OU and Group Design
Understanding the concepts used with Windows .NET Server 2003 design is only part of the battle. Applying those concepts to a best-practice design is the tricky part. You can take heart in the fact that, of all the design elements in Active Directory, OU and group structure is the most flexible and forgiving. You could theoretically revamp your entire OU structure in the middle of the day without impacting users of the network, because OU structure is administrative in function and does not directly affect user operations. Group membership is also readily changeable, although you should think carefully before deleting security groups that are already in use.
Because each group SID is unique, you must take care not to simply delete and re-create groups as you go. Permissions are recorded against the group's SID, not its name. As with user accounts, even if you give a new group the same name as a deleted group and add the same users to it, permissions set on the old group will not be applied to the new group.
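One way to check for this condition on a file server, as an added example that is not from the original text: the PowerShell functions below list folder permissions whose SID no longer resolves to any account, which is what a deleted group leaves behind, and read a group's SID so it can be recorded before any change. The function names `Get-OrphanedAce` and `Get-GroupSid`, the path, and the group name are hypothetical.

```powershell
# Added example. Function names, path and group name are hypothetical.
# Lists explicit ACEs on a folder tree whose SID no longer maps to an
# account. A deleted security group leaves exactly this behind, and a
# re-created group with the same name does not match it.
function Get-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]

    # The root folder plus every subfolder beneath it
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit (non-inherited) rules, identities returned as raw SIDs
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            try {
                [void]$ace.IdentityReference.Translate($ntType)
            }
            catch [System.Security.Principal.IdentityNotMappedException] {
                # Unresolvable SID. This can also mean the account's domain
                # is unreachable, so confirm before removing the entry.
                [pscustomobject]@{
                    Path   = $item.FullName
                    Sid    = $ace.IdentityReference.Value
                    Type   = $ace.AccessControlType
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

# Returns the SID string of an existing group, for comparison with the
# SIDs that appear in ACLs.
function Get-GroupSid {
    param([Parameter(Mandatory)][string]$Account)   # 'DOMAIN\GroupName'
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Usage (hypothetical values):
#   Get-GroupSid -Account 'CORP\Finance-RW'
#   Get-OrphanedAce -Path 'D:\Shares\Finance' | Format-Table -AutoSize
```

A group re-created under the old name returns a different value from `Get-GroupSid`, while the entries reported by `Get-OrphanedAce` still carry the deleted group's SID.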
With these factors in mind, and after successfully completing your forest and domain design (see Chapters 4, "Active Directory Primer," and 5, "Designing a Windows .NET Server 2003 Active Directory"), it's time to start designing your OU and group structure.