The OU design should be predicated on the administrative structure of the organization, not the departmental organization as seen on the company's organization chart. Most companies do not base the administration of resources on the organization chart. Usually, the IT department is responsible for objects within the company no matter which department is using the resource.
Although this centralized approach is the most basic method of controlling the objects within Active Directory, some organizations cannot utilize one single administrative group that has power over all of the objects. Other organizations will not have a centralized administrative team; instead they will have decentralized control over objects. In such cases, design decisions will have to be made that will dictate where the objects will reside within the OU structure. Microsoft has identified five design options when developing the OU design. These five allow the OUs to be designed by location, organization, business function, location then business function, or organization then location.
If an organization has resources that are centralized, but the administrative staff is based at different geographic locations, the OU design should take on a location-based strategy. Using this strategy, the OU structure is very resistant to reorganizations, mergers, and acquisitions. Because all of the objects are located beneath the top-level OU, which is based on company location as seen in Figure 5.1, the lower-level OUs can be modified and the objects moved within the OUs to accommodate the changes. Consider the alternative: having domains that are used to host the objects. Moving objects between domains has many more implications because the security ID of the objects will have to change as will the domain owners.
Figure 5.1: OU structure based on Location
However, some disadvantages to the location-based strategy exist. Unless the inheritance of permissions has been blocked, administrative groups that are granted authority at an upper-OU level will have the ability to affect objects in the lower-level OUs.
The location-based strategy works well within organizations that are using the departmental model but have geographically dispersed resources. In this manner, administrators located in the same site as the resources will have control over the objects that represent them in Active Directory.
If the administrative structure has an administrative staff that reports to divisions and is responsible for the maintenance of the resources for that division, the OU structure can be designed so that it takes advantage of the departmental makeup of the company as seen in Figure 5.2. Using this design strategy makes the OU structure much more vulnerable to change within the organization should a reorganization occur. However, it does allow departments to maintain autonomy over the objects that they own.
This strategy is usually employed whenever the cost center, product/service-based, or project-based business models are employed. This allows for the resources to be grouped so that the cost centers are separate OU structures. The product, service, or project resources can likewise be isolated within an OU tree, and those administrators who are responsible for the resources can be delegated the ability to control the objects within Active Directory.
Smaller organizations whose administrative staff provide specific functions to the organization typically use an OU design strategy based on job functions, as seen in Figure 5.3. In these smaller organizations, the administrators will have several job responsibilities. Building the OU structure based on the job responsibilities allows the controlled objects to be grouped together based on the tasks that need to be administered. This type of OU deployment is resistant to company reorganizations, but due to the way the resources are organized, replication traffic may be increased.
This strategy can be employed with any of the business models. Because it is usually implemented in smaller companies, a single administrative group such as Information Technology is responsible for maintaining all of the objects. The functions can be broken out based on the staff responsible for maintaining user objects, group objects, shared folders, databases, mail systems, and so on. Of course the administrative staff will have to be trusted by all divisions if this model is employed, but usually in the smaller companies, this is not as much of an issue.
Two hybrid methods of organizing resources exist. Each one is based on a combination of the location of resources and the method the company uses to organize the objects.
OUs Based on Location, Then Organization

When you use an OU design strategy that is first based on location and then organization, the upper-level OUs are based upon the location of the objects within the directory, and the lower-level OUs are broken out by the organization's departmental structure as seen in Figure 5.4. This strategy allows the organization to grow if necessary, and has distinct boundaries so that the objects' administration is based on local autonomy. Administrative staff will need to cooperate if administrative groups are responsible for the departments within the OU structure, because if this is the case, OU owners will have control over all of the objects within the OU tree.
Figure 5.4: OU structure based on Location, then Organization
Large companies that employ the departmental business model may have several locations within the company that have administrative staff controlling the resources. If this is the case, the OU owner for the location can control all of the accounts that are OU administrators for the individual departments within that location. This allows the OU owner to control users within the location for which they are responsible, while still maintaining control over their location. OU administrators would only be able to affect objects within their department at that location.
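The reach of an upper-level delegation, noted above for the location-based design and again for the location-then-organization design, can be worked out before any rights are granted. The following is an added example, not part of the original text: it uses a simplified model in which a delegation applies to every lower OU unless an OU blocks inheritance, and the domain, OU and group names are constructed.

```python
# Simplified model (assumption): control delegated on an OU flows to all OUs
# beneath it unless a lower OU blocks inheritance. Sample data is constructed,
# and DNs are assumed to contain no escaped commas.
DOMAIN = "DC=example,DC=com"
CHICAGO = "OU=Chicago," + DOMAIN
ACCOUNTING = "OU=Accounting," + CHICAGO
RESEARCH = "OU=Research," + CHICAGO
LABS = "OU=Labs," + RESEARCH

# OU DN -> groups delegated directly on that OU, and whether it blocks inheritance
OUS = {
    CHICAGO: {"delegated": {"Chicago-OU-Owners"}, "block": False},
    ACCOUNTING: {"delegated": {"Chi-Acct-Admins"}, "block": False},
    RESEARCH: {"delegated": {"Chi-Research-Admins"}, "block": True},
    LABS: {"delegated": set(), "block": False},
}


def parent_dn(dn):
    """Drop the leftmost RDN to get the parent container's DN."""
    return dn.partition(",")[2]


def effective_admins(dn, ous):
    """Map each group that controls `dn` to the OU where it was delegated."""
    result = {}
    current = dn
    while current in ous:
        for group in ous[current]["delegated"]:
            result.setdefault(group, current)
        if ous[current]["block"]:
            break  # delegations made above this OU do not flow past it
        current = parent_dn(current)
    return result


def inherited_reach(ous):
    """List (ou, group, source_ou) where control comes from a higher OU."""
    findings = []
    for dn in sorted(ous):
        for group, source in sorted(effective_admins(dn, ous).items()):
            if source != dn:
                findings.append((dn, group, source))
    return findings


if __name__ == "__main__":
    for ou, group, source in inherited_reach(OUS):
        print(f"{group} controls {ou} via delegation on {source}")
```

In this sample the location owners reach the Accounting OU but not Research or the Labs OU beneath it, because Research blocks inheritance.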
OUs Based on Organization, Then Location

With an OU design strategy that is first based on organization and then location, the OU trees are based upon the organization's departmental makeup with the objects organized based on location, as seen in Figure 5.5. Using this strategy, the administrative control of objects can be delegated to administrative staff responsible for objects at each of the locations, whereas all of the resources can be owned by a department's own administrative staff. This allows for a strong level of autonomous administration and security; however, the OU structure is vulnerable to reorganization because the departmental design of the company could change.
Figure 5.5: OU structure based on Organization, then Location
Very large companies using the cost center-based, product/service-based, or project-based business models may create an OU tree that is based on the organizational makeup of the company and then have a decentralized administrative staff that is responsible for the resources within different geographic regions. This allows for more efficient control of the resources while still allowing the OU owners to have a level of autonomy over the objects that represent their resources within the company.
You will notice that each of the design options has its own unique set of advantages and disadvantages. To choose the best design for your company, you will have to weigh the pros and cons of each strategy so that you come up with a design that is the best fit for your environment. If your company is not going to undergo many reorganizations or mergers and acquisitions, you may want to choose a design that makes the delegation of control easiest for your current administrative model. Company reorganizations could force a reevaluation of the departmental makeup within the organization, thus forcing the OU hierarchy to change. Projects that are completed or abandoned will also force the OU structure to change. You may not want to rework the OU structure every time management decides they want to try running the business in a new fashion.
You will find that the adage "The only constant is change" will probably ring true no matter what strategy you employ, so try to employ the strategy that appears to be the least likely to change but reflects the way the administration is provided.