This is something that has bugged me for quite a while. When I see environments where Active Directory OUs have been created to mirror the organization structure, whether departments or physical locations, I always wonder why someone chose this model and whether they really understand the features and functions of Active Directory.
When you create an Active Directory OU structure that reflects physical locations or departments, you have doomed yourself to a life of constant object moves for little or no value: every transfer between offices or departments becomes a move between OUs. If you want to see which users are in a particular location or department, use the Active Directory attributes that hold those values! Use a product like PeopleUpdate to allow delegated updates of those attributes, and then when you want all users in a particular location or department, just perform a quick search of Active Directory.
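The attribute-based approach described above, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module, a domain `example.com`, and a constructed user `jdoe` with constructed department and city values; it shows that location and department are data on the object, so querying them never depends on which OU the account lives in.

```powershell
# Added example (not from the original post): find users by AD attribute
# instead of by OU. Assumes the RSAT ActiveDirectory module and a domain
# "example.com"; user, department and city values are constructed placeholders.
Import-Module ActiveDirectory

# A user's department and location live in the object's own attributes:
#   department -> -Department, l (city) -> -City, physicalDeliveryOfficeName -> -Office
# Updating them is a data change, not a move, so nothing about GPO scope or
# delegated administration changes for the account.
Set-ADUser -Identity 'jdoe' -Department 'Finance' -City 'Chicago' -Office 'CHI-04'

# "All Finance users in Chicago" is one query against the whole domain,
# regardless of which OU each account sits in.
Get-ADUser -Filter "Department -eq 'Finance' -and City -eq 'Chicago'" `
           -Properties Department, City, Office |
    Select-Object Name, SamAccountName, Department, City, Office

# The same search as an LDAP filter, for tools that do not speak the
# PowerShell filter syntax (department and l are the LDAP attribute names).
Get-ADUser -LDAPFilter '(&(department=Finance)(l=Chicago))' -Properties department, l |
    Select-Object Name, SamAccountName

# Headcount per department across the domain in one pass. Accounts with no
# department set show up as a blank group, which is the data-quality check
# to run before anyone relies on the attribute for reporting or automation.
Get-ADUser -Filter * -Properties Department |
    Group-Object -Property Department |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name
```

With an OU-per-department tree, the same report would need a `-SearchBase` per OU and would be wrong the moment someone transferred without a matching object move; with attributes, the delegated updater changes one field and every search and report follows.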
When someone asks me when they should create another OU, my answer is: for Active Directory security delegation. In limited cases I can buy in to creating OUs to support Group Policy, or at a very high level to separate normal user and computer accounts from IT/service accounts and computers. One commonly overlooked feature of Group Policy is that WMI filters, Active Directory security groups, and Active Directory Sites can all be used to control when, and to whom, a Group Policy is applied, without carving out OUs to do it.
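The two legitimate uses of an OU named above (delegation and Group Policy) and the three Group Policy filtering mechanisms, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a domain `example.com`, and hypothetical names: an OU `OU=Workstations,DC=example,DC=com`, groups `EXAMPLE\Helpdesk` and `GP-Finance-Apply`, GPOs `Finance Desktop Settings` and `Chicago Printers`, and a site `Chicago`.

```powershell
# Added example (not from the original post): what OUs are for (delegation
# and Group Policy) and how GPO filtering replaces per-department/per-site OUs.
# Assumes RSAT (ActiveDirectory, GroupPolicy), domain example.com, and
# hypothetical OU, group, GPO and site names.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou = 'OU=Workstations,DC=example,DC=com'

# 1. Delegation: the OU is the boundary at which rights are granted.
#    Grant Helpdesk only the "Reset Password" control access right on user
#    objects under this OU (/I:S = inherit to child objects only).
dsacls $ou /I:S /G 'EXAMPLE\Helpdesk:CA;Reset Password;user'

# Review what is delegated explicitly on the OU. Showing explicit ACEs only
# makes an accidental broad grant stand out instead of hiding among
# inherited entries.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType

# 2. Group Policy scoping without extra OUs.
$gpoName = 'Finance Desktop Settings'

# 2a. Security-group filtering: link once at the high-level OU, then narrow
#     *Apply* to a group. Authenticated Users keeps Read so computers can
#     still retrieve the GPO (required since MS16-072); only Apply is narrowed.
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpoName -TargetName 'GP-Finance-Apply' -TargetType Group `
                 -PermissionLevel GpoApply

# 2b. WMI filtering: the WQL that would be attached to the GPO as a WMI filter
#     in GPMC. Test it on a representative host first: a filter that matches
#     nothing makes the GPO silently not apply, a common misconfiguration.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'   # 1 = workstation
$wmiResult = Get-CimInstance -Namespace 'root\cimv2' -Query $wql
"WMI filter matches this host: $([bool]$wmiResult)"

# 2c. Site linking: location-specific settings link to the AD site, which
#     follows the machine's subnet, rather than to a per-office OU.
New-GPLink -Name 'Chicago Printers' `
           -Target 'CN=Chicago,CN=Sites,CN=Configuration,DC=example,DC=com'
```

Each of the three filters changes scope by editing the GPO, not by moving objects, so delegated rights on the OU stay exactly as audited in step 1 when a user changes department or a machine changes office.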
I’d like to hear what you think about this topic too, so post a comment or two. We would love to hear from you.
For more information contact us.
You hit the nail on the head with this post. Only two reasons to create OUs: 1) delegate administration of directory objects and 2) apply group policy. This is straight out of Microsoft’s original Windows 2000 documentation circa 1998. And my 12 years of experience since have only reinforced the need to stick to these basics.