- Evolution of Directory Services
- Active Directory Development
- Active Directory Structure
- Active Directory Components
- Domain Trusts
- Organizational Units
- Groups in an Active Directory Environment
- Active Directory Replication
- DNS in Active Directory
- Active Directory Security
- Active Directory Changes in Windows .NET Server 2003
- Best Practices
As defined in the RFC for the LDAP standard, organizational units (OUs) are containers that logically store directory information and provide a method of addressing Active Directory through LDAP. In Active Directory, OUs are the primary method for organizing user, computer, and other object information into a more easily understandable layout. As shown in Figure 4.8, the organization has a root organizational unit in which three nested organizational units (marketing, IT, and research) have been placed. This nesting enables the organization to distribute users across multiple containers for easier viewing and administration of network resources.
As you can see, OUs can be further subdivided into resource OUs for easy organization and delegation of administration. Far-flung offices could have their own OUs for local administration as well. It is important to understand, however, that an OU should be created only if the organization has a specific need to delegate administration to another set of administrators. If the same person or group of people administer the entire domain, there is no need to increase the complexity of the environment by adding OUs. In fact, too many OUs can impact group policies, logons, and other factors. Chapter 6, "Designing Organizational Unit and Group Structure," gives a detailed rundown of the design considerations encountered with organizational units.
Figure 4.8 Organizational unit structure that provides a graphical view of network resource distribution.
Domain Versus OU
As previously mentioned, some administrators tend to start applying the Active Directory domain structure to political boundaries within the organization. The dry-erase markers come out and very soon well-meaning managers get involved, organizing the Active Directory structure based on political boundaries. Subdomains start to become multiple layers deep, with each department taking its own subdomain. The problem with this strategy is that the Active Directory structure allows for this type of administrative granularity without division into multiple domains. In fact, the rule of thumb when designing domains is to start with a single domain and add additional domains only when necessary. In a nutshell, the type of administrative control required by many organizations can be realized by division of groups into separate organizational units rather than into separate domains.
OUs can therefore be structured to allow for separate departments to have various levels of administrative control over their own users. For example, a secretary in the Engineering department can be delegated control of resetting passwords for users within his own OU. Another advantage of OU use in these situations is that users can be easily dragged and dropped from one OU to another. For example, if users are moved from one department to another, moving them into their new department's OU is extremely simple.
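The delegation and move just described, as an added PowerShell example that is not from the book: it builds the nested layout of Figure 4.8, grants only the Reset Password right on one department OU, moves a user between departments, and then lists who holds that right on each OU. It assumes the ActiveDirectory module, domain-administrator rights, and placeholder names (root OU "Corporate", group "Research-PasswordResetters", user "jdoe").

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module,
# domain-admin rights, and placeholder OU/group/user names.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$root     = "OU=Corporate,$domainDN"          # placeholder root OU

# Nested OUs as in Figure 4.8: one root OU with three department OUs beneath it.
New-ADOrganizationalUnit -Name "Corporate" -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($dept in "Marketing", "IT", "Research") {
    New-ADOrganizationalUnit -Name $dept -Path $root -ProtectedFromAccidentalDeletion $true
}

# Group that will hold the people allowed to reset passwords in Research only.
New-ADGroup -Name "Research-PasswordResetters" -GroupScope DomainLocal -Path "OU=IT,$root"

# Delegate just the "Reset Password" control access right, inherited only by
# user objects below OU=Research; no other rights are granted.
$researchOU   = "OU=Research,$root"
$resetPwdGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password extended right
$userClass    = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # user object class
$sid = (Get-ADGroup "Research-PasswordResetters").SID
$acl = Get-Acl -Path "AD:\$researchOU"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$researchOU" -AclObject $acl

# Moving a user to another department is a single move of the object.
$user = Get-ADUser -Identity "jdoe"            # placeholder account
Move-ADObject -Identity $user.DistinguishedName -TargetPath "OU=Marketing,$root"

# Check: list every principal holding Reset Password on each OU under the root,
# so delegated rights do not accumulate unnoticed as the OU tree changes.
foreach ($ou in Get-ADOrganizationalUnit -SearchBase $root -Filter *) {
    (Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
        Where-Object { $_.ObjectType -eq $resetPwdGuid -and $_.AccessControlType -eq 'Allow' } |
        Select-Object @{n='OU';e={$ou.Name}}, IdentityReference, IsInherited
}
```

The final loop is the part worth keeping as a recurring check, since rights granted on an OU follow every user later moved into it.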
It is important to keep in mind that the OU structure can be modified on the fly whenever an administrator sees fit to make structural changes. This gives Active Directory the added advantage of being forgiving of OU design flaws, because changes can be made at any time.