Educause Security Discussion mailing list archives
Re: OU Structure in Active Directory
From: Patrick D Menard <pmenard () UNLNOTES UNL EDU>
Date: Wed, 21 Jul 2010 10:49:05 -0500
Brandon,

For the most part our OU structure mirrors administrative boundaries. The root-level OUs are colleges/divisions. Within that first layer are individual departments. Undergraduate students are in their own OU, with child OUs (A, B, C...) by last name. Groups are populated for each class and section, and these are used by departments for granting access (restricted logons, door access). Departmental IT staff don't have access to modify undergrads' login scripts/profiles. Grad students can be moved to department OUs by request (which then can be modified).

How the structure develops beyond that point is varied. We have a distributed administrative structure where we give departmental IT staff full control of their OU and any child OUs they create. Some departments break the users down into sub-departments/areas. Within a department/area typically the IT staff create child OUs for users and computers. Some also create an OU for groups; others leave the groups in the parent OU. Some create multiple computer OUs based on type (servers, desktops, laptops, lab computers, etc.).

The key for your OU structure is that it functions as a security layer by grouping users into containers that can be assigned to different support staff. Also, the OUs function as group policy layers (mostly in our environment that occurs at the child OU layers within departments). It's always best when creating OUs to create OU admin groups and only grant the security access to the groups (much easier when IT staff leave/join). We also created a security group that all the OU admin groups belong to that has access to the Computers OU and an OU we call Unknown (our automated account generation program will usually place staff in the appropriate department OUs, but dumps them in Unknown if the department information from the HR system didn't match any known department; it's an old HR system and the department field is entered by hand, so unique entries are common).

The naming convention we use is first initial of first name, last name, and a number (i.e. pmenard1). If a department wants to create additional user accounts, they prepend the user name with a department prefix and a "-" (i.e. cba-studentworker1) to ensure no conflicts with new users that join the University. The same prefix is usually prepended to computer accounts (although not required), as it helps most departments recognize their computer names on sight (servers being the notable exception; most server admins tend to follow themes on server naming).

Patrick Menard
Active Directory Project Coordinator
Information Services
University of Nebraska-Lincoln

From: Brandon Payne <payneb () SVCC EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 07/21/2010 09:47 AM
Subject: [SECURITY] OU Structure in Active Directory

Currently we are in the designing and implementing phase for the first time with Active Directory. We are in a single domain environment. How are you structuring your OUs? How are you targeting your users in the OU structure? By dept? By employee category? By machine type (desktops, laptops)? For ex:

Employees
Staff
Faculty
Labs
Students

What has or has not worked out for your school in the long run? Do you have any recommendations based on your experiences?

Thanks in advance,

--
Brandon Payne
Technical Support Specialist
Information Services
Sauk Valley Community College
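The delegation model Patrick describes (one admin group per OU with rights granted only to the group, an umbrella group that all OU admin groups belong to with rights on Unknown and the Computers container, account placement that falls back to Unknown when the HR department string matches nothing, and the first-initial + last-name + number username convention), written out as an added PowerShell example. This is not code from the thread or from either university; it assumes the RSAT ActiveDirectory module and a caller allowed to create OUs, groups and ACEs, and the college/department names, group names (OUAdmins-*) and the HR sample records are placeholders constructed for illustration.

```powershell
# Added example, not from the original thread. Assumes the RSAT ActiveDirectory
# module is available and the caller can create OUs, groups and ACEs.
# College/department names, OUAdmins-* group names and the HR feed are placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Placeholder college -> department map; real data would come from the college list.
$colleges = @{
    'CBA' = @('Accounting', 'Finance')
    'ENG' = @('CivilEng', 'ElecEng')
}

function Grant-OUFullControl {
    # Grant GenericAll on an object and everything beneath it to a group SID.
    # Inheritance "All" is what lets departmental staff own child OUs they create later.
    param([string] $ObjectDN, [System.Security.Principal.SecurityIdentifier] $Sid)
    $acl  = Get-Acl -Path "AD:\$ObjectDN"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

function New-DelegatedOU {
    # Create an OU (idempotent) plus its admin group; rights go to the group, never to people.
    param([string] $Name, [string] $ParentDN, [string] $GroupName)
    $ouDN = "OU=$Name,$ParentDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$GroupName)")) {
        New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $ouDN
    }
    Grant-OUFullControl -ObjectDN $ouDN -Sid (Get-ADGroup $GroupName).SID
    return $ouDN
}

# Umbrella group: every OU admin group is a member; it gets rights on the
# Unknown OU and on the default Computers container.
$allAdmins = 'OUAdmins-All'
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$allAdmins)")) {
    New-ADGroup -Name $allAdmins -GroupScope DomainLocal -GroupCategory Security -Path "CN=Users,$domainDN"
}
$unknownDN = New-DelegatedOU -Name 'Unknown' -ParentDN $domainDN -GroupName 'OUAdmins-Unknown'
Grant-OUFullControl -ObjectDN $unknownDN -Sid (Get-ADGroup $allAdmins).SID
Grant-OUFullControl -ObjectDN "CN=Computers,$domainDN" -Sid (Get-ADGroup $allAdmins).SID

# College -> department tree; each admin group also joins the umbrella group.
$deptToOU = @{}
foreach ($college in $colleges.Keys) {
    $collegeDN = New-DelegatedOU -Name $college -ParentDN $domainDN -GroupName "OUAdmins-$college"
    Add-ADGroupMember -Identity $allAdmins -Members "OUAdmins-$college"
    foreach ($dept in $colleges[$college]) {
        $deptToOU[$dept] = New-DelegatedOU -Name $dept -ParentDN $collegeDN -GroupName "OUAdmins-$college-$dept"
        Add-ADGroupMember -Identity $allAdmins -Members "OUAdmins-$college-$dept"
    }
}

function Resolve-TargetOU {
    # Hand-typed HR department strings: whitespace-insensitive exact match, else Unknown.
    param([string] $HrDepartment)
    $key = ($HrDepartment -replace '\s+', '')
    if ($deptToOU.ContainsKey($key)) { return $deptToOU[$key] }
    return $unknownDN
}

function New-StandardUserName {
    # First initial + last name + lowest free number (pmenard1, pmenard2, ...).
    param([string] $First, [string] $Last)
    $base = (($First.Substring(0, 1) + $Last).ToLower() -replace '[^a-z0-9]', '')
    $n = 1
    while (Get-ADUser -LDAPFilter "(sAMAccountName=$base$n)") { $n++ }
    return "$base$n"
}

# Constructed sample HR feed: the second record's department matches nothing and lands in Unknown.
$hrFeed = @(
    @{ First = 'Pat'; Last = 'Menard'; Department = 'Accounting' },
    @{ First = 'Sam'; Last = 'Jones';  Department = 'Acct & Fin (temp)' }
)
foreach ($rec in $hrFeed) {
    $sam = New-StandardUserName -First $rec.First -Last $rec.Last
    New-ADUser -Name $sam -SamAccountName $sam -GivenName $rec.First -Surname $rec.Last `
        -Department $rec.Department -Path (Resolve-TargetOU $rec.Department) -Enabled $false
}
```

Because the ACE on each OU is granted to the OU admin group rather than to individual accounts, staff turnover is handled with Add-ADGroupMember / Remove-ADGroupMember instead of touching ACLs, and Get-Acl on any OU shows a short, auditable list of group SIDs. Accounts are created disabled here so the placement logic can be reviewed (anything in Unknown gets a human look) before a password is set and the account enabled.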
Current thread:
- OU Structure in Active Directory Brandon Payne (Jul 21)
- Re: OU Structure in Active Directory Patrick D Menard (Jul 21)
- Re: OU Structure in Active Directory Alex Keller (Jul 21)
- Re: OU Structure in Active Directory Brandon Payne (Jul 21)