I get the sense that everyone is really getting deep into the theory and highlighting the differences in how the art of design is practiced ;)
 
 
OUs are grouping mechanisms in a directory world. Microsoft makes it easy to work with because you can change them easily and often if you like. As easily as changing groups. That's not the case with LDAP directories...
 
As for OU design, as mentioned it's not a performance impact, but rather an administrative impact[2]. Were it me, I'd continue to use the same OU structure you had before (based on the information you've presented and the experience you've mentioned) since it works for you and the way you manage your directory/users/etc.
 
Rule #1 of design - the design should work for the company it's being built for based on their requirements and not the application vendor's requirements[1].
Rule #2 of design - when in doubt, be sure to reference rule #1.
 
[1] Within the confines of reality, of course. The consultant's job is to act as a transmission - marry the power of the application with the path of the business to move the company towards its goals as seamlessly as possible.
 
[2] Think about it: if you have too many OUs you won't be able to effectively administer the system. If you didn't set recommendations like "...keep it 5-7 deep." then people would deploy 105.2 OUs deep every chance they got. Then they'd wonder why they had "unexpected" results. By unexpected, I mean they didn't expect it, but the system will do what it does regardless. PITA to troubleshoot as well.
 
Al

On 4/13/06, Ulf B. Simon-Weidner wrote:
Yes - prio 1 is delegation, prio 2 GPOs since you have multiple ways to influence GPOs.

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile: http://mvp.support.microsoft.com/profile

From: [EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, April 13, 2006 9:22 AM
Subject: Re: [ActiveDir] OU's Structure

 
Joe,
 The problem is that, as someone else mentioned, your OU structure serves two purposes:
 
1) To delegate authority
2) To apply rights and restrictions via GPOs
 
Now if you are going to delegate authority, as far as I can see, the only way to do that is via OUs. You could apply specific rights to individual users, but that's messy to manage and impractical. On the other hand, users get many rights already because of group membership, so it's (more?) natural to apply GPOs based on group membership rather than having rights or restrictions "drop on you from above" because of where you are in AD. Mind you, of course NTFS rights may also descend from above.
 
Dave.
 
As a general rule, I am much more a fan of setting up my GPO structure on an OU basis versus a group filtering basis. If anything applying a bunch of GPOs to an OU a user is in and then filtering out which ones they really have access to with groups would be slower than having multiple OU levels because there are more GPOs to loop through and check. I doubt it would add very much overhead but there would certainly be more than a deployment based on the hierarchical structure would have.
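The two jobs the thread gives an OU structure (delegation first, GPO scoping second, with group-based security filtering as the alternative to deeper OU nesting) can be seen side by side in a small PowerShell lab script. This is an added example, not code from anyone on the list: it assumes a hypothetical domain example.com with an existing OU=Corp container, hypothetical groups EXAMPLE\HelpDesk-Tier1 and EXAMPLE\WS-Pilot, the RSAT ActiveDirectory and GroupPolicy modules, and rights to create OUs and GPOs.

```powershell
# Added example, not from the thread. Domain, OU and group names below are
# hypothetical; run only against a lab domain you control.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=com'
$corpOu   = "OU=Corp,$domainDn"
$usersOu  = "OU=Users,$corpOu"
$wsOu     = "OU=Workstations,$corpOu"

# --- Purpose 1: delegation. The OU is the boundary the helpdesk may act on. ---
New-ADOrganizationalUnit -Name 'Users'        -Path $corpOu -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Workstations' -Path $corpOu -ProtectedFromAccidentalDeletion $true

# Grant "Reset Password" plus read/write pwdLastSet on user objects under the
# Users OU only (/I:S = inherit to sub-objects, not the OU itself). dsacls is
# the stock tool; Set-Acl with ActiveDirectoryAccessRule writes the same ACEs.
dsacls $usersOu /I:S /G 'EXAMPLE\HelpDesk-Tier1:CA;Reset Password;user'
dsacls $usersOu /I:S /G 'EXAMPLE\HelpDesk-Tier1:RPWP;pwdLastSet;user'

# --- Purpose 2: GPO scoping. Link by OU, then narrow by group if needed. ---
New-GPO -Name 'WS-Baseline' | New-GPLink -Target $wsOu -LinkEnabled Yes

# Security filtering, the group-based alternative to another OU level:
# only members of WS-Pilot get the GPO applied. Authenticated Users is
# downgraded to Read rather than removed: since MS16-072 the computer
# account must still be able to read user-side policy, or it silently fails.
Set-GPPermission -Name 'WS-Baseline' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name 'WS-Baseline' -TargetName 'WS-Pilot'            -TargetType Group -PermissionLevel GpoApply

# --- Checks a practitioner would run afterwards ---
# Raw ACE dump: confirms exactly what was delegated, and to whom.
dsacls $usersOu

# Linked and inherited GPOs on the OU, in the order the client processes them.
Get-GPInheritance -Target $wsOu

# OU depth report, against the "5-7 deep" guidance quoted in the thread.
# Depth = number of OU= components in the DN.
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn |
    ForEach-Object {
        [pscustomobject]@{
            Depth = ([regex]::Matches($_.DistinguishedName, 'OU=')).Count
            DN    = $_.DistinguishedName
        }
    } |
    Where-Object Depth -gt 7 |
    Sort-Object Depth -Descending
```

The delegation ACEs and the GPO link are both tied to the OU, which is why delegation drives the OU design; the Set-GPPermission step shows the group-filtering path a flat OU tree has to fall back on. Run gpresult /r on a member of WS-Pilot and on a non-member to confirm the filter behaves as intended before widening it.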