Designing the Active Directory Structure
At first, the phrase "organizational unit structure" might start you thinking about creating a structure that mirrors your business organization and its various divisions, departments, and projects. It is possible to create such a structure, but it might prove difficult and expensive to manage. OUs are for delegating administration, so the structure you create is most likely a reflection of your administrative model. The administrative model of your organization might not map exactly to your business organization.
For example, consider the business-oriented structure shown in Figure 9.12. OUs have been created for the Home Electronics (Electronics OU), Medical Systems (Medical OU), and Automotive (Automotive OU) divisions, where the users on the Automotive teams are in the Automotive OU, and so on.
Figure 9.12 OU Structure Aligned with Business Structure
Assume that the company in this example uses a centralized administration model. A single group of administrators manages all of the users across the company, regardless of business division. During the day-to-day operation of the company, many things can happen. If a person transfers between the Home Electronics and Automotive divisions, an administrator has to move that person's user account from the Electronics OU to the Automotive OU. If the number of transfers is high, this could add up to a significant amount of work for the administration group. But what is actually being accomplished?
For the same company, now consider an OU structure that consists of a single OU that contains all user accounts. If a user transfers between divisions, no additional work to move the object is created for an administrator. Whenever you create structure, make sure that it serves a meaningful purpose. Structure without justification will always create unnecessary work.
You might want to mirror your business structure in your OU structure to make it easy to generate lists of users based on business unit. Using OUs is just one way of doing this. Your business structure might more closely reflect the way resource access is granted to your users. For example, users on a particular project might be granted access to a specific set of file servers, or users in a particular division might be granted access to a particular Web site. Because resource access is granted using security groups, you might find that your business organizational structure is best represented in security group structures instead of OUs.
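The transfer and reporting scenario above, handled with security groups in place of per-division OUs. This is an added example, not part of the original guide; it assumes the ActiveDirectory PowerShell module and the hypothetical group names `Div-Electronics`, `Div-Medical` and `Div-Automotive`, with all user accounts kept in a single OU.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical division groups (assumed names, not from the guide).
$DivisionGroups = @{
    Electronics = 'Div-Electronics'
    Medical     = 'Div-Medical'
    Automotive  = 'Div-Automotive'
}

function Set-UserDivision {
    # Handles a transfer as a group membership change; the account stays in its OU.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [ValidateSet('Electronics', 'Medical', 'Automotive')] [string] $Division
    )
    $user   = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $target = Get-ADGroup -Identity $DivisionGroups[$Division]

    # Drop membership in the other division groups so the old division's
    # resource access does not linger after the transfer.
    foreach ($name in $DivisionGroups.Values) {
        $group = Get-ADGroup -Identity $name
        if ($group.DistinguishedName -ne $target.DistinguishedName -and
            $user.MemberOf -contains $group.DistinguishedName) {
            if ($PSCmdlet.ShouldProcess($SamAccountName, "Remove from $name")) {
                Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
            }
        }
    }
    if ($user.MemberOf -notcontains $target.DistinguishedName) {
        if ($PSCmdlet.ShouldProcess($SamAccountName, "Add to $($target.Name)")) {
            Add-ADGroupMember -Identity $target -Members $user
        }
    }
}

function Get-DivisionRoster {
    # Lists users per division from group membership, with no per-division OUs.
    foreach ($entry in $DivisionGroups.GetEnumerator()) {
        Get-ADGroupMember -Identity $entry.Value -Recursive |
            Where-Object objectClass -eq 'user' |
            Select-Object @{ n = 'Division'; e = { $entry.Key } }, SamAccountName, distinguishedName
    }
}
```

Running `Set-UserDivision` with `-WhatIf` first shows the membership changes a transfer would make without applying them.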