OU Structures

ElwoodBlues Member Posts: 117
I've got most of the concepts down except for the OU structures. I understand that you create OUs based on administrative separation. However, I still do not think that I have a good feel for the proper design from the exam questions. I recall not making heads or tails of the graphs/structures I was presented.

Can anyone give me some pointers as to what I should be focusing on to determine the proper placement?

Thanks

Comments

  • dynamik Banned Posts: 12,312
    The proper placement/design really depends upon the organization and business requirements. OUs can be created for any, or a combination of, the following criteria: geography, politics, security, departments, resource type, special needs, administration, etc.

    This probably goes without saying, but you should always go with the simplest design that meets your requirements. If all else is equal, I'd look at something like IT administration as the deciding factor (or anything else that jumps out at you from the requirements).

    For example, what's the difference between top-level OUs of NA, EU, and Asia that each have child OUs of Business, Sales, and Marketing and top-level OUs of Business, Sales, and Marketing that have child OUs of NA, EU, and Asia?

    Not much at first glance; that's why you'd need to look at other requirements and determine what would be the best fit. If each geographic area has IT staff that administers their own resources, the first design makes sense. If administration is divided based on department, then the latter would probably be the best choice.

    There's not necessarily always going to be a right or wrong answer as multiple designs could still be functional. Your task is going to be to pick the most appropriate based on the organization's needs.
  • astorrs Member Posts: 3,139
    dynamik wrote: »
    This probably goes without saying...
    You'd think that, right? But no, it needs to be said again and again. :)

    I always tell people to ask themselves "do I need to delegate permissions or link a GPO to this OU?" and if the answer is no - get rid of it.

    Windows Server 2008 with Group Policy Preferences makes it even easier, since you can shrink the number of GPOs in the environment and use security groups or O/S filters, etc. to control which items in the GPP are actually applied to a user/computer. Most of the time for me with 2008, unless I'm delegating permissions, the number of OUs is very minimal.
  • ElwoodBlues Member Posts: 117
    astorrs wrote: »
    You'd think that right? But no it needs to be said again and again. :)

    I always tell people to ask themselves "do I need to delegate permissions or link a GPO to this OU?" and if the answer is no - get rid of it.

    I do know to choose the simplest design. Additionally, the permissions/GPO link is a good "rule of thumb" as well. However, it still puzzles me on what they are looking for in certain "graphs". Or perhaps I read the questions incorrectly.
  • Agent6376 Member Posts: 201
    One tip I can give is to try your best to completely rule out No Override settings/Block Policy Inheritance in the structure of your OUs. There are many questions that I've gotten wrong because I thought "Well if I just select 'No Override' then this will all fit in place."

    If you've done the Transcenders you'll see in the notes that they try to dissuade you from enabling these options because it makes administration more complex.

    Try to find a structure that will allow delegation down the hierarchy with ease and remember that if a certain group of users are responsible for all computer or user accounts in a domain, you don't need to create an OU for them.

    Example:
    You have 3 departments: Sales/Marketing/IT
    Each department has their own local IT in charge of account management.
    You have a group of admins at corporate who can manage all accounts in the entire domain.

    Instead of having:

    Domain
      All Domain Users
        Sales   Marketing   IT

    You can have:

    Domain
      Sales   Marketing   IT

    Since you can delegate account management to the whole domain.

    I hope this helps!
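
The "delegate permissions or link a GPO" test and the flattening example from the posts above, applied to an OU inventory. This is an added example, not code from any poster; the domain, OU, group and GPO names, the record layout and the helper functions are hypothetical, and the data is constructed.

```powershell
# Constructed inventory (not from the thread), one record per OU:
#   GpoLinks         GPOs linked directly to the OU
#   Delegated        groups holding explicit (non-inherited) rights on the OU
#   BlockInheritance whether Block Policy Inheritance is set on the OU
# Corporate admins are delegated at the domain root, so no OU lists them.
function New-OuRecord {
    param([string]$DN, [string[]]$GpoLinks = @(), [string[]]$Delegated = @(),
          [bool]$BlockInheritance = $false)
    [pscustomobject]@{ DN = $DN; GpoLinks = $GpoLinks; Delegated = $Delegated
                       BlockInheritance = $BlockInheritance }
}
$root = 'DC=corp,DC=example'   # hypothetical domain
$inventory = @(
    New-OuRecord "OU=All Domain Users,$root"
    New-OuRecord "OU=Sales,OU=All Domain Users,$root"     -Delegated 'Sales-IT'
    New-OuRecord "OU=Marketing,OU=All Domain Users,$root" -Delegated 'Marketing-IT'
    New-OuRecord "OU=IT,OU=All Domain Users,$root"        -Delegated 'IT-Admins'
    New-OuRecord "OU=Kiosks,OU=Sales,OU=All Domain Users,$root" -GpoLinks 'Kiosk-Lockdown' -BlockInheritance $true
)

function Test-OuNeeded {
    param($Ou)
    # Keep an OU only if a GPO is linked to it or rights are delegated on it.
    ($Ou.GpoLinks.Count -gt 0) -or ($Ou.Delegated.Count -gt 0)
}

function Get-OuReview {
    param([object[]]$Inventory)
    $byDn = @{}
    foreach ($ou in $Inventory) { $byDn[$ou.DN] = $ou }
    foreach ($ou in $Inventory) {
        $needed = Test-OuNeeded $ou
        # Parent DN = DN minus its first component (assumes no escaped commas).
        $parent = $ou.DN -replace '^[^,]+,', ''
        # Skip ancestors that fail the test, so kept OUs move up past them.
        while ($byDn.ContainsKey($parent) -and -not (Test-OuNeeded $byDn[$parent])) {
            $parent = $parent -replace '^[^,]+,', ''
        }
        [pscustomobject]@{
            OU             = $ou.DN
            Action         = if ($needed) { 'keep' } else { 'remove' }
            ProposedParent = if ($needed) { $parent } else { $null }  # current DN of that parent
            Warning        = if ($ou.BlockInheritance) { 'Block Policy Inheritance set' } else { '' }
        }
    }
}

Get-OuReview -Inventory $inventory | Format-List
```
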
  • genXrcist Member Posts: 531
    What a great thread! Thanks for posting this Elwood and thanks to everyone for the great answers. This clarified what I thought I already had understood. :)
    1) CCNP Goal: by August 2012