
Thread: OU Structures

  1. Senior Member
    Join Date
    Dec 2008
    Posts
    117

    Certifications
    MCSE: Server 2003, TS: Exchange Server 2007 Configuration
    #1

    Default OU Structures

    I've got most of the concepts down except for the OU structures. I understand that you create OUs based on administrative separation. However, I still do not think that I have a good feel on the proper design from the exam questions. I recall not making heads or tails from the graphs/structures I was presented.

    Can anyone give me some pointers as to what I should be focusing on to determine the proper placement?

    Thanks

  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2
    The proper placement/design really depends upon the organization and business requirements. OUs can be created for any, or a combination of, the following criteria: geography, politics, security, departments, resource type, special needs, administration, etc.

    This probably goes without saying, but you should always go with the simplest design that meets your requirements. If all else is equal, I'd look at something like IT administration as the deciding factor (or anything else that jumps out at you from the requirements).

    For example, what's the difference between top-level OUs of NA, EU, and Asia that each have child OUs of Business, Sales, and Marketing and top-level OUs of Business, Sales, and Marketing that have child OUs of NA, EU, and Asia?

    Not much at first glance, that's why you'd need to look at other requirements and determine what would be the best fit. If each geographic area has IT staff that administers their own resources, the first design makes sense. If administration is divided based on department, then the latter would probably be the best choice.

    There's not necessarily always going to be a right or wrong answer as multiple designs could still be functional. Your task is going to be to pick the most appropriate based on the organization's needs.

  4. Drops by now and again astorrs's Avatar
    Join Date
    May 2008
    Location
    Vancouver, Canada
    Posts
    3,141

    Certifications
    I have numerous certs from VMware, Citrix, Microsoft, EMC, Nimble Storage, Palo Alto Networks and more...
    #3
    Quote Originally Posted by dynamik View Post
    This probably goes without saying...
    You'd think that right? But no it needs to be said again and again.

    I always tell people to ask themselves "do I need to delegate permissions or link a GPO to this OU?" and if the answer is no - get rid of it.

    Windows Server 2008 with Group Policy Preferences makes it even easier since you can shrink the number of GPOs in the environment and use security groups or O/S filters, etc to control which items in the GPP are actually applied to a user/computer. Most of the time for me with 2008 unless I'm delegating permissions the number of OUs is very minimal.

  5. Senior Member
    Join Date
    Dec 2008
    Posts
    117

    Certifications
    MCSE: Server 2003, TS: Exchange Server 2007 Configuration
    #4
    Quote Originally Posted by astorrs View Post
    You'd think that right? But no it needs to be said again and again.

    I always tell people to ask themselves "do I need to delegate permissions or link a GPO to this OU?" and if the answer is no - get rid of it.
    I do know to choose the simplest design. Additionally, the permissions/GPO link is a good "rule of thumb" as well. However, it still puzzles me on what they are looking for in certain "graphs". Or perhaps I read the questions incorrectly.

  6. Senior Member
    Join Date
    Apr 2009
    Location
    New Orleans, LA
    Posts
    199

    Certifications
    MCSE, MCITP:EA, CCNA, CCNP
    #5
    One tip I can give is to try your best to completely rule out No Override settings/Block Policy Inheritance in the structure of your OUs. There are many questions that I've gotten wrong because I thought "Well if I just select 'No Override' then this will all fit in place."

    If you've done the Transcenders you'll see in the notes that they try to dissuade you from enabling these options because it makes administration more complex.

    Try to find a structure that will allow delegation down the hierarchy with ease and remember that if a certain group of users are responsible for all computer or user accounts in a domain, you don't need to create an OU for them.

    Example:
    You have 3 departments: Sales/Marketing/IT
    Each department has their own local IT in charge of account management.
    You have a group of admins at corporate who can manage all accounts in the entire domain.

    Instead of having:

    Domain
      All Domain Users
        Sales Marketing IT

    You can have:

    Domain
      Sales Marketing IT

    Since you can delegate account management to the whole domain.

    I hope this helps!
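
The checks suggested in posts #3 and #5 (does this OU carry a GPO link or delegated permissions, and does it rely on No Override or Block Policy Inheritance) can be run as an audit against an existing domain. This is an added example, not code from any poster in the thread; it assumes the RSAT ActiveDirectory module, and the `$baseline` list of default principals is an assumption to adjust per domain.

```powershell
# Added example: audit every OU for the two reasons an OU should exist
# (GPO link or delegation) and for Block Inheritance / Enforced links.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# Assumed baseline: principals that hold explicit ACEs on a newly created OU.
# Anything else with an explicit Allow ACE is treated as delegation.
$baseline = '^(NT AUTHORITY|BUILTIN)\\|\\(Domain|Enterprise) Admins$'

Get-ADOrganizationalUnit -Filter * -Properties gPLink, gPOptions | ForEach-Object {
    $ou = $_

    # gPLink is a string of [LDAP://cn={GUID},cn=policies,...;N] entries.
    # In N, bit 0 set = link disabled, bit 1 set = link enforced (No Override).
    $links    = [regex]::Matches([string]$ou.gPLink, '\[LDAP://[^;\]]+;(\d+)\]')
    $active   = @($links | Where-Object { -not ([int]$_.Groups[1].Value -band 1) })
    $enforced = @($links | Where-Object { [int]$_.Groups[1].Value -band 2 })

    # Explicit (non-inherited) Allow ACEs for non-baseline principals.
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    $delegated = @($acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notmatch $baseline
    })

    [pscustomobject]@{
        OU               = $ou.DistinguishedName
        ActiveGpoLinks   = $active.Count
        EnforcedLinks    = $enforced.Count
        BlockInheritance = ($ou.gPOptions -eq 1)   # gPOptions 1 = block inheritance
        DelegatedAces    = $delegated.Count
        # No active link and no delegation: candidate for removal or merging.
        # An OU that only groups child OUs will also show up here; review by hand.
        RemovalCandidate = ($active.Count -eq 0 -and $delegated.Count -eq 0)
    }
} | Sort-Object RemovalCandidate, OU -Descending | Format-Table -AutoSize
```

Rows with `EnforcedLinks` or `BlockInheritance` set are the places where the hierarchy is being worked around rather than designed for, which is what post #5 advises against.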

  7. Member Extraordinaire genXrcist's Avatar
    Join Date
    Oct 2008
    Location
    St. Paul, Minnesota
    Posts
    531

    Certifications
    CCNA:V MCITP:EA/EMA2K10 MCSE:S MCSA:M MCDST A+/Net+/Sec+
    #6
    What a great thread! Thanks for posting this Elwood and thanks to everyone for the great answers. This clarified what I thought I already had understood.
