Reviewing Organizational Unit Design Concepts
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The OU structure for a domain includes the following:
- A diagram of the OU hierarchy.
- A list of OUs.
- For each OU:
  - The purpose for the OU.
  - A list of users or groups that have control over the OU or the objects in the OU.
  - The type of control that users and groups have over the objects in the OU.
The OU hierarchy does not need to reflect the departmental hierarchy of the organization or group. OUs are created for a specific purpose, such as the delegation of administration, the application of Group Policy, or to limit the visibility of objects.
You can design your OU structure to delegate administration to individuals or groups within your organization that require the autonomy to manage their own resources and data. OUs represent administrative boundaries and enable you to control the scope of authority of data administrators.
For example, you can create an OU called ResourceOU and use it to store all the computer accounts that belong to the file and print servers managed by a group. Then you can configure security on the OU such that only data administrators in the group have access to the OU. This prevents data administrators in other groups from tampering with the file and print server accounts. Figure 2.36 shows an organizational unit that is created to enable delegation of administration.
Figure 2.36 Creating an Organizational Unit to Delegate Administration
You can further refine your OU structure by creating subtrees of OUs for specific purposes, such as the application of Group Policy, or to limit the visibility of protected objects so that only certain users can see them. For example, if you need to apply Group Policy to a select group of users or resources, you can add those users or resources to an OU and then apply the Group Policy to that OU. You can also use the OU hierarchy to enable further delegation of administrative control.
Figure 2.37 shows a subtree that was created inside the ResourceOU. The subtree includes two additional OUs: the Print Servers OU holds the computer accounts of all the print servers, and the File Servers OU holds the computer accounts of all the file servers. This subtree enables the application of a separate Group Policy to each type of server managed in the ResourceOU.
Figure 2.37 Creating an Organizational Unit Subtree for Application of Group Policy
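The ResourceOU design from the two passages above (delegating control of server accounts to one group, then adding a subtree so each server type can carry its own Group Policy), carried through as an added PowerShell example. This is not code from the original article, which predates the ActiveDirectory and GroupPolicy modules it uses; the domain name corp.example.com, the group name "ResourceOU Data Admins" and the two GPO names are assumptions.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory and
# GroupPolicy modules (RSAT) and a domain such as corp.example.com; OU, group and
# GPO names are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com

# 1. ResourceOU holds the computer accounts of the file and print servers.
$resourceOU = New-ADOrganizationalUnit -Name 'ResourceOU' -Path $domainDN `
    -ProtectedFromAccidentalDeletion $true -PassThru

# 2. Subtree: one OU per server type so each can receive its own Group Policy.
$printOU = New-ADOrganizationalUnit -Name 'Print Servers' -Path $resourceOU.DistinguishedName -PassThru
$fileOU  = New-ADOrganizationalUnit -Name 'File Servers'  -Path $resourceOU.DistinguishedName -PassThru

# 3. Delegation: only this group's data administrators get control, and only over
#    computer objects under ResourceOU. No ACE is added for any other group, so
#    data administrators elsewhere cannot tamper with the server accounts.
$dataAdmins = New-ADGroup -Name 'ResourceOU Data Admins' -GroupScope Global `
    -Path $resourceOU.DistinguishedName -PassThru
$sid = [System.Security.Principal.SecurityIdentifier]$dataAdmins.SID

# schemaIDGUID of the 'computer' class; limits the ACE to computer objects.
$computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$ouPath = "AD:\$($resourceOU.DistinguishedName)"
$acl = Get-Acl -Path $ouPath
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path $ouPath -AclObject $acl

# 4. Group Policy: one GPO linked to each sub-OU of the subtree.
New-GPO -Name 'Print Server Baseline' | New-GPLink -Target $printOU.DistinguishedName
New-GPO -Name 'File Server Baseline'  | New-GPLink -Target $fileOU.DistinguishedName
```

The inherited-object-type GUID on the ACE is what keeps the delegation narrow: the group receives full control of computer objects in ResourceOU and its sub-OUs, not of the OUs themselves or of any user or group objects placed there later. Record that scope in the OU design, since it is exactly the "type of control" the structure document is supposed to list for each OU.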
While there is no technical limit to the number of levels in your OU structure, for the purpose of manageability, it is recommended that you limit your OU structure to a depth of no more than 10 levels. There is no technical limit to the number of OUs on each level. Note that Active Directory–enabled applications might have restrictions on the number of characters used in the distinguished name (the full LDAP path to the object in the directory), or on the OU depth within the hierarchy.
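A check for the depth and distinguished-name-length guidance above, as an added PowerShell example that is not part of the original article. The 10-level limit comes from the text; the 255-character DN limit is an assumed application restriction (the article gives no number) and should be set to whatever the application you deploy actually requires. The sample distinguished names are constructed.

```powershell
# Added example, not from the original article. Reports the OU depth and DN
# length of each distinguished name so over-deep branches can be found before an
# Active Directory-enabled application rejects them.
function Test-OUDepth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $DistinguishedName,
        [int] $MaxDepth = 10,       # manageability guideline from the article
        [int] $MaxDnLength = 255    # assumed application limit; adjust as needed
    )
    process {
        # Split on unescaped commas only, so an RDN such as "Sales\, East" stays whole.
        $rdns  = [regex]::Split($DistinguishedName, '(?<!\\),')
        $depth = @($rdns | Where-Object { $_ -match '^\s*OU=' }).Count
        [pscustomobject]@{
            DistinguishedName = $DistinguishedName
            OUDepth           = $depth
            Length            = $DistinguishedName.Length
            ExceedsDepth      = $depth -gt $MaxDepth
            ExceedsLength     = $DistinguishedName.Length -gt $MaxDnLength
        }
    }
}

# Constructed sample input: a print server in the ResourceOU subtree, and a
# deliberately deep 12-level branch that breaks the depth guideline.
$deepBranch = (1..12 | ForEach-Object { "OU=Level$_" }) -join ','
$samples = @(
    'CN=PRINT01,OU=Print Servers,OU=ResourceOU,DC=corp,DC=example,DC=com',
    "CN=SRV01,$deepBranch,DC=corp,DC=example,DC=com"
)

$samples | Test-OUDepth | Format-Table -AutoSize

# Against a live domain, feed the function every OU instead of the samples:
# Get-ADOrganizationalUnit -Filter * |
#     Select-Object -ExpandProperty DistinguishedName |
#     Test-OUDepth | Where-Object { $_.ExceedsDepth -or $_.ExceedsLength }
```

Depth is counted as the number of OU components in the name, so the first sample reports a depth of 2 and the second a depth of 12 with ExceedsDepth set. Because the OU structure is meant to change over time, the live-domain query at the end is worth re-running as part of the periodic design review the article recommends.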
The Active Directory organizational unit structure is not intended to be visible to end users. The organizational unit structure is an administrative tool for service and data administrators and is easy to change. Continue to review and update your OU structure design to reflect changes in your administrative structure and to support policy-based administration.