Active Directory Organizational Units – Best Practices for OUs!
Organizational Units (OU) play an essential role in managing users and computers in Active Directory. But what do admins have to know about OUs to use them effectively? Read our guide to learn the most important best practices for organizational units, as well as what sets them apart from default containers and Active Directory groups.
What Are Active Directory Organizational Units?
Active Directory, Microsoft’s directory service for Windows environments, is based around a hierarchical network structure. Computers and users are part of a domain governed by domain controllers. Domains themselves can be part of trees, multiple domains with trust relationships in a parent child structure. Trees can be part of larger Active Directory forests. While trees and forests exist above domain level, organizational units exist below the level of individual domains.
An organizational unit or OU is the smallest unit within Active Directory for which admins can define specific group policy settings and delegated admin rights. Organizational units can contain users, computers, groups and other OUs. Effectively, organizational units represent a subsection of an Active Directory domain that can be used to group objects together and assign unique rules to them. They serve two main purposes:
Delegated administration: Organizational units allow administrators to assign admin rights to users that are only valid within a specific OU. This helps restrict the control of individual admins in accordance with the principle of least privilege. Delegation can also be used to allow users outside the IT team to handle certain helpdesk tasks like password resets.
Managing Group Policy: Group policy objects (GPOs) let admins manage a variety of settings for users and devices in Windows networks. Organizational units make it possible to apply group policy to specific parts of Active Directory.
How Do I Create an Organizational Unit?
There are multiple ways to create a new organizational unit in Active Directory:
Through the Active Directory Administrative Center
Through the Windows Server Manager or the Remote Server Administration Tools (RSAT), more specifically through the snap-in Active Directory Users & Computers (ADUC)
Using the PowerShell cmdlet New-ADOrganizationalUnit
In general, creating and managing OUs through a visual interface makes it a lot easier to ensure that you follow the correct structure. While it is possible to manage OUs using PowerShell, it is not recommended.
The Difference Between Organizational Units and AD Groups
At first glance, organizational units and groups have a lot in common: Both are used to add structure to your Active Directory by grouping together similar objects such as user accounts or device accounts.
In practice, organizational units and AD groups serve two very different purposes: organizational units are used to delegate admin rights and apply group policy settings, while groups are used to manage permissions – for example NTFS permissions and share permissions on the file server or mailbox permissions in Exchange. Even access to third-party applications and resources can be tied to Active Directory group membership.
Differences between Active Directory groups and organizational units:
Organizational units can contain group policy objects (GPOs), AD groups can’t
Organizational units can be used to delegate admin rights, AD groups can’t
AD groups can be used to manage permissions, organizational units can’t
AD groups have their own security identifier, organizational units don’t
The Difference Between Organizational Units and Containers
When you deploy Active Directory, Windows automatically creates default containers to store users, computers and other objects. Containers fulfil a similar role to organizational units (in fact, OUs are a type of container), but with one important difference: group policy objects cannot be applied to containers, only organizational units.
For this reason, it is generally recommended to replace default containers in AD with your own organizational units for user/computer accounts. You can use these OUs to manage global policies intended to apply to all accounts or devices in your network. To make sure that new accounts are created in organizational units instead of default containers, you can redirect account creation using redirusr and redircmp. More on redirecting containers in Active Directory.
Organizational Units In Azure AD?
Instead of organizational units, Azure Active Directory uses administrative units (AU). Similar to OUs, administrative units can contain users, devices and groups, but not other administrative units (no nesting). AUs can be used to assign admin roles to users that only apply to the objects within an administrative unit.
Unlike organizational units, administrative units do not support group policy objects since there are no GPOs in Azure AD.
Best Practices for Access Management In Microsoft® Environments
Our in-depth guide explains how to manage access securely and efficiently from a technical and organizational standpoint, including tips for implentation, reporting and auditing.
Organizational Unit Best Practices
Create a Logical Structure
Organizational units allow admins to structure a domain by grouping users and computers together. Which and how many OUs you need depends on the specific setup and requirements of your IT landscape. There are many ways to build and nest organizational units, what’s important is that you find a structure that works for you and then stick to it consistently.
Similar to role-based access control, many businesses design their OUs based on their company structure by creating separate organizational units for different offices and departments. However, you don’t have to follow this model. The key question to ask yourself when planning your organizational units is which parts of Active Directory actually need delegated administration or unique group policies. For example, it may be helpful to split computer accounts based on device type (i.e. desktop vs. laptop) to apply different settings to each.
Split Users and Computers
Since most organizations apply different group policy settings to user accounts vs. computer accounts, it makes sense to put these objects into separate organizational units for easier administration. You can use these OUs to establish global settings for all user/computer accounts, while using nested organizational units to set specific rules based on your planned OU structure.
Follow a Clear Naming Convention
For the sake of long-term maintenance and administration, it’s essential to give organizational units clear names (and optional descriptions) that make it obvious what the purpose and scope of an OU is. More importantly, all administrators need to follow the same approach when it comes to naming: If one admin names OUs based on department (Design) and another names them based on job titles (Illustrator), things will quickly get confusing. The easiest way to implement a consistent naming convention is to put your policy into writing.
Use Inheritance to Assign Group Policy
While organizational units allow admins to create different rules for different parts of Active Directory, most organizations have some universal settings they want to apply to all users and devices. The easiest way to ensure that global configurations apply to all accounts is through inheritance: You place a group policy object with these basic settings in a parent OU while one level down, nested OUs govern specific settings for subsections of the AD.
Use Nested OUs to Cover Exceptions
Nesting organizational units not only allows you to extend inherited group policies, but also to overwrite policies when necessary. Let’s look at an example: For security reasons, an organization has used group policy to set an automatic screen lock after 10 minutes of inactivity on all devices. However, in conference rooms, this has led to problems during presentations and video calls.
The solution: add conference room computers to a new organizational unit within their current OU and create a GPO to apply a longer time limit. These devices still inherit all relevant settings from their parent OU, only the unwanted setting is overwritten by the new group policy object.
Automatic Active Directory Management with tenfold
You want to get your Active Directory under control while saving valuable time by automating account, group and permission management? Identity & access management with tenfold is the answer you’ve been looking for!
Our automated user lifecycle management creates AD accounts as necessary, adds them to the correct groups and organizational units and updates accounts whenever an employee’s role changes. Thanks to our central permission reporting, admins can easily track effective permissions in Active Directory and across a wide range of supported systems, including shared files in Microsoft 365!
tenfold‘s self-service interface lowers your workload by giving end users access to commonly requested services like password resets and access requests. Last but not least, automated user access reviews help you conduct regular audits in accordance with your compliance & security needs. And the best part? tenfold guarantees that your AD follows all best practices and recommended guidelines.
Active Directory Best Practices covered by tenfold:
AGDLP group structure
List rights for access based enumeration
Automated user management
Eliminate orphaned accounts
Try tenfold today!
If you want to see firsthand how you can benefit from the advantages of tenfold‘s automated user and permission management, all you have to do is sign up for a free trial! Our experts will guide you through the setup process and introduce you to our IAM platform. After this introduction, you’ll have the chance to test tenfold to your heart’s content in your own IT environment.
Sign Up for a Free Trial to Discover tenfold’s Full Range of Features