I think Hunter speaks wisdom on this one.  

Keep in mind that you want an OU for delegation of authority, GPOs (just
ease of admin), and logical grouping of objects primarily.  Given your
criteria, I don't think you'll have a one-size-fits-all solution for this
and so following your administration model will be the best way to approach
this IMHO.  What you may want to consider is a domain-based grouping model
where all NA users are in one container, all NA workstations are in a
container, all applications that may need special GPOs are in another NA
container etc.  Same for Europe.  

If you want to hedge your bets, populate the information on the users with
regards to office, location, etc so you can easily sort and regroup if this
doesn't end up working for you.

Keeping things as simple as possible is a really good idea with Active
Directory.  Going through and adding extra administrative overhead by
creating thousands of OUs can be cumbersome.  It can also impact
performance if you go too deep, so be aware of that as well.

Have you taken into account any growth plans?  You may want to prior to
finalizing the OU decisions. 

My $0.02 anyway.
  

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 04, 2004 1:12 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU design quandary

Mike-

I think you'll want to lean towards Camp Two. Do you have a single group
that handles all aspects of user account management (creation, modification,
deletion, password resets, etc)? If you don't, and you put all 35,000 users
in one OU, then you're going to have a bunch of IT support staff who can
modify user objects outside of their areas of responsibilities. Same with
workstations, servers, and anything else that you dump into one generic OU.

Same thing for Group Policies. If you have a group of 1,000 users that need
a specific group policy, why assign that GPO to an OU with 35,000 users and
then have to filter out 34,000 of them so they don't get the GPO? Or have
dueling admins in GP wars?

You don't have to go crazy with an elaborate OU structure, but I think
you'll quickly run into all kinds of hassles if you try the all-in-one
approach.

Hunter
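
The delegation and GPO-scoping model Hunter describes, as an added PowerShell example (not code from any poster on this thread); it assumes the ActiveDirectory and GroupPolicy modules are available, and the region label, group name and GPO name are placeholders:

```powershell
# Added example, not from any poster on this thread. Assumes the ActiveDirectory
# and GroupPolicy modules and rights to create OUs/groups/GPOs in the domain.
# Region label, group name and GPO name are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=na,DC=example,DC=com
$region   = 'NA'                                  # placeholder region label

# 1. Regional grouping: one container per object type under the region OU.
$regionOU = New-ADOrganizationalUnit -Name $region -Path $domainDN -PassThru
foreach ($child in 'Users', 'Workstations', 'Applications') {
    New-ADOrganizationalUnit -Name $child -Path $regionOU.DistinguishedName | Out-Null
}
$usersOU = "OU=Users,OU=$region,$domainDN"

# 2. Delegation: the regional helpdesk may reset passwords on user objects in
#    this OU only, rather than holding rights over every user in one flat OU.
$helpdesk = New-ADGroup -Name "$region-Helpdesk" -GroupScope Global `
    -Path $regionOU.DistinguishedName -PassThru
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class

$acl = Get-Acl -Path "AD:\$usersOU"
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$usersOU" -AclObject $acl

# 3. Group Policy: link the GPO to the OU that needs it instead of linking it
#    at the top and filtering the other 34,000 users out.
$gpo = New-GPO -Name "$region-Users-Baseline"
New-GPLink -Guid $gpo.Id -Target $usersOU -LinkEnabled Yes | Out-Null

# Verification: show the explicit (non-inherited) ACEs granted to the helpdesk
# group on the Users OU, so the delegation can be reviewed.
(Get-Acl -Path "AD:\$usersOU").Access |
    Where-Object { $_.IdentityReference -like "*$region-Helpdesk" -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```
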

-----Original Message-----
From: Mike Baudino [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 04, 2004 10:19 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OU design quandary

All,

We are in the final stages of a global AD design for our company.  The
design will have two user domains -- one for North America and one for
Europe -- and it will have an empty root.  Each of the user domains will
have approximately 35,000 users.  Software distribution will be via Tivoli.

Two camps have emerged regarding OU structure and there's a rather large gap
between them.  I'm asking for your expert and experienced input to help
resolve this issue.

Camp one:
We're going to search instead of browse.  So put all users in a single users
OU, put all desktop machines in a single desktops OU, put all laptops in a
single laptops OU, put all IIS servers in a single OU, all SQL servers in a
single, etc, etc, etc.  Manage by groups instead of by OU in which the
object resides.

Camp two:
Regardless of whether we're going to search or browse, at some point having
office hierarchy in the OU design will be helpful enough that it's necessary
to build it now.  Users, desktops and laptops will be grouped as child OUs
to the office OUs.  Servers for applications will be grouped by function and
then by the application suite or ASP that is responsible for the
application.  Allows more granular delegation and application of group
policy.


We have too little actual deployment and management experience in Active
Directory, especially at this size, to make a definitive decision, so I would
appreciate any and all feedback regarding the pros and cons.


Thanks,
Mike


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/