Organizational Units (OUs)


https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/reviewing-ou-design-concepts

https://learn.microsoft.com/en-us/answers/questions/1663568/ou-permissions


https://medium.com/@ihouelecaurcy/mastering-organizational-units-ous-in-windows-server-structure-strategy-best-practices-94bd74f4a22c

https://community.spiceworks.com/t/how-to-organize-computers-to-ou-in-active-directory-to-link-gpos/1087953

https://www.techtarget.com/searchwindowsserver/definition/organizational-unit-OU


  • Containers for organizing AD objects (users, computers, groups)
    • OUs are not security principals: you cannot grant permissions to an OU the way you grant them to a group (you can, however, set permissions on an OU to delegate control of the objects inside it)
  • Used for administrative delegation and Group Policy application

Personal Definition:

Organizational Units (OUs) are containers that can hold users, groups, and computers. They are the smallest unit to which Group Policy can be linked, and they allow for hierarchical organization.


Built-in OUs in Microsoft Entra Domain Services:

AADDC Computers - Contains computer objects for all domain-joined computers
AADDC Users - Contains the users and groups synchronized from the Microsoft Entra tenant


Common (example) OU Structure

(imported from web diagram)

Domain Root
├── Users (default container - not an OU)
├── Computers (default container - not an OU)
├── Domain Controllers (OU)
├── Corporate (custom OU)
│   ├── Users
│   │   ├── IT Department
│   │   ├── HR Department
│   │   └── Sales Department
│   ├── Computers
│   │   ├── Workstations
│   │   ├── Laptops
│   │   └── Servers
│   └── Groups
│       ├── Security Groups
│       └── Distribution Groups
└── Service Accounts (custom OU)


Structure:

  • Domain Root - The top level of the structure, representing the entire domain
  • Containers vs OUs - Items marked as "default container" are built-in and cannot have Group Policies linked to them directly (GPOs linked at the domain level still apply to the objects they hold); custom OUs can have policies linked

Components:

  • Corporate OU - Main custom organizational unit that houses all company-specific objects
  • Departmental structure - Separate user OUs per department (IT, HR, Sales) allow different policies per department
  • Computer organization - Workstations, Laptops, and Servers split by device type so each can receive its own policies
  • Groups location - Security Groups (for permissions) and Distribution Groups (for email)
  • Service Accounts OU - Isolated at root level for the special accounts that applications use, so they can get their own policies and delegated administration

Policy & Management :

  • Inheritance flow - Policies applied to "Corporate" flow down to all sub-OUs unless
  • Administrative delegation - Each OU can have different admins
  • GPO application - Group Policies can be linked at any OU level and affect all objects within and below

Design :

  • Logical grouping - Structure mirrors the real-world organization (departments, device types) for easier management
  • Security boundary - Each OU can have unique security settings, password policies, and access controls (note: the domain account password policy settings only take effect when linked at the domain level, and fine-grained password policies target users and groups rather than OUs; the true security boundary in AD is the forest)
  • Scalability design - Structure allows easy addition of new departments or computer types without reorganizing existing OUs
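The following script is an added example (not from the page or from Microsoft's docs) that builds the sample OU tree above, links one GPO at "Corporate" so it flows down to every sub-OU, and then audits for sub-OUs that block inheritance. It assumes an on-premises AD DS domain, the ActiveDirectory and GroupPolicy RSAT modules, and an account allowed to create OUs and GPOs; "Corporate Baseline" is a constructed GPO name.

```powershell
# Added example (not from the page or Microsoft docs). Assumes an on-premises AD DS
# domain, the ActiveDirectory and GroupPolicy RSAT modules, and an account allowed to
# create OUs and GPOs. "Corporate Baseline" is a constructed GPO name.
Import-Module ActiveDirectory
Import-Module GroupPolicy
$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com

# The tree from the diagram: parent (relative path) => child OU names.
$tree = [ordered]@{
    ''                    = @('Corporate', 'Service Accounts')
    'Corporate'           = @('Users', 'Computers', 'Groups')
    'Corporate/Users'     = @('IT Department', 'HR Department', 'Sales Department')
    'Corporate/Computers' = @('Workstations', 'Laptops', 'Servers')
    'Corporate/Groups'    = @('Security Groups', 'Distribution Groups')
}

function ConvertTo-OuDN([string]$RelativePath) {
    # 'Corporate/Users' -> 'OU=Users,OU=Corporate,DC=corp,DC=example,DC=com'
    if ($RelativePath -eq '') { return $domainDN }
    $parts = $RelativePath -split '/'
    [array]::Reverse($parts)
    return (($parts | ForEach-Object { "OU=$_" }) -join ',') + ",$domainDN"
}

foreach ($parent in $tree.Keys) {
    $parentDN = ConvertTo-OuDN $parent
    foreach ($child in $tree[$parent]) {
        $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$child'" `
                      -SearchBase $parentDN -SearchScope OneLevel
        if (-not $exists) {
            # Protection flag stops an admin from deleting a whole subtree by mistake.
            New-ADOrganizationalUnit -Name $child -Path $parentDN `
                -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Link one GPO at Corporate; every sub-OU inherits it unless that sub-OU blocks inheritance.
$corpDN = ConvertTo-OuDN 'Corporate'
$gpo = Get-GPO -Name 'Corporate Baseline' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'Corporate Baseline' }
$linked = (Get-GPInheritance -Target $corpDN).GpoLinks | Where-Object DisplayName -eq $gpo.DisplayName
if (-not $linked) { New-GPLink -Name $gpo.DisplayName -Target $corpDN -LinkEnabled Yes | Out-Null }

# Audit: list OUs below Corporate that block inheritance; each one breaks the top-down flow.
Get-ADOrganizationalUnit -Filter * -SearchBase $corpDN -SearchScope Subtree |
    ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
    Where-Object GpoInheritanceBlocked |
    Select-Object Path, GpoInheritanceBlocked
```

Running the script twice is safe: existing OUs and an existing link are detected and skipped.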

MANAGEMENT TOOLS AND EXAMPLES

Create an organizational unit (OU) in Microsoft Entra Domain Services - Microsoft Entra ID
Learn how to create and manage a custom Organizational Unit (OU) in a Microsoft Entra Domain Services managed domain.
https://learn.microsoft.com/en-us/entra/identity/domain-services/create-ou

BEST PRACTICES:

TO DO

https://learn.microsoft.com/en-us/previous-versions/technet-magazine/cc462797(v=msdn.10)?redirectedfrom=MSDN



WRITING MY OWN GROUP POLICY:

Create a Group Policy Object
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717274(v=ws.11)