
Active Directory Fundamentals

The structures and benefits of organizational units

Organizational units (OUs)

When you deploy Active Directory (AD) in your company, you may decide to create multiple organizational units (OUs) within your domain. An OU is a container within your domain that holds users, groups, computers, and other objects. You use an OU to store similar objects, making them easy to access and administer. An OU is always contained within a single domain.

You can also place sub-OUs within an OU—in a process called nesting—to create a hierarchical structure. OUs are usually created in such a way that they mimic the company’s functional or business structure.

Creating the OU structure

Here are some OU models that you can implement in AD:

  1. Functional/divisional: Each division or function within your company will have its own OU. For example, there could be a marketing OU, sales OU, research OU, and so on. All objects that belong to a particular function are placed in its respective OU.
  2. Geographic: As the name suggests, these OUs are created to mirror your company’s business operations in different geographic locations. For example, if your company operates in three different locations (New York, London, and Mumbai), you could have a New York OU, London OU, and Mumbai OU.
  3. Object: In this type of OU model, you would have different OUs for different object types. For example, you could have a users OU, privileged users OU, computers OU, and so on.

You can also combine the above models in your OU design. Here’s an example:

Questions to answer when designing OUs

OU design is a critical task when deploying AD. Answers to the following questions will help you design the OU structure:

Benefits of using OUs

There are three main benefits of using OUs:

  1. Manage objects efficiently: You can think of an OU as a folder you create on your computer. You’d put similar files within a folder to find them easily. In a very similar way, putting similar objects together in an OU (especially in an OU that mirrors your business practices) helps you manage objects efficiently.
  2. Deploy Group Policy Object (GPO) settings: A GPO is a set of user and computer configuration settings that you can apply to (and thus impose on) users and computers within a domain, site, or OU. After creating an OU and placing relevant objects inside it, you can link specific GPOs to that OU. The GPO will be applied to all objects within the OU. Imagine all of your company’s call center employees are part of one OU. If you don’t want these employees to access the internet from their machines, you can simply deploy a GPO with this configuration and apply it to that OU.
  3. Delegate administrative control: OUs provide you with new opportunities for distributed administrative authority. Larger companies will find this particularly useful. Imagine your company has three offices, with its headquarters in New York and two more offices in London and Mumbai. Let’s assume that the primary IT team works out of the headquarters in New York, the marketing team works out of London, and the research team works out of Mumbai. If the primary IT team in New York is tasked with attending to password reset requests from all three locations, it may cause bottlenecks in IT operations and affect the IT team’s productivity. Instead, the primary IT team could enable the marketing manager in London and the research lead in Mumbai to take care of these kinds of password requests from any of their respective team members.
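
The delegation scenario above, combined with a geographic/functional/object OU layout, as an added PowerShell example (not code from the original article). The domain example.com, the OU names, and the group EXAMPLE\London-Marketing-PwdReset are assumptions; the example grants only the password-reset right, and only on user objects under one OU.

```powershell
# Added example. Hypothetical names: domain example.com, delegate group
# EXAMPLE\London-Marketing-PwdReset (holds the London marketing manager).
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=com'
$delegate = 'EXAMPLE\London-Marketing-PwdReset'

# Combined model: geographic OU > functional OU > object-type OU.
$path = $domainDN
foreach ($name in 'London', 'Marketing', 'Users') {
    $dn = "OU=$name,$path"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $name -Path $path -ProtectedFromAccidentalDeletion $true
    }
    $path = $dn
}
$usersOU = $path   # OU=Users,OU=Marketing,OU=London,DC=example,DC=com

# Well-known schema GUIDs: "Reset Password" extended right, user object class.
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$sid = ([System.Security.Principal.NTAccount]$delegate).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Allow only password resets, only on user objects below this OU.
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl = Get-Acl -Path "AD:\$usersOU"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$usersOU" -AclObject $acl

# Read the ACL back and show the delegated entry for review.
(Get-Acl -Path "AD:\$usersOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $delegate -and $_.ObjectType -eq $resetPassword } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Whoever can reset a password in an OU can sign in as any account in it, so privileged accounts belong in a separate OU outside the delegated scope, such as the privileged users OU from the object model.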