Designing Your Organizational Unit Structure

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When you plan your configuration management solution, ensure that you design an OU structure that facilitates the management of Group Policy.

The OU hierarchy does not need to mirror your organization’s departmental hierarchy. Create every OU to have a defined purpose, such as delegation of authority or application of Group Policy. Business needs must drive the OU hierarchy. By delegating administrative authority, you can designate groups of users to have control over the users and computers or other objects in an OU. An OU is the smallest Active Directory container to which you can assign Group Policy settings.

Note

  • Redirusr.exe (for user accounts) and redircomp.exe (for computer accounts) are two new tools included with Windows Server 2003 to assist with the application of Group Policy to new user and computer accounts. These tools are located in %windir%\system32. New user and computer accounts are created in the CN=Users and CN=Computers containers by default. It is not possible to apply Group Policy directly to these containers. By running Redirusr.exe and Redircomp.exe once for each domain, the domain administrator can specify OUs into which all new user and computer accounts are placed at the time of creation. This allows administrators to manage these unassigned accounts by using Group Policy before the administrators assign them to the OU in which they are finally placed. It is recommended that the OUs used for new user and computer accounts be highly restricted by means of linked GPOs to increase security around new accounts.

For more information about redirecting the Users and Computers containers, see article Q324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

For more information about the redirusr.exe and redircomp.exe tools, see the Redirecting Users and Computers link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.