Top 5 Active Directory OU best practices

Since OUs play a vital role in deploying organization-wide policies and settings, they require careful planning and design for flexible administration. Here are five AD OU best practices that you should follow to simplify and secure your AD administration.


Plan ahead

A poorly planned OU structure can lead to confusion over where to place newly created objects in your directory tree. Microsoft suggests that you ensure simplicity and adaptability while planning your OU design. So, prepare a layout of your Active Directory OU structure keeping Group Policy Object (GPO) linkage and delegation in mind to avoid creating OUs at will in the long run.


Choose a model

Administration of AD objects becomes easier when the OUs mirror your organization's structure. Different OU models serve their own purposes. For example:

  • The geographic model separates your OUs based on the location of your offices
  • The department model divides OUs corresponding to the departments in your organization
  • The type-based model classifies OUs based on object types

Choose an OU model that best fits your administrative needs.


Set apart users and computers

In AD, newly created user and computer objects land in the default Users and Computers containers (CN=Users and CN=Computers) unless you specify another location. GPOs cannot be linked to these containers, so create separate OUs for the users and computers that require GPO application and place the objects there. This practice applies regardless of the OU model you choose for your organization.
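The following PowerShell script is an added example, not code from the article or from ManageEngine. It builds the geographic model described above (one OU per office) and applies the users-versus-computers separation inside each site, then links a computer baseline GPO to the Computers OU only. The site names, the `Corp` parent OU and the `Workstation Baseline` GPO name are constructed placeholders; the GPO is assumed to exist already. It uses only the standard ActiveDirectory and GroupPolicy module cmdlets.

```powershell
# Added example (not from the ManageEngine article): build a geographic-model OU tree
# with separate Users and Computers child OUs under each site, then link a GPO to the
# Computers OU. Site names, the parent OU and the GPO name are constructed placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=local
$sites    = @('London', 'Chicago', 'Sydney')          # constructed site list
$gpoName  = 'Workstation Baseline'                    # constructed GPO name (must already exist)

# Parent OU that anchors the geographic model; protected so it is not deleted by mistake.
$corpDN = "OU=Corp,$domainDN"
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(ou=Corp)' -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Corp' -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

foreach ($site in $sites) {
    $siteDN = "OU=$site,$corpDN"
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$site)" -SearchBase $corpDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $site -Path $corpDN -Description "$site office" -ProtectedFromAccidentalDeletion $true
    }

    # Keep users and computers apart so a GPO can target one object type without filters.
    foreach ($child in 'Users', 'Computers') {
        if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$child)" -SearchBase $siteDN -SearchScope OneLevel)) {
            New-ADOrganizationalUnit -Name $child -Path $siteDN -ProtectedFromAccidentalDeletion $true
        }
    }

    # Link the computer baseline GPO to the Computers OU only; user objects are unaffected.
    $computersDN = "OU=Computers,$siteDN"
    $linked = (Get-GPInheritance -Target $computersDN).GpoLinks | Where-Object DisplayName -eq $gpoName
    if (-not $linked) {
        New-GPLink -Name $gpoName -Target $computersDN -LinkEnabled Yes | Out-Null
    }
}
```

Every step checks for the OU or link before creating it, so the script can be re-run after the design changes without producing duplicates or errors. New accounts will still be created in the default CN=Users and CN=Computers containers unless you move them; the built-in redirusr.exe and redircmp.exe tools can change the default location for a domain to one of these OUs, which is worth doing so that new objects pick up the linked GPOs from the start.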


Utilize OU nesting

With OU nesting, you can make use of inheritance and delegate administrative rights flexibly. For example, if you want to delegate multiple permissions to a high-level user but you don't want those permissions to affect some of the users in that OU, you can create a nested OU that contains those users and apply the deny permission. This will prevent the creation of parallel OUs in your directory. Nesting also helps separate different AD objects like users, computers, and groups inside a parent OU.
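As an added example (not code from the article or from ManageEngine) of the delegation scenario just described: a helpdesk group is allowed to write user objects under a parent OU, and a nested OU is created for the accounts the delegation must not reach, with an explicit Deny ACE for the same right. The parent OU, the `Executives` nested OU and the `London-Helpdesk` group are constructed placeholders and are assumed to exist (except the nested OU, which the script creates). The `bf967aba-0de6-11d0-a285-00aa003049e2` value is the schemaIDGUID of the `user` object class, used so the ACEs apply to user objects only.

```powershell
# Added example (not from the article): delegate write rights on user objects beneath a
# parent OU to a helpdesk group, then carve out a nested OU whose users are excluded via
# an explicit Deny ACE. OU names and the group name are constructed placeholders.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$parentDN  = "OU=Users,OU=London,OU=Corp,$domainDN"    # constructed parent OU (must exist)
$nestedOU  = 'Executives'                               # constructed nested OU name
$groupName = 'London-Helpdesk'                          # constructed delegate group (must exist)

# schemaIDGUID of the 'user' object class: restricts the ACEs to user objects.
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$groupSid = (Get-ADGroup $groupName).SID

# 1. Allow the helpdesk group to write user objects anywhere beneath the parent OU.
$parentAcl = Get-Acl -Path "AD:\$parentDN"
$allow = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$parentAcl.AddAccessRule($allow)
Set-Acl -Path "AD:\$parentDN" -AclObject $parentAcl

# 2. Create the nested OU that holds the accounts the delegation must not reach.
$nestedDN = "OU=$nestedOU,$parentDN"
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$nestedOU)" -SearchBase $parentDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $nestedOU -Path $parentDN -ProtectedFromAccidentalDeletion $true
}

# 3. Add an explicit Deny for the same right on the nested OU. An explicit Deny on the
#    child is evaluated before the Allow inherited from the parent, so the helpdesk group
#    cannot modify user objects placed in this OU, with no parallel OU needed.
$nestedAcl = Get-Acl -Path "AD:\$nestedDN"
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$nestedAcl.AddAccessRule($deny)
Set-Acl -Path "AD:\$nestedDN" -AclObject $nestedAcl

# 4. Verify: list the ACEs that reference the group on both OUs.
foreach ($dn in $parentDN, $nestedDN) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$groupName" } |
        Select-Object @{n = 'OU'; e = { $dn }}, AccessControlType, ActiveDirectoryRights, InheritanceType
}
```

The verification step at the end is the part to keep in a scheduled job: Deny ACEs are easy to forget and make later permission reviews harder to read, so record each one with the reason it exists (the documentation practice below) and re-check that the Deny is still present whenever the parent delegation is changed.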


Document your OU design

Your OU structure is always dynamic, as new objects are created regularly. So, document your OU structure and design by recording details such as the OU name, description, who created the OU, and when it was created. This information will be extremely valuable in the future to prevent accidental deletion of important OUs by administrators.
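An added example (not code from the article or from ManageEngine) that produces the kind of record described above: it inventories every OU in the domain with its name, description, creation and modification times, deletion-protection flag, nesting depth and linked GPOs, exports the result to CSV, and warns about OUs that have no description or are not protected from accidental deletion. The output path is a constructed placeholder.

```powershell
# Added example (not from the article): inventory every OU with the details worth
# documenting and export them to CSV. The output path is a constructed placeholder.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$outFile = 'C:\Temp\OU-Inventory.csv'   # constructed output path

$inventory = Get-ADOrganizationalUnit -Filter * -Properties Description, whenCreated, whenChanged, ProtectedFromAccidentalDeletion |
    ForEach-Object {
        $ou = $_
        # Names of GPOs linked directly to this OU (empty when nothing is linked).
        $gpos = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks | ForEach-Object DisplayName
        [PSCustomObject]@{
            Name        = $ou.Name
            DN          = $ou.DistinguishedName
            # Number of OU components in the DN: 1 = top-level OU, 2 = nested one level, ...
            # (assumes OU names do not themselves contain the literal text ",OU=")
            Depth       = ($ou.DistinguishedName -split ',(?=OU=)').Count
            Description = $ou.Description
            Created     = $ou.whenCreated
            Modified    = $ou.whenChanged
            Protected   = $ou.ProtectedFromAccidentalDeletion
            LinkedGPOs  = ($gpos -join '; ')
        }
    }

$inventory | Sort-Object DN | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# Flag the gaps a reviewer cares about: undocumented OUs and OUs anyone with rights can delete.
$inventory | Where-Object { -not $_.Description } |
    ForEach-Object { Write-Warning "No description: $($_.DN)" }
$inventory | Where-Object { -not $_.Protected } |
    ForEach-Object { Write-Warning "Not protected from accidental deletion: $($_.DN)" }
```

Two caveats when using this as your OU documentation. First, AD stores no "created by" attribute on an OU, so the creator has to come from Directory Service change auditing on the domain controllers (Security log event ID 5137, "A directory service object was created") or from an auditing product; the script records only when the OU was created. Second, `ProtectedFromAccidentalDeletion` is the control that actually prevents an administrator from deleting an OU by mistake, so treat the second warning as a finding to fix with `Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true`, not just something to note in the document.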

Simplify your OU management using ADAudit Plus

Using native tools to monitor and document changes made to your OUs while keeping track of the delegated permissions can be a time-consuming process. ADAudit Plus, a UBA-driven AD auditing solution from ManageEngine, provides customizable change audit reports that keep you informed of all changes made to your OUs, GPOs, and permissions.

Download a 30-day free trial.
