the "unless you can prove you need to delegate permissions or apply a GPO to that specific OU, I'm denying your request to create it" crowd.
aka KISS
I also take the stance that if you want to group AD objects together for some other reason, or just so you feel better - use "a group".
I've worked in large environments that took those other approaches (e.g., 6,822 OUs in one domain).
blargoe
I only create OUs for security boundaries primarily. I also never use the built-in OUs unless an application requires it (but I don't move the built-in accounts that come with AD).
Regardless of the size of the AD, this is what I typically do:
1 top level OU for Employee Accounts. Inside of this OU, I might further subdivide based on org chart, location, etc. if need be. I can then apply User/Computer GPOs to all employee users/computers globally without affecting other objects.
1 top level OU for Server computer accounts
1 top level OU for service accounts
1 top level OU for exchange objects such as External contacts, distribution groups, generic shared mailboxes, and room mailboxes
1 top level OU for Groups (further subdivided into type of group usually, since some of the groups wouldn't be appropriate for helpdesk to modify)
1 top level OU to hold the security groups for these OUs (this would be locked down to Domain Admins)
Once the OUs are created, I create groups to which to delegate access to each of the top-level OU objects. I'd have a group for managing Employee accounts and put my helpdesk in there. The Servers OU and Service Accounts OU would be managed by sysadmins usually. Mail Objects by the Exchange team.... and so on. All of the security groups that are used for the ACL on the OU objects are in the locked down Admin OU.
Edit: I also never, ever use the built-in security groups, other than Administrators. Certainly not Account Operators. Almost everyone should have more granularity with their security than that group provides.
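The layout and delegation blargoe describes, written out as an added PowerShell example that is not from the thread: it creates the six top-level OUs, puts the delegation groups in the Admin OU, and delegates user-object management in the Employees OU to one group. It assumes the ActiveDirectory module, a session running as Domain Admin, and OU and group names that are my own; restricting the Admin OU's ACL beyond the defaults is not shown.

```powershell
# Added example (not from the thread): blargoe's six-OU layout plus one delegation.
# Assumes the ActiveDirectory module and a Domain Admin session; OU/group names are mine.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example (placeholder)
$ous = 'Employees','Servers','ServiceAccounts','MailObjects','Groups','Admin'

foreach ($ou in $ous) {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN -SearchScope OneLevel
    if (-not $exists) {
        # ProtectedFromAccidentalDeletion stops a stray delete from removing the subtree.
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Delegation groups live in the Admin OU, the one blargoe reserves for Domain Admins.
$adminOU = "OU=Admin,$domainDN"
$delegationGroups = 'OU-Employees-Admins','OU-Servers-Admins','OU-ServiceAccounts-Admins',
                    'OU-MailObjects-Admins','OU-Groups-Admins'
foreach ($g in $delegationGroups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $adminOU)) {
        New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $adminOU
    }
}

# Look up the schemaIDGUID of the "user" class so the ACEs apply to user objects only,
# which is what keeps this narrower than the built-in Account Operators group.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'user'" -Properties schemaIDGUID
$userGuid = [guid]$userClass.schemaIDGUID

# Grant the Employees delegation group (a) create/delete of user objects in the OU tree
# and (b) full control over the user objects beneath it. Nothing outside the OU changes.
$sid  = (Get-ADGroup 'OU-Employees-Admins').SID
$path = "AD:\OU=Employees,$domainDN"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'CreateChild, DeleteChild', 'Allow', $userGuid, 'All')))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'GenericAll', 'Allow', 'Descendents', $userGuid)))
Set-Acl -Path $path -AclObject $acl

# Show the resulting explicit ACEs so the delegation can be reviewed before adding helpdesk members.
(Get-Acl -Path $path).Access | Where-Object { -not $_.IsInherited -and $_.IdentityReference -like '*OU-Employees-Admins' }
```

Adding the helpdesk to OU-Employees-Admins afterwards gives them only what these two ACEs allow, with the Admin OU and the other top-level OUs untouched.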
rsutton
All of the work I do is for companies in the 25-200 user range so I generally don't have a need for more than a users/computers/DCs & test OU.