Active Directory OU – AD Organizational Unit Best Practices. Active Directory organizational units (OUs) help classify Active Directory (AD) objects so that administering users, computers and groups is simpler. Since OUs are an important tool for deploying an organization's policies, we created this article about Active Directory OU – AD Organizational Unit Best Practices.
What is Active Directory
Active Directory (AD) is a database and a set of services that connect users with the network resources they need. The database (or directory) in AD contains critical information about your environment (users, computers, access permissions). Active Directory makes sure each person is who they claim to be (authentication) and allows them to access only the data they are permitted to use (authorization).
IAM in Active Directory
Implementing identity and access management (IAM) in Active Directory helps secure networks, organize digital assets and simplify identity management. Follow the Active Directory OU – AD Organizational Unit Best Practices below to improve security.
What is an organizational unit (OU)
Apart from the three object types (users, computers and groups), an OU can contain another OU, just not one from another AD domain.
Let’s start with Active Directory OU – AD Organizational Unit Best Practices.
Active Directory Organizational Unit (AD OU) best practices
Some of the best practices below reduce the issues that could lead to breaches and abuse of privileges, such as unauthorized access. Others avoid confusion, make it easier to manage groups of assets, and let the OU structure scale with the business.
Follow this article about Active Directory OU – AD Organizational Unit Best Practices.
Plan before organizing
Like any technology security task, creating an OU structure in AD requires planning. Planning helps avoid confusion later when it comes to deciding where to place new objects.
A simple, yet detailed, design or layout plan reduces the need to add more OUs later because a new object has nowhere to go.
Put the plan to paper
The OU design and implemented structure need to be properly documented with details like why and by whom they were created. This makes it easier for administrators down the line when they need to modify or delete parts of the architecture.
Grouping objects in AD
The easiest way to go about grouping objects is by choosing one of three models:
- The geographic model – to group objects by location (London, Paris, Moscow, etc.)
- The department model – to group objects by business units (Marketing, Finance, IT, etc.)
- The type-based model – to group objects by features and characteristics (Computers, Servers, Laptops, etc. or Managers, Accountants, Programmers, etc.)
Keep different objects apart
Leverage OU nesting
Apart from making administration easier, nesting also keeps objects within an OU separated. Otherwise, a parallel OU would need to be created each time a group of objects required a unique right or role.
A rule of thumb here is to never nest OUs more than 10 layers deep to avoid confusion and conflicts.
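The following added example (not from the original article) reports OU nesting depth so that the ten-layer rule of thumb can be checked rather than assumed. It assumes the RSAT ActiveDirectory module in a domain-joined session; the $MaxDepth parameter and the DN-counting approach are the example's own.

```powershell
# Added example: flag OUs nested deeper than the rule of thumb.
# Assumes the ActiveDirectory (RSAT) module and a domain-joined session.
Import-Module ActiveDirectory

function Get-OUDepth {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Depth = number of "OU=" components in the DN (a top-level OU has depth 1).
    # Split on unescaped commas only so escaped commas (\,) inside names are kept.
    $parts = $DistinguishedName -split '(?<!\\),'
    return @($parts | Where-Object { $_ -match '^OU=' }).Count
}

function Get-DeepOUReport {
    param([int]$MaxDepth = 10)   # assumed default, matching the article's rule of thumb
    Get-ADOrganizationalUnit -Filter * |
        ForEach-Object {
            [pscustomobject]@{
                Depth = Get-OUDepth -DistinguishedName $_.DistinguishedName
                Name  = $_.Name
                DN    = $_.DistinguishedName
            }
        } |
        Where-Object { $_.Depth -gt $MaxDepth } |
        Sort-Object Depth -Descending
}

# Lists only the OUs that break the limit, deepest first.
Get-DeepOUReport -MaxDepth 10 | Format-Table Depth, Name, DN -AutoSize
```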
Implement a disaster recovery plan
Even the most secure networks face a risk of being breached. A breached AD could result not only in the loss of accounts, or of their roles, but also in direct access to the entire network's assets. A compromised Active Directory could also mean users and devices being locked out of the network, although they would still temporarily be able to log into their computers using cached credentials.
Use a monitoring tool
Introduce InfraSOS Active Directory Reporting Tool
- Create a compliant Active Directory by using our Reporting Tool and Office 365 Reports.
- InfraSOS is available as an on-prem AD / Azure AD / Office 365 SaaS reporting solution.
- Improve the security and health of your Active Directory by finding: the true last login time for users; users who haven't logged on in the last 30 days; users whose passwords have expired; or locked-out users.
- Many more reports on your AD (over 200 reports).
- Azure AD / Office 365 Reports.
- Active Directory Logon Reports.
- Active Directory Password Reports.
- Active Directory GPO Reports.
Keep track of structural changes
An organization should have a process where, for example, accounts are disabled for employees leaving it. It should track employees' movements within the organization and adjust their roles and permissions accordingly. The same goes for hardware that is reassigned to a new department.
Audit trails are important – use them
One way malicious users gain access to a network is with the help of escalated privileges through manipulated OUs.
It is therefore important to keep an eye on changes made by anyone other than the administrators. This can be done by enabling the "Audit Directory Service Access" audit policy, configured to record both "Success" and "Failure" events.
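As an added example (not from the original article), the script below turns on the directory service audit subcategories and then lists recent object changes made by accounts outside a known administrator list, which is the review the paragraph above calls for. It assumes an elevated session on a domain controller; the $KnownAdmins entries and the 24-hour window are constructed for illustration.

```powershell
# Added example: enable directory service auditing and review changes by non-admins.
# "Directory Service Access" records access events (4662); "Directory Service Changes"
# records the create/modify/move/delete events (5136-5141) examined below.
auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

function Get-UnexpectedDirectoryChanges {
    param(
        [string[]]$KnownAdmins = @('CORP\adm.jsmith', 'CORP\adm.akhan'),  # assumed list
        [int]$Hours = 24
    )
    # 5136 = object modified, 5137 = created, 5139 = moved, 5141 = deleted.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5136, 5137, 5139, 5141
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $actor = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        # Move events (5139) carry OldObjectDN/NewObjectDN instead of ObjectDN.
        $dn = if ($data.ContainsKey('ObjectDN')) { $data.ObjectDN } else { $data.NewObjectDN }
        if ($KnownAdmins -notcontains $actor) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                EventId  = $e.Id
                Actor    = $actor
                Class    = $data.ObjectClass
                ObjectDN = $dn
            }
        }
    }
}

Get-UnexpectedDirectoryChanges | Format-Table -AutoSize
```

Change events are only written for objects whose SACL audits the operation, so verify the SACL on the OUs you care about if a test change does not show up.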
Stick to a naming convention
All the objects in the OU, and indeed in the AD, need to follow a naming convention. In the case of objects, it helps identify them uniquely and descriptively. A “LON-MKTG-LAP1” would be the first laptop in the Marketing department in the London office.
Assigning its user the "LON-MKTG-L-RW" group would allow them to administer (RW for "Read, Write") only the objects in the Marketing department. For the sake of simplicity, administrators should make sure that names aren't longer than 15 characters.
A naming convention ensures fewer mistakes are made.
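To make the convention enforceable rather than advisory, here is an added example (not from the original article) that checks AD computer and group names against the SITE-DEPT-TYPE pattern and the 15-character limit described above. The site and department codes, the exact regular expressions and the search base OU are assumptions to adapt to your own convention; it assumes the RSAT ActiveDirectory module.

```powershell
# Added example: report objects whose names break the naming convention.
Import-Module ActiveDirectory

$Sites       = 'LON', 'PAR', 'MOW'     # assumed site codes
$Departments = 'MKTG', 'FIN', 'IT'     # assumed department codes
$MaxLength   = 15                      # the article's limit (also the NetBIOS computer name limit)

function Test-ObjectName {
    param([Parameter(Mandatory)][string]$Name)
    $siteAlt = $Sites -join '|'
    $deptAlt = $Departments -join '|'
    # Computers: SITE-DEPT-TYPE<n>, e.g. LON-MKTG-LAP1. Groups: SITE-DEPT-<scope>-<RW|RO>, e.g. LON-MKTG-L-RW.
    $computerPattern = "^($siteAlt)-($deptAlt)-(LAP|DSK|SRV)\d+$"
    $groupPattern    = "^($siteAlt)-($deptAlt)-[A-Z]+-(RW|RO)$"
    $problems = @()
    if ($Name.Length -gt $MaxLength) { $problems += "longer than $MaxLength characters" }
    if ($Name -notmatch $computerPattern -and $Name -notmatch $groupPattern) {
        $problems += 'does not match SITE-DEPT-TYPE convention'
    }
    return $problems
}

function Get-NamingViolations {
    # Groups are read from a dedicated OU so built-in groups are not flagged (assumed DN).
    $objects = @(Get-ADComputer -Filter * | Select-Object Name, @{n='Kind';e={'computer'}}) +
               @(Get-ADGroup -Filter * -SearchBase 'OU=Groups,DC=corp,DC=example' |
                 Select-Object Name, @{n='Kind';e={'group'}})
    foreach ($o in $objects) {
        $issues = @(Test-ObjectName -Name $o.Name)
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Kind = $o.Kind; Name = $o.Name; Issues = ($issues -join '; ') }
        }
    }
}

Get-NamingViolations | Format-Table -AutoSize
```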
Never use defaults
Avoid using default values for everything. Administrator accounts should not be reused or copied; they should be renamed and assigned from scratch for every OU to avoid granting permissions by mistake.
Administrators should make a habit of recreating each OU's administrator accounts. Copying accounts, roles and permissions opens the door to the allocation of unwanted privileges. The accounts themselves should be renamed to make things harder for malicious users.
Start with the lowest privileges
A good strategy when assigning privileges is to grant the minimum. Default user roles should only allow users to do what they are supposed to do, and nothing more.
Implementing a least-privilege administrative model allows strict control of accounts. Additional privileges should only be granted once a user has the proper clearance. Even then, each new privilege should be added individually and not as a bundle, to avoid unauthorized access.
Enforce strict password policies
Every OU should have a GPO that enforces strict password policies. Although the default AD policy takes precedence over GPO password policies, fine-grained password policies for OUs should still be used to make sure stricter rules apply to devices that are exposed to the public.
A laptop used by customer-facing staff, which is always online and used for financial transactions, should have a stricter password policy than a back-office machine used only, for example, for creating offline documents and spreadsheets.
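The stricter customer-facing policy described above, as an added example (not from the original article). A fine-grained password policy is applied to users or global security groups rather than linked to an OU, so the example targets a group that holds the OU's customer-facing users; the policy name, group name, sample user and all threshold values are assumptions, and the RSAT ActiveDirectory module is required.

```powershell
# Added example: a stricter fine-grained password policy (PSO) for customer-facing staff.
Import-Module ActiveDirectory

$PolicyName  = 'PSO-CustomerFacing-Strict'    # assumed
$TargetGroup = 'LON-MKTG-CustomerFacing'      # assumed global security group holding the OU's users
$SampleUser  = 'jdoe'                         # assumed member, used only to verify the result

# Create the PSO once; lower Precedence wins when several PSOs apply to one user.
if (-not (Get-ADFineGrainedPasswordPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-ADFineGrainedPasswordPolicy -Name $PolicyName `
        -Precedence 10 `
        -MinPasswordLength 16 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}

# Apply the PSO to the group rather than to individual users.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $TargetGroup

# Confirm which policy actually wins for a member of the group.
Get-ADUserResultantPasswordPolicy -Identity $SampleUser |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```

If the resultant policy shown is not the new PSO, another PSO with a lower Precedence value applies to that user and takes priority.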
That’s great! We have learned about Active Directory OU – AD Organizational Unit Best Practices. Let’s conclude.
Active Directory OU – AD Organizational Unit Best Practices Conclusion
We have seen that implementing best practices for AD OUs helps secure a network. But one point that shouldn't be forgotten is that the security of the domain starts from the moment you begin installing AD.