If it's made too complex it will end up being neglected and just turns into a complete waste of time. Ours goes office location - department - users and computers. Distribution groups and Security groups have their own OU. We used to have a flat structure, but I rearranged it in a way that made sense for how I needed to deploy GPOs for mapped drives and printers. Best practice would really depend on the needs of your org. The AD was not huge, but it was more than just a little 1 forest, 1 tree, 1 domain Active Directory.

Not all is lost though. The important thing is that they cascade from broad to narrow. At my company, we're prepping to migrate to a new domain. It could be as simple as 1 computer's OU and 1 user's OU. Some use geography, some use department and so on. by Harry2807. In the end, the short summary is a single forest, with a … Make a basic chart of what GPOs and delegations you're going to use and the logic of the OU structure often becomes apparent.

In this guide, I will share my tips on securing domain admins, local administrators, audit policies, monitoring AD for compromise, password policies and much more.

What about the guys that travel between offices or belong to more than one department? Separate the types of object into a tree, then use security groups to define the roles, functions, locations etc. as these are usually one to many relationships. There are policies that apply to all devices, but there are also policies that more narrowly apply just to workstations and not servers (and vice versa) but then also more narrowly again for only mobile devices.

I've been working a few months ago on an AD design for a customer of the company I work for.

That is up to you and your company. Does anyone here have any advice on AD OU design in regards to using a flat OU vs a structure for computers?

Not a fan of flat structures. Lay it out in whatever layout that makes sense for your company. I modeled it after what the military has theirs designed... the Army anyways... In the root of the domain, several default OU's get created when you create a domain. Listen to what your environment needs and create the structure accordingly.

The issue with using OU's based on roles, location, department etc. is that an AD Object to OU relationship is one to one.

Collapsing 2 domains in the process. I consider myself extremely lucky that I was able to have complete creative control over our OU design in the new domain. Just make it so that you can easily apply group policies to the groups of computers and users that need them.

In this guide, we will tie these thoughts together and explore a few innovative ways to organize Active Directory. Users, Computers, and Groups. Any OU's you need to create now, or in the future, can fall under one of these 2 sub-OU's. This is the most comprehensive list of Active Directory Security Tips and best practices you will find. There's always going to be special exceptions that have to be handled. Just don't leave your objects in the default containers. ... Enterprise and Properties. Under Enterprise several sub-OU's exist.

Assuming at least a basic level of good design, it's more important that you understand that design and how that's going to affect GPOs and other things rather than the OU structure being "perfect". I lean towards less is more.
The first rule you must set for yourself when working to design your Active Directory is “Use best practices everywhere!” Don’t try to change the way Active Directory is designed to work no matter what you might think at first.