Educause Security Discussion mailing list archives

Re: OU Structure in Active Directory


From: Patrick D Menard <pmenard () UNLNOTES UNL EDU>
Date: Wed, 21 Jul 2010 10:49:05 -0500


Brandon,

For the most part our OU structure mirrors administrative boundaries.  The
root level OU's are colleges/divisions.  Within that first layer are
individual departments.  Undergraduate students are in their own OU, with
child OU's (A, B, C...) by last name.  Groups are populated for each class
and section, and these are used by departments for granting access
(restricted logons, door access).  Departmental IT staff don't have access
to modify undergrads' login scripts/profiles.  Grad students can be moved to
department OU's by request (which then can be modified).

How the structure develops beyond that point is varied.  We have a
distributed administrative structure where we give departmental IT staff
full control of their OU and any child OU's they create.  Some departments
break the users down into sub-departments/areas.  Within a department/area
the IT staff typically create child OU's for users and computers.  Some also
create an OU for groups; others leave the groups in the parent OU.  Some
create multiple computer OU's based on type (servers, desktops, laptops,
lab computers, etc.).

The key for your OU structure is that it functions as a security layer by
grouping users into containers that can be assigned to different support
staff.  Also, the OU's function as group policy layers (mostly in our
environment that occurs at the child OU layers within departments).

It's always best when creating OU's to create OU admin groups and only
grant the security access to the groups (much easier when IT staff
leave/join).  We also created a security group that all the OU admin groups
belong to that has access to the Computers OU and an OU we call Unknown.
Our automated account generation program will usually place staff in the
appropriate department OU's, but dumps them in Unknown if the department
information from the HR system didn't match any known department (it's an
old HR system and the department field is entered by hand, so unique
entries are common).

The naming convention we use is first initial of first name, last name, and
a number (i.e. pmenard1).  If a department wants to create additional user
accounts, they prepend the user name with a department prefix and a
"-" (i.e. cba-studentworker1) to ensure no conflicts with new users that
join the University.  The same prefix is usually prepended to computer
accounts (although not required) as it helps most departments recognize
their computer names on sight (servers being the notable exception; most
server admins tend to follow themes on server naming).

Patrick Menard
Active Directory Project Coordinator
Information Services
University of Nebraska-Lincoln
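The layout and delegation model Patrick describes, as an added PowerShell example. This is not code from his post or from UNL; it assumes the ActiveDirectory (RSAT) module, rights to create OUs and groups at the domain root, and made-up college, department, OU and group names. It creates colleges/divisions as root OUs with department OUs beneath them, an Undergraduates OU with A..Z child OUs, shared staging OUs for computers and unmatched ("Unknown") accounts, and one OU admin security group per department that receives Full Control of that department's subtree only. An umbrella group containing every departmental admin group is delegated the shared staging OUs, so departmental IT never gets rights over undergraduates or over other departments.

```powershell
# Added example, not code from the original post. Names below are assumptions for illustration.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$domainDN = (Get-ADDomain).DistinguishedName     # e.g. DC=example,DC=edu

function New-OUIfMissing {
    # Create OU "$Name" under $Path unless it already exists; return its DN either way.
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    try {
        Get-ADOrganizationalUnit -Identity $dn | Out-Null
    } catch {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

function New-GroupIfMissing {
    # Create a global security group in $Path unless it already exists; return its name.
    param([string]$Name, [string]$Path)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $Path
    }
    return $Name
}

function Grant-OUFullControl {
    # Give $GroupName Full Control (GenericAll) of $OuDN, inherited by every object and
    # child OU beneath it. The ACE lives on that OU, so the group gains nothing elsewhere.
    param([string]$OuDN, [string]$GroupName)
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl = Get-Acl -Path "AD:\$OuDN"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Test-AccountName {
    # Naming convention from the post: central accounts are first initial + last name + number
    # (pmenard1); department-created accounts carry a department prefix and a dash
    # (cba-studentworker1), so they cannot collide with a future centrally created user.
    param([string]$Name)
    return ($Name -cmatch '^[a-z]{2,}[0-9]+$') -or ($Name -cmatch '^[a-z]+-[a-z0-9]+$')
}

# Shared OUs outside the college tree. "Computer Staging" plays the role of the post's
# Computers OU (an OU literally named "Computers" would clash with the default CN=Computers
# container at the domain root).
$groupsDN    = New-OUIfMissing -Name 'OU Admin Groups'  -Path $domainDN
$computersDN = New-OUIfMissing -Name 'Computer Staging' -Path $domainDN
$unknownDN   = New-OUIfMissing -Name 'Unknown'          -Path $domainDN   # HR department matched nothing
$undergradDN = New-OUIfMissing -Name 'Undergraduates'   -Path $domainDN
foreach ($code in 65..90) {                                              # A..Z child OUs by last name
    New-OUIfMissing -Name ([string][char]$code) -Path $undergradDN | Out-Null
}

# Colleges/divisions at the root, departments beneath them (hypothetical names).
$colleges = @{
    'College of Business' = @('Accounting', 'Finance')
    'Arts and Sciences'   = @('Chemistry', 'History')
}
$allAdmins = New-GroupIfMissing -Name 'OUAdmins-All' -Path $groupsDN

foreach ($college in $colleges.Keys) {
    $collegeDN = New-OUIfMissing -Name $college -Path $domainDN
    foreach ($dept in $colleges[$college]) {
        $deptDN = New-OUIfMissing -Name $dept -Path $collegeDN
        # One admin group per department: staff join and leave by group membership,
        # and the OU ACL is never edited per person.
        $deptAdmins = New-GroupIfMissing -Name "OUAdmins-$dept" -Path $groupsDN
        Grant-OUFullControl -OuDN $deptDN -GroupName $deptAdmins
        # Every departmental admin group is also a member of the umbrella group.
        Add-ADGroupMember -Identity $allAdmins -Members $deptAdmins -ErrorAction SilentlyContinue
    }
}

# The umbrella group is delegated only the shared staging OUs; the Undergraduates tree
# receives no departmental delegation at all.
Grant-OUFullControl -OuDN $computersDN -GroupName $allAdmins
Grant-OUFullControl -OuDN $unknownDN   -GroupName $allAdmins
```

Re-running the script is safe: OUs and groups are created only when missing, and an identical access rule added a second time is merged rather than duplicated. After it runs, `(Get-Acl "AD:\$deptDN").Access` shows the department group's GenericAll entry with inheritance set to All, and the same check on a sibling department's OU shows no entry for that group, which is the boundary you want to verify before handing the OU over.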


From:    Brandon Payne <payneb () SVCC EDU>
To:      SECURITY () LISTSERV EDUCAUSE EDU
Date:    07/21/2010 09:47 AM
Subject: [SECURITY] OU Structure in Active Directory

Currently we are in the designing and implementing phase for the first time
with Active Directory.  We are in a single domain environment.

How are you structuring your OU's? How are you targeting your users in the
OU structure?  By dept? By employee category? By machine type (desktops,
laptops)?

For example:

Employees
   Staff
   Faculty
Labs
  Students

What has or has not worked out for your school in the long run?  Do you
have any recommendations based on your experiences?

Thanks in advance,

--
Brandon Payne
Technical Support Specialist
Information Services
Sauk Valley Community College
