Active Directory OU – AD Organizational Unit Best Practices

Active Directory Organizational Units (OUs) help classify Active Directory (AD) objects so that administering users, computers and groups becomes simpler. Since OUs are an important tool for deploying an organization's policies, we have written this article on Active Directory OU – AD Organizational Unit Best Practices.

What is Active Directory

Microsoft’s Active Directory is one of the leading products in the Identity and Access Management (IAM) tools market. 

Active Directory (AD) is a database and a set of services that connect users with network resources. The database (or directory) in AD contains critical information about your environment (users and computers, access permissions). Active Directory makes sure each person is who they claim to be (authentication) and allows them to access only the data they are permitted to use (authorization).

While many of its users opt for a cloud domain controller using Microsoft Azure, it is on-premises Active Directory (AD) that dominates the market.

IAM in Active Directory

Identity and access management (IAM) is a set of processes and policies for naming and managing the roles and access privileges of users and devices across cloud-based and on-premises applications.

Implementing IAM helps secure networks, organize digital assets and simplify identity management. Follow the Active Directory OU – AD Organizational Unit Best Practices below to improve security.

What is an organizational unit (OU)

An OU is the smallest grouping in an AD domain to which Group Policy Objects (GPOs) or account permissions can be assigned for users, groups and computers.

Apart from those three object types, an OU can contain another OU – just not one from another AD domain.

The main purpose of implementing OUs is to assign the GPOs to sets of objects and to delegate management of the objects within the domain without the need for assigning domain administrator privileges.

Let’s start with Active Directory OU – AD Organizational Unit Best Practices.

Active Directory Organizational Unit (AD OU) best practices

The best practices below help reduce issues that could lead to breaches and abuse of privileges, such as unauthorized access. They also avoid confusion, make groups of assets easier to manage and let the OU structure scale with the business.

Follow this article about Active Directory OU – AD Organizational Unit Best Practices.

Plan before organizing

Like any technology security task, creating an OU structure in AD requires planning. Planning avoids confusion later when deciding where to place new objects.

A simple yet detailed design or layout plan cuts the need to add more OUs later when objects cannot be assigned to an existing one.

Put the plan to paper

OU structures are fluid – they change shape and size with every new object added or expired object deleted. New roles in an organization are created and assigned on a day-to-day basis.

The OU design and implemented structure need to be properly documented with details like why and by whom they were created. This makes it easier for administrators down the line when they need to modify or delete parts of the architecture.

Every user needs to be identified and assigned a role and privileges depending on the tasks they will perform in the organization. Here’s a sample design:

Grouping objects in AD

The easiest way to go about grouping objects is by choosing one of three models:

    • The geographic model – to group objects by location (London, Paris, Moscow, etc.)
    • The department model – to group objects by business units (Marketing, Finance, IT, etc.)
    • The type-based model – to group objects by features and characteristics (Computers, Servers, Laptops, etc. or Managers, Accountants, Programmers, etc.)

Keep different objects apart

Each user and computer created in AD is, by default, placed in its respective default container. Yet GPOs cannot be linked to containers.

Therefore, for the sake of easier GPO application, it is important to create separate OUs for users and computers.

Leverage OU nesting

Nesting OUs in AD lets administrators assign inheritance and delegate administrative rights with ease. They can assign permissions to some users and deny them to others – even when all of them sit under the same OU.

Apart from making delegation easier, nesting also keeps objects within an OU separated. Otherwise, a parallel OU would have to be created each time a group of objects required a unique right or role.

A rule of thumb here is to never nest OUs more than 10 layers deep to avoid confusion and conflicts.
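As an added example (not from the original article), the following PowerShell builds the kind of structure described in the last three sections with the ActiveDirectory module: a geographic layer, a department layer nested beneath it, separate Users and Computers OUs at the leaf, the default Users and Computers containers (which cannot have GPOs linked) redirected to staging OUs, and a depth check against the 10-level rule of thumb above. The domain, site and department names are placeholders; `redirusr.exe` and `redircmp.exe` are the built-in Windows tools for the redirection.

```powershell
# Added example, not the article's code. Assumes the ActiveDirectory module, a
# reachable DC, and an account allowed to create OUs. Names below are placeholders.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example
$Sites    = @('LON', 'PAR', 'MOW')             # geographic model: first layer
$Depts    = @('MKTG', 'FIN', 'IT')             # department model: second layer

# Create an OU only if it does not exist yet; always return its DN.
function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

$root = New-OUIfMissing -Name 'Corp' -Path $DomainDN
foreach ($site in $Sites) {
    $siteDN = New-OUIfMissing -Name $site -Path $root
    foreach ($dept in $Depts) {
        $deptDN = New-OUIfMissing -Name $dept -Path $siteDN
        # Keep users and computers apart so user GPOs and computer GPOs never mix.
        New-OUIfMissing -Name 'Users'     -Path $deptDN | Out-Null
        New-OUIfMissing -Name 'Computers' -Path $deptDN | Out-Null
    }
}

# New accounts land in CN=Users / CN=Computers by default, where no GPO can reach
# them. Redirect both default containers to staging OUs that do accept GPO links.
$staging  = New-OUIfMissing -Name 'Staging'      -Path $root
$newUsers = New-OUIfMissing -Name 'NewUsers'     -Path $staging
$newComps = New-OUIfMissing -Name 'NewComputers' -Path $staging
redirusr.exe $newUsers
redircmp.exe $newComps

# Depth check: count the OU= components of every OU's DN and report the maximum.
function Get-MaxOUDepth {
    $depths = Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        (($_.DistinguishedName -split ',') | Where-Object { $_ -like 'OU=*' }).Count
    }
    return ($depths | Measure-Object -Maximum).Maximum
}

$depth = Get-MaxOUDepth
if ($depth -gt 10) {
    Write-Warning "OU tree is $depth levels deep, which exceeds the 10-level rule of thumb."
} else {
    Write-Host "Deepest OU nesting: $depth level(s)."
}
```

The `-ProtectedFromAccidentalDeletion` flag is set on every OU so that a mis-click in the console cannot remove a whole branch; the redirection is done once per domain, not per OU.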

Implement a disaster recovery plan

Even the most secure networks face a risk of being breached. A breached AD could result not only in the loss of accounts – or their roles – but also in direct access to the entire network’s assets. A compromised Active Directory could also mean users and devices being locked out of the network – although they would still temporarily be able to log into their computers using cached credentials.

A wise administrator keeps the disaster recovery time as short as possible. The most important measures are to add a secondary AD domain controller and to implement a regularly scheduled server backup strategy.

Use a monitoring tool

There are many AD domain controller monitoring tools available that help keep the domain controllers healthy at all times, and investing in one is wise.

The monitoring tool should be configured to send alerts whenever suspicious activity is noticed (such as too many login attempts) or a drop in performance is encountered.
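As an added example (not from the original article or any particular monitoring product), the following PowerShell implements the "too many login attempts" alert as a job a monitoring tool or scheduled task could run on a domain controller every few minutes. It reads the standard Security-log events 4625 (logon failure) and 4771 (Kerberos pre-authentication failure), groups them by target account, and writes a warning to the Application log when an account exceeds a threshold. The threshold, window and event source name are values chosen for this example.

```powershell
# Added example, not the article's code. Run on a DC with rights to read the
# Security log; the threshold/window below are assumptions for this example.
$Threshold     = 10    # failed attempts per account within the window
$WindowMinutes = 10
$AlertSource   = 'OUBestPractices-Monitor'   # placeholder event source name

# Pull failed-logon events (NTLM/interactive 4625, Kerberos pre-auth 4771) for the window.
function Get-FailedLogonEvents {
    param([int]$Minutes)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625, 4771
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue
}

# Read one named field from an event's EventData section.
function Get-EventDataValue {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Group failures by account and return the ones above the threshold.
function Find-BruteForceCandidates {
    param($Events, [int]$Threshold)
    $Events |
        ForEach-Object {
            [pscustomobject]@{
                Account = Get-EventDataValue -Event $_ -Name 'TargetUserName'
                Source  = Get-EventDataValue -Event $_ -Name 'IpAddress'
            }
        } |
        Group-Object Account |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Name
                Failures = $_.Count
                Sources  = (($_.Group.Source | Sort-Object -Unique) -join ', ')
            }
        }
}

# Raise the alert where the monitoring tool will see it: a Warning in the Application log.
function Send-Alert {
    param($Candidate)
    if (-not [System.Diagnostics.EventLog]::SourceExists($AlertSource)) {
        New-EventLog -LogName Application -Source $AlertSource
    }
    $msg = "Account '$($Candidate.Account)' had $($Candidate.Failures) failed logons " +
           "in the last $WindowMinutes minutes from: $($Candidate.Sources)"
    Write-EventLog -LogName Application -Source $AlertSource -EventId 1001 -EntryType Warning -Message $msg
    Write-Warning $msg
}

$events = Get-FailedLogonEvents -Minutes $WindowMinutes
Find-BruteForceCandidates -Events $events -Threshold $Threshold | ForEach-Object { Send-Alert -Candidate $_ }
```

Because failures are grouped by account rather than by source address, the check also surfaces attempts spread across many hosts; a second grouping by `Source` is a natural extension when one address hits many accounts.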

Introduce InfraSOS Active Directory Reporting Tool

  • Create a compliant Active Directory by using our Reporting Tool and Office 365 Reports.
  • InfraSOS is available as an on-prem AD / Azure AD / Office 365 SaaS reporting solution.
  • Improve the security and health of your Active Directory by finding: a) the true last login time for users; b) users who haven’t logged on in the last 30 days; c) users whose passwords have expired; d) locked-out users.
  • Many more reports on your AD (over 200 reports).
  • Azure AD / Office 365 Reports.
  • Active Directory Logon Reports.
  • Active Directory Password Reports.
  • Active Directory GPO Reports.

Keep track of structural changes

An administrator must stay on top of changes in the AD structure. They should be informed whenever a user no longer needs their account or when a role assignment changes.

An organization should have a process whereby, for example, the accounts of departing employees are disabled. It should keep track of employees’ movements within the organization and adjust their roles and permissions accordingly. The same goes for hardware being reassigned to a new department.
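As an added example (not from the original article), the following PowerShell is a scheduled hygiene job for the process just described: it finds enabled accounts that have not logged on for 30 days (the same report the InfraSOS section mentions), disables them, records why on the object, strips their group memberships and moves them to a Disabled OU. The OU DNs and the "NoAutoDisable" exclusion group for service and break-glass accounts are placeholders. One caveat worth knowing: `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which can lag a real logon by up to 14 days, so the job runs in `-WhatIf` mode until the report has been reviewed.

```powershell
# Added example, not the article's code. Assumes the ActiveDirectory module and an
# account delegated rights on the OUs below; all DNs and group names are placeholders.
Import-Module ActiveDirectory

$InactiveDays = 30
$LiveOU       = 'OU=Corp,DC=corp,DC=example'                        # placeholder
$DisabledOU   = 'OU=Disabled,OU=Staging,OU=Corp,DC=corp,DC=example' # placeholder
$ExclusionGrp = 'NoAutoDisable'                                     # placeholder group

# Accounts that must never be auto-disabled (service accounts, break-glass admins).
function Get-ExcludedGuids {
    param([string]$GroupName)
    try   { (Get-ADGroupMember -Identity $GroupName -Recursive).ObjectGUID }
    catch { @() }   # no exclusion group present: nothing is excluded
}

# Enabled users under the live OU with no logon in the last $Days days.
function Get-StaleUsers {
    param([int]$Days, [string]$SearchBase, [guid[]]$Exclude)
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($Days)) -UsersOnly -SearchBase $SearchBase |
        Where-Object { $_.Enabled -and ($Exclude -notcontains $_.ObjectGUID) } |
        Get-ADUser -Properties LastLogonDate, Description
}

# Offboarding steps, each honouring -WhatIf so the job can be dry-run.
function Disable-StaleUser {
    param($User, [string]$TargetOU, [switch]$WhatIf)
    $note = "Disabled $(Get-Date -Format 'yyyy-MM-dd') by offboarding job; last logon: $($User.LastLogonDate)"
    Disable-ADAccount -Identity $User -WhatIf:$WhatIf                  # 1. block logons
    Set-ADUser -Identity $User -Description $note -WhatIf:$WhatIf      # 2. record why, for the audit trail
    Get-ADPrincipalGroupMembership -Identity $User |                    # 3. strip privileges
        Where-Object { $_.Name -ne 'Domain Users' } |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $User -Confirm:$false -WhatIf:$WhatIf }
    Move-ADObject -Identity $User.DistinguishedName -TargetPath $TargetOU -WhatIf:$WhatIf   # 4. leave the live OU
}

$excluded = Get-ExcludedGuids -GroupName $ExclusionGrp
$stale    = Get-StaleUsers -Days $InactiveDays -SearchBase $LiveOU -Exclude $excluded

# Report first, then act. Remove -WhatIf once the report has been reviewed.
$stale | Select-Object SamAccountName, LastLogonDate, DistinguishedName | Format-Table -AutoSize
$stale | ForEach-Object { Disable-StaleUser -User $_ -TargetOU $DisabledOU -WhatIf }
```

Moving the disabled object out of the live OU matters as much as disabling it: GPOs and delegated rights on the original OU stop applying, and the Disabled OU can carry its own much tighter delegation.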

Audit trails are important – use them

One way malicious users gain access to a network is by escalating privileges through manipulated OUs.

It is therefore important to keep an eye on changes made by anyone other than the administrators. This can be done by enabling the “Audit Directory Service Access” audit policy, configured for both “Success” and “Failure” events.
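As an added example (not from the original article), the following PowerShell turns that advice into three concrete steps: enable the audit subcategory named above (plus "Directory Service Changes", which is the subcategory that records the old and new attribute values in events 5136 to 5141), place a SACL on the OU tree so that write operations by anyone are actually audited, and report OU modifications made by accounts outside the expected administrator list. The OU DN and the administrator names are placeholders; on domain controllers the subcategories are normally set through Group Policy, and `auditpol.exe` shows the equivalent local setting.

```powershell
# Added example, not the article's code. Assumes the ActiveDirectory module, a DC,
# and SeSecurityPrivilege to write SACLs. The OU DN and admin names are placeholders.
Import-Module ActiveDirectory

$OUDN           = 'OU=Corp,DC=corp,DC=example'   # placeholder: root of the OU tree to watch
$ExpectedAdmins = @('ou-admin1', 'ou-admin2')    # placeholder: accounts allowed to change OUs

# 1. Audit policy: the article's subcategory plus "Changes", which logs before/after values.
auditpol.exe /set /subcategory:"Directory Service Access"  /success:enable /failure:enable
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. SACL on the OU tree: without an audit ACE nothing is written, whatever the policy says.
$path     = "AD:\$OUDN"
$acl      = Get-Acl -Path $path -Audit
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                $everyone, $rights,
                [System.Security.AccessControl.AuditFlags]'Success, Failure',
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Review: OU objects modified (5136), created (5137), moved (5139) or deleted (5141)
#    by anyone who is not on the expected administrator list.
function Get-UnexpectedOUChanges {
    param([int]$Hours = 24, [string[]]$Admins)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5136, 5137, 5139, 5141
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Subject = $d['SubjectUserName']
            Class   = $d['ObjectClass']
            Object  = if ($d['ObjectDN']) { $d['ObjectDN'] } else { $d['NewObjectDN'] }  # 5139 uses New/OldObjectDN
            Attr    = $d['AttributeLDAPDisplayName']
            Value   = $d['AttributeValue']
        }
    } |
    Where-Object { $_.Class -eq 'organizationalUnit' -and ($Admins -notcontains $_.Subject) }
}

Get-UnexpectedOUChanges -Hours 24 -Admins $ExpectedAdmins | Format-Table -AutoSize
```

The `Attr` column is what makes the report actionable: a change to `gPLink` on an OU, for example, means a different set of GPOs now applies to everything beneath it.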

Stick to a naming convention

All objects in an OU, and indeed in AD, should follow a naming convention that identifies them uniquely and descriptively. For example, “LON-MKTG-LAP1” would be the first laptop in the Marketing department of the London office.

Assigning its user the “LON-MKTG-L-RW” group would allow them to administer (RW for “Read, Write”) only the objects in that Marketing department. For the sake of simplicity, administrators should keep names no longer than 15 characters.
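As an added example (not from the original article), the following PowerShell turns the two sample names above into a validator that can be run over a list of proposed names or over the computers already in an OU. The exact pattern pieces (three-letter site code, two-to-five-letter department, LAP/DSK/SRV device types, a single scope letter and RO/RW/FC permission suffixes for groups) are assumptions made for this example; the 15-character limit is the article's and is also the NetBIOS computer-name maximum.

```powershell
# Added example, not the article's code. Pattern details are assumptions that decode
# the article's two sample names; the sample input at the bottom is constructed.
$MaxLength   = 15
$Conventions = @{
    # LON-MKTG-LAP1 -> site, department, device type, sequence number
    Computer = '^(?<site>[A-Z]{3})-(?<dept>[A-Z]{2,5})-(?<type>LAP|DSK|SRV)(?<seq>\d{1,3})$'
    # LON-MKTG-L-RW -> site, department, scope letter, permission level
    Group    = '^(?<site>[A-Z]{3})-(?<dept>[A-Z]{2,5})-(?<scope>[A-Z])-(?<perm>RO|RW|FC)$'
}

# Check one name against length and (case-sensitively) against its kind's pattern.
function Test-ObjectName {
    param([string]$Name, [ValidateSet('Computer', 'Group')][string]$Kind)
    $reasons = @()
    if ($Name.Length -gt $MaxLength)          { $reasons += "longer than $MaxLength characters" }
    if ($Name -cnotmatch $Conventions[$Kind]) { $reasons += "does not match the $Kind pattern" }
    [pscustomobject]@{
        Name   = $Name
        Kind   = $Kind
        Valid  = ($reasons.Count -eq 0)
        Reason = ($reasons -join '; ')
    }
}

# Constructed sample input for this example.
$samples = @(
    @{ Name = 'LON-MKTG-LAP1';      Kind = 'Computer' },  # valid
    @{ Name = 'LON-MKTG-L-RW';      Kind = 'Group'    },  # valid
    @{ Name = 'Bobs Laptop';        Kind = 'Computer' },  # free-text name
    @{ Name = 'LON-MARKETING-LAP1'; Kind = 'Computer' },  # 18 characters, department too long
    @{ Name = 'lon-mktg-l-rw';      Kind = 'Group'    }   # wrong case
)
$samples | ForEach-Object { Test-ObjectName -Name $_.Name -Kind $_.Kind } | Format-Table -AutoSize

# Audit what already exists (needs the ActiveDirectory module and a reachable DC).
function Find-NonConformingComputers {
    param([string]$SearchBase)
    Get-ADComputer -SearchBase $SearchBase -Filter * |
        ForEach-Object { Test-ObjectName -Name $_.Name -Kind Computer } |
        Where-Object { -not $_.Valid }
}
# Example: Find-NonConformingComputers -SearchBase 'OU=Corp,DC=corp,DC=example'
```

Running the same function from a provisioning script before `New-ADComputer` or `New-ADGroup` is called is what actually enforces the convention; the audit function catches what was created by hand.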

A naming convention ensures fewer mistakes are made.

Never use defaults

Avoid default values wherever possible. Default administrator accounts should not be used or copied – they should be renamed, and administrative accounts should be created from scratch for every OU to avoid granting permissions by mistake.

Administrators should make a habit of creating each OU’s administrative accounts afresh. Copying accounts, roles and permissions opens the door to the allocation of unwanted privileges. The accounts themselves should be renamed to make it harder for malicious users.

Start with the lowest privileges

A good strategy when assigning privileges is to allow the minimum. Default user roles should only allow users to do what they are supposed to do, and nothing more.

Implementing a least-privilege administrative model allows strict control of accounts. Additional privileges should only be granted once a user has the proper clearance. Even then, each new privilege should be added individually, not as a bundle, to avoid unauthorized access.
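As an added example (not from the original article), the following PowerShell shows what "added individually, not as a bundle" looks like in the OU's ACL: a helpdesk group for one department is granted exactly three things on the user objects beneath its OU (the "Reset Password" extended right, and write access to `pwdLastSet` and `lockoutTime` so it can force a change at next logon and unlock accounts), rather than Account Operators membership or full control of the OU. The OU DN and group name are placeholders; the schema and extended-right GUIDs are looked up from the directory instead of being hardcoded.

```powershell
# Added example, not the article's code. Assumes the ActiveDirectory module and an
# account allowed to modify the OU's ACL; the OU DN and group name are placeholders.
Import-Module ActiveDirectory

$OUDN  = 'OU=Users,OU=MKTG,OU=LON,OU=Corp,DC=corp,DC=example'   # placeholder OU
$Group = 'LON-MKTG-Helpdesk'                                      # placeholder group

$rootDse = Get-ADRootDSE

# Resolve schema attribute/class GUIDs and extended-right GUIDs from this forest.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
            -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
$lockoutTime = Get-SchemaGuid 'lockoutTime'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'
$sid         = (Get-ADGroup -Identity $Group).SID

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$ruleType = 'System.DirectoryServices.ActiveDirectoryAccessRule'
$rwProp   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Three separate, narrowly scoped ACEs: each applies only to descendant "user" objects
# (inheritedObjectType) and only to one right or attribute (objectType).
$rules = @(
    (New-Object -TypeName $ruleType -ArgumentList $sid, $extRight, $allow, $resetPwd,    $inherit, $userClass),
    (New-Object -TypeName $ruleType -ArgumentList $sid, $rwProp,   $allow, $pwdLastSet,  $inherit, $userClass),
    (New-Object -TypeName $ruleType -ArgumentList $sid, $rwProp,   $allow, $lockoutTime, $inherit, $userClass)
)

$acl = Get-Acl -Path "AD:\$OUDN"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$OUDN" -AclObject $acl

# Verify: list what the group can now do on this OU, and nothing more.
function Get-DelegatedRights {
    param([string]$OU, [string]$GroupName)
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
Get-DelegatedRights -OU $OUDN -GroupName $Group | Format-Table -AutoSize
```

Because inheritance is limited to descendants of the one OU, a member of this group cannot reset the password of an administrator account that lives elsewhere in the tree, which is the specific abuse that broad delegation invites.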

Enforce strict password policies

Every OU should have a GPO that enforces strict password policies. Although the default domain policy takes precedence over GPO password policies linked to OUs, fine-grained password policies should still be used for the users of an OU to make sure stricter rules apply to devices that are exposed to the public.

A laptop used by customer-facing staff, which is always online and used for financial transactions, should have stricter password policies than a back-office one used only, for example, for creating offline documents and spreadsheets.
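As an added example (not from the original article), the following PowerShell creates the stricter policy for the customer-facing staff described above. One caveat a practitioner needs here: a fine-grained password policy (a Password Settings Object) can be applied only to users and global security groups, never to an OU directly, so the example creates a global group, fills it with the users in the OU, and attaches the PSO to that group. The OU DN, group and policy names, and the specific limits are placeholder values chosen for this example; a final check reports any user in the OU who is not actually covered by the new policy.

```powershell
# Added example, not the article's code. Assumes the ActiveDirectory module, a
# Windows Server 2008+ domain functional level, and Domain Admin-level rights
# (required to create PSOs). DNs, names and limits below are placeholders.
Import-Module ActiveDirectory

$OUDN       = 'OU=Users,OU=MKTG,OU=LON,OU=Corp,DC=corp,DC=example'  # placeholder OU
$Group      = 'PSO-CustomerFacing'                                   # placeholder global group
$PolicyName = 'PSO-CustomerFacing-Strict'                            # placeholder PSO name

# 1. A global security group is the thing a PSO can target; build it from the OU.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security -Path $OUDN `
        -Description 'Members receive the strict customer-facing password policy'
}
$users = Get-ADUser -SearchBase $OUDN -SearchScope Subtree -Filter * | Where-Object { $_.Enabled }
Add-ADGroupMember -Identity $Group -Members $users

# 2. The PSO itself. Lower Precedence wins when a user is covered by several PSOs.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
        -ComplexityEnabled $true -MinPasswordLength 14 -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $Group

# 3. Verify: the domain default versus the resultant policy per user in the OU.
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, MaxPasswordAge, LockoutThreshold

function Get-UsersNotCoveredBy {
    param([string]$OU, [string]$PolicyName)
    Get-ADUser -SearchBase $OU -Filter * |
        Where-Object { $_.Enabled -and (Get-ADUserResultantPasswordPolicy -Identity $_).Name -ne $PolicyName } |
        Select-Object SamAccountName, DistinguishedName
}
Get-UsersNotCoveredBy -OU $OUDN -PolicyName $PolicyName
```

`Get-ADUserResultantPasswordPolicy` returns nothing for a user who falls back to the domain default, so anyone listed by the last call was created after the group was populated or was excluded from it; re-running step 1 on a schedule keeps the group in sync with the OU.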

That’s great! We have learned about Active Directory OU – AD Organizational Unit Best Practices. Let’s conclude.

Active Directory OU – AD Organizational Unit Best Practices Conclusion

We have seen that implementing best practices for AD OUs helps secure a network. One point that shouldn’t be forgotten, though, is that the security of the domain starts from the moment you begin installing AD.

Therefore, you should use professionals when you decide to set up Active Directory domain controllers. That is where we come in – contact us to find out how we can help secure your domain.

Liku Zelleke

Liku Zelleke is a technology blogger who has over two decades experience in the IT industry. He hasn’t looked back since the day, years ago, when he discovered he could combine that experience with his other passion: writing. Today, he writes on topics related to network configuration, optimization, and security for Cloud Infrastructure Services.
