Saturday, March 22, 2008

Active Directory Organizational Unit (OU) Design

This post provides information on a concept design for Organizational Unit structure within an Active Directory environment - using a top-level OU, security filtered-GPOs and sub-container objects for grouping. The example providing a flexible solution to manage servers in the domain.

First, I’ll provide a summary of OU benefits as I see them and the resultant OU design that takes advantage of these benefits. Note that an OU design cannot be considered in isolation, and must at least take into account the forest/domain design, site design, DC placement and delegation of administration.

OU Benefits

There are several uses for OUs, often not fully considered when creating or changing an OU structure. An OU structure can be modified with unexpected results if the resultant set of policy and delegation of administration is not taken into consideration.

Delegation of Administration

Administration of objects can be logically set at the container level. The DACL for any objects in the container, and typically sub-containers/sub-objects, will also be modified to provide an inherited security model.

Grouping of objects

Grouping objects by container – such as for different types of servers – can help from a visibility perspective when administering those objects. However, logical grouping of objects requires more management to ensure that objects are grouped correctly on an ongoing basis.

The major disadvantages of this method are that the grouping types used become blurred over time and often one server fits into multiple groups.

Targets for Group Policy Objects

The OU containers provide a logical target for GPOs, generally indicating that a particular GPO should apply to the objects in that container, as well as sub-containers and their objects.

Again, the major disadvantage of this method is that a computer object can exist only in one OU, limiting the flexibility in GPO application.

OU Design

The design is a combination of OU and container objects, useful for taking advantage of the three major uses for OUs described above. As a summary, this OU solution includes:
1. A top-level OU, used for targeting security-filtered GPOs
2. Sub-containers, used for logical grouping of objects and delegation of administration. Note these are container objects, not OU objects

In my opinion, using a combination of OUs and container objects provides the most flexibility with the least risk and lowest ongoing management costs. There is no possibility of assigning policies to sub-OUs and then having to resort to policy blocking, GPOs are applied at one level and simple security group membership controls application.

This design provides the most flexibility when:

  • Applying multiple GPOs to a single object without relying on blocking inheritance or complicated tree structures
  • Delegating administration to groups of objects. Containers can be created to delegate administration for groups of objects, without changing the GPO application.
  • Grouping objects for administration. Containers can be created for visibility of like objects, without changing GPO application.

There are several caveats when using this solution, but correct communication and following due process will negate any issues:

  1. Container objects cannot be created through dsa.msc, adsiedit.msc or something equivalent must be used.
  2. Standard utilities such as dsquery provide functions targeting OUs, but not containers. Dsquery * can still be used to manage any object in the AD.

OU/Container structure example

To provide logical grouping of objects and delegated access to those objects with flexible group policy application, the following structure could be used to manage domain member servers:

OU=SERVERSOUSecurity filtered GPO Target, Delegation of Administration
CN=Citrix,OU=SERVERSContainerComputer grouping, Delegation of Administration
CN=Exchange,OU=SERVERSContainerComputer grouping, Delegation of Administration
CN=%APPLICATION%,OU=SERVERSContainerComputer grouping, Delegation of Administration
OU=%COMPANY%,OU=SERVERSOUSecurity filtered GPO Target, Delegation of Administration based on companies within one domain

OU/Container Security example


Note that the ACLs would typically propagate to child objects and containers as appropriate.


Designing an OU Structure that Supports Group Policy

Designing Organizational Units for Delegation of Administration

Creating an Organizational Unit Design

Group Policy Settings Reference

Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.

No comments:

All Posts

printQueue AD objects for 2003 ClusterVirtualCenter Physical to VirtualVirtual 2003 MSCS Cluster in ESX VI3
Finding duplicate DNS recordsCommand-line automation – Echo and macrosCommand-line automation – set
Command-line automation - errorlevels and ifCommand-line automation - find and findstrBuilding blocks of command-line automation - FOR
Useful PowerShell command-line operationsMSCS 2003 Cluster Virtual Server ComponentsServer-side process for simple file access
OpsMgr 2007 performance script - VMware datastores...Enumerating URLs in Internet ExplorerNTLM Trusts between 2003 and NT4
2003 Servers with Hibernation enabledReading Shortcuts with PowerShell and VBSModifying DLL Resources
Automatically mapping printersSimple string encryption with PowerShellUseful NTFS and security command-line operations
Useful Windows Printer command-line operationsUseful Windows MSCS Cluster command-line operation...Useful VMware ESX and VC command-line operations
Useful general command-line operationsUseful DNS, DHCP and WINS command-line operationsUseful Active Directory command-line operations
Useful command-linesCreating secedit templates with PowerShellFixing Permissions with NTFS intra-volume moves
Converting filetime with vbs and PowerShellDifference between bat and cmdReplica Domain for Authentication
Troubleshooting Windows PrintingRenaming a user account in ADOpsMgr 2007 Reports - Sorting, Filtering, Charting...
WMIC XSL CSV output formattingEnumerating File Server ResourcesWMIC Custom Alias and Format
AD site discoveryPassing Parameters between OpsMgr and SSRSAnalyzing Windows Kernel Dumps
Process list with command-line argumentsOpsMgr 2007 Customized Reporting - SQL QueriesPreventing accidental NTFS data moves
FSRM and NTFS Quotas in 2003 R2PowerShell Deleting NTFS Alternate Data StreamsNTFS links - reparse, symbolic, hard, junction
IE Warnings when files are executedPowerShell Low-level keyboard hookCross-forest authentication and GP processing
Deleting Invalid SMS 2003 Distribution PointsCross-forest authentication and site synchronizati...Determining AD attribute replication
AD Security vs Distribution GroupsTroubleshooting cross-forest trust secure channels...RIS cross-domain access
Large SMS Web Reports return Error 500Troubleshooting SMS 2003 MP and SLPRemotely determine physical memory
VMware SDK with PowershellSpinning Excel Pie ChartPoke-Info PowerShell script
Reading web content with PowerShellAutomated Cluster File Security and PurgingManaging printers at the command-line
File System Filters and minifiltersOpsMgr 2007 SSRS Reports using SQL 2005 XMLAccess Based Enumeration in 2003 and MSCS
Find VM snapshots in ESX/VCComparing MSCS/VMware/DFS File & PrintModifying Exchange mailbox permissions
Nested 'for /f' catch-allPowerShell FindFirstFileW bypassing MAX_PATHRunning PowerSell Scripts from ASP.Net
Binary <-> Hex String files with PowershellOpsMgr 2007 Current Performance InstancesImpersonating a user without passwords
Running a process in the secure winlogon desktopShadow an XP Terminal Services sessionFind where a user is logged on from
Active Directory _msdcs DNS zonesUnlocking XP/2003 without passwords2003 Cluster-enabled scheduled tasks
Purging aged files from the filesystemFinding customised ADM templates in ADDomain local security groups for cross-forest secu...
Account Management eventlog auditingVMware cluster/Virtual Center StatisticsRunning scheduled tasks as a non-administrator
Audit Windows 2003 print server usageActive Directory DiagnosticsViewing NTFS information with nfi and diskedit
Performance Tuning for 2003 File ServersChecking ESX/VC VMs for snapshotsShowing non-persistent devices in device manager
Implementing an MSCS 2003 server clusterFinding users on a subnetWMI filter for subnet filtered Group Policy
Testing DNS records for scavengingRefreshing Computer Account AD Group MembershipTesting Network Ports from Windows
Using Recovery Console with RISPAE Boot.ini Switch for DEP or 4GB+ memoryUsing 32-bit COM objects on x64 platforms
Active Directory Organizational Unit (OU) DesignTroubleshooting computer accounts in an Active Dir...260+ character MAX_PATH limitations in filenames
Create or modify a security template for NTFS perm...Find where a user is connecting from through WMISDDL syntax in secedit security templates

About Me

I’ve worked in IT for over 20 years, and I know just about enough to realise that I don’t know very much.