Direct Inward Dialing: +1 408 916 9892
Since OUs play a vital role in deploying organization-wide policies and settings, they require careful planning and design for flexibleadministration. Here are five AD OU best practices that you should follow to simplify and secure your AD administration.
A poorly planned OU structure can lead to confusion over where to place newly created objects in your directory tree. Microsoft suggests that you ensure simplicity and adaptability while planning your OU design. So, prepare a layout of your Active Directory OU structure keeping Group Policy Object (GPO) linkage and delegation in mind to avoid creating OUs at will in the long run.
Administration of AD objects becomes easier when the OUs mirror your organization's structure. Different OU models serve their own purposes. For example:
Choose an OU model that best fits your administrative needs.
In AD, when user and computer objects are created, they are added to their respective containers by default. However, GPOs cannot be linked to containers; instead, create separate OUs for users and computers that require GPO application. This practice can be followed irrespective of the OU model you choose for your organization.
With OU nesting, you can make use of inheritance and delegate administrative rights flexibly. For example, if you want to delegate multiple permissions to a high-level user but you don't want those permissions to affect some of the users in that OU, you can create a nested OU that contains those users and apply the deny permission. This will prevent the creation of parallel OUs in your directory. Nesting also helps separate different AD objects like users, computers, and groups inside a parent OU.
Your OU structure is always dynamic, as new objects are created regularly. So, document your OU structure and design by recording details such as the OU name, description, who created the OU, and when it was created. This information will be extremely valuable in the future to prevent accidental deletion of important OUs by administrators.