Active Directory Design Preferences

RTmarc (Member, Posts: 1,082)
First, this is not a technical question. A colleague and I were having a discussion on our own preferences for AD OU/GPO design and I started wondering what other people do for design. Personally, I'm a by-the-org-chart guy.

What say ye brethren from TE?

Comments

  • Hyper-Me (Banned, Posts: 2,059)
    If it's a spread-out organization with tons of sites, I prefer geographical.

    Obviously, if it's a single site or two, I'll generally go by department/org chart, and I almost always use geographical information in my naming conventions.
  • RobertKaucher (Member, Posts: 4,299)
    I mostly work with small businesses so the org chart only adds a layer of complication to the overall design. My considerations are strictly done by the need to create GPOs. My current spot has a domainname_user OU and then a few other OUs for computer/user accounts that have GPO restrictions on them, one for AD security groups, etc. With only 80 users I don't need anything else.
  • astorrs (Member, Posts: 3,139)
    I'm of the "unless you can prove you need to delegate permissions or apply a GPO to that specific OU, I'm denying your request to create it" crowd.

    aka KISS

    I also take the stance that if you want to group AD objects together for some other reason, or just so you feel better - use "a group".

    I've worked in large environments that took those other approaches (e.g., 6,822 OUs in one domain).
  • blargoe (Member, Posts: 4,174)
    I only create OUs for security boundaries, primarily. I also never use the built-in OUs unless an application requires it (but I don't move the built-in accounts that come with AD).

    Regardless of the size of the AD, this is what I typically do:

    1 top-level OU for Employee Accounts. Inside this OU, I might further subdivide based on org chart, location, etc. if need be. I can then apply User/Computer GPOs to all employee users/computers globally without affecting other objects.
    1 top-level OU for Server computer accounts
    1 top-level OU for service accounts
    1 top-level OU for Exchange objects such as external contacts, distribution groups, generic shared mailboxes, and room mailboxes
    1 top-level OU for Groups (further subdivided by type of group usually, since some of the groups wouldn't be appropriate for helpdesk to modify)
    1 top-level OU to hold the security groups for these OUs (this would be locked down to Domain Admins)

    Once the OU's are created, I create groups to which to delegate access to each of the top-level OU objects. I'd have a group for managing Employee accounts and put my helpdesk in there. The Servers OU and Service Accounts OU would be managed by sysadmins usually. Mail Objects by the Exchange team.... and so on. All of the security groups that are used for the ACL on the OU objects are in the locked down Admin OU.

    Edit: I also never, ever use the built-in security groups, other than Administrators. Certainly not Account Operators. Almost everyone should have more granularity in their security than that group provides.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
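The layout blargoe lays out above (one top-level OU per object type, one delegation group per OU, all delegation groups in an Admin OU with inheritance cut off) can be scripted end to end. The following PowerShell is an added example and is not code from this thread or from any poster; it assumes the ActiveDirectory RSAT module, Domain Admin rights, and a lab domain, and the OU names, group names and the one-object-class-per-OU mapping are hypothetical choices for illustration. Rather than hard-coding the well-known schema GUIDs, it looks up each class's schemaIDGUID from the schema partition, and it grants each group only create/delete plus full control over that one object class instead of Full Control on the OU.

```powershell
# Added example, not code from the thread: builds the OU layout blargoe describes
# and delegates each top-level OU to its own security group kept in a locked-down
# Admin OU. Assumes the ActiveDirectory RSAT module, Domain Admin rights, and a
# lab domain; OU and group names are hypothetical.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName            # e.g. DC=corp,DC=example,DC=com (placeholder)
$SchemaNC = (Get-ADRootDSE).schemaNamingContext

# Top-level OUs from the post, each paired with the group that administers it and
# the single object class that group is allowed to manage there (extend as needed).
$Layout = @(
    @{ OU = 'Employees';       Group = 'Delegate-Employees';       Class = 'user'     }
    @{ OU = 'Servers';         Group = 'Delegate-Servers';         Class = 'computer' }
    @{ OU = 'ServiceAccounts'; Group = 'Delegate-ServiceAccounts'; Class = 'user'     }
    @{ OU = 'MailObjects';     Group = 'Delegate-MailObjects';     Class = 'contact'  }
    @{ OU = 'Groups';          Group = 'Delegate-Groups';          Class = 'group'    }
)

function New-OUIfMissing([string]$Name, [string]$Path) {
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$Path"
}

function New-GroupIfMissing([string]$Name, [string]$Path) {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$Name)" -SearchBase $Path)) {
        # Domain Local is enough: these groups only ever appear in this domain's ACLs
        New-ADGroup -Name $Name -GroupScope DomainLocal -GroupCategory Security -Path $Path | Out-Null
    }
    return Get-ADGroup $Name
}

# Resolve an object class to its schemaIDGUID from the schema partition
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $cls = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$cls.schemaIDGUID
}

# Grant a group create/delete of one object class in an OU subtree plus full control
# over existing objects of that class there, and nothing else on the OU itself.
function Grant-OUDelegation([string]$OuDN, $Group, [string]$ObjectClass) {
    $sid       = $Group.SID
    $classGuid = Get-SchemaClassGuid $ObjectClass
    $acl       = Get-Acl -Path "AD:\$OuDN"

    $createDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $classGuid,                                                    # only this object class
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $manage = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid)                                                    # inherited by this class only

    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($manage)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# 1. The Admin OU that holds the delegation groups. Blocking inheritance keeps
#    delegations granted higher up from flowing in; the OU's explicit default
#    entries (Domain Admins, SYSTEM, ...) remain and should be reviewed with Get-Acl.
$AdminOU  = New-OUIfMissing -Name 'Admin' -Path $DomainDN
$adminAcl = Get-Acl -Path "AD:\$AdminOU"
$adminAcl.SetAccessRuleProtection($true, $false)   # block inheritance, drop inherited ACEs
Set-Acl -Path "AD:\$AdminOU" -AclObject $adminAcl

# 2. The top-level OUs, their delegation groups, and the ACEs tying them together.
foreach ($entry in $Layout) {
    $ouDN  = New-OUIfMissing    -Name $entry.OU    -Path $DomainDN
    $group = New-GroupIfMissing -Name $entry.Group -Path $AdminOU
    Grant-OUDelegation -OuDN $ouDN -Group $group -ObjectClass $entry.Class
}

# 3. Print the explicit (non-inherited) entries on each OU for review.
foreach ($entry in $Layout) {
    "--- OU=$($entry.OU),$DomainDN"
    (Get-Acl -Path "AD:\OU=$($entry.OU),$DomainDN").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType |
        Format-Table -AutoSize
}
```

Helpdesk staff then get membership in Delegate-Employees rather than Account Operators, which is the granularity the post is after: the group can create, delete and edit user objects under OU=Employees and nothing under Servers or ServiceAccounts. The final loop is the check worth keeping around; rerunning it after any change shows whether a stray Full Control entry has crept onto an OU.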
  • rsutton (Member, Posts: 1,029)
    All of the work I do is for companies in the 25-200 user range so I generally don't have a need for more than a users/computers/DCs & test OU.