Organising Active Directory

ByTerry Watts

Comparing Server 2012 Active Directory Users and Computer tools with Server 2003

This post is as an update to the Server 2003 version of Organising Active Directory Users and Computers.  The structure and operation of Active Directory hasn’t really changed much on the surface as you can see from the comparative screenshots below.

2003

2003 Active Directory Structure

2012 R2

ActiveDirectory2012

To access Active Directory Users and Computers, Start Server Manager, then from the Tools Menu, choose Active Directory Users and Computers.

Default Structures

The default structure of Active Directory is fine if you are only managing a handful of machines with a handful of users, although implementing a sensible structure at an early stage will result in less work later on.

The Default Active Directory structure has the following containers;

  • Built-in:  Contains Domain-Local security groups, such as Administrators, Users and Guests.
  • Computers:  The Default location where computer accounts are created when a machine joins the domain.
  • Domain Controllers:  The Default location for servers that are network Domain Controllers (Actually an Organisational Unit).
  • ForeignSecurityPrinciples:  A container used for storing Domain Trust account details.
  • Managed Service Accounts: A container that is used for storing account details for Managed Services (see Technet Blog)
  • Users:  Contains the Administrator account as well as Global Security Groups.

Objects (such as users, groups and computers) in Active Directory are stored in containers or Organisational Units (OU).  Out of the box, Active Directory has some containers and a single OU.  It’s important to note that you can’t create containers and to be honest they aren’t going to be much use to you anyway since you can’t apply all important Group Policies to a container.  Objects are created in Active Directory by right clicking in the appropriate branch and then choosing New context menu item.

Organising Active Directory

It is good practice to create an Organisational Structure that fits the needs of the establishment.  A structure that allows the network administrator to build up Group Policies and separate resources.  This allows common policies to be applied to both students and staff, and then apply further restrictions where needed.

I usually start organising Active Directory by creating the following structures, starting with a Managed OU sitting at the top of my Active Directory tree.

Active Directory Structure

This structure obviously isn’t set in stone and should be adjusted to suit the particular environment and organisational structure of your business. Organising Active Directory with separate areas for “Users” and “Computers” will give greater flexibility with Group Policy.  The Computers OU can be crafted into curriculum areas, or into actual classrooms if you want to manage this level of detail.

Accidental Deletion

Something to note when you are creating a new OU is that since Server 2008, the OU will be automatically protected against accidental deletion of the OU.  The feature can potentially prevent hours worth of Active Directory authoritative restores or account re-creation, since when you delete an OU, you can also delete everything in it.

Active Directory, create OU

It really is worth designing your Active Directory in advance, although if you decide to change things later, it is possible to drag and drop Objects around in the GUI.  If you decide to move Active Directory objects, keep in mind that object inheritance is key, especially with Group Policies.  Don’t forget to switch off the accidental deletion protection for Organisational Units that you want to move.  Enabling the Advanced Features view (from the View menu of the Active Directory Users and Computers app), then right clicking the OU you wish to move, select the Object tab, then remove the tick from Protect object from accidental deletion.

 

Similar Posts

Adding Roles to Server 2012

Since Windows 2008, Microsoft introduced the concepts of adding roles and features into the Server Operating System.  Roles and Features were added to Windows by using the links within System Manager.  The same is true of Server 2012, although they are no longer separate tasks.  A role can be defined as a Service or Program…

Installing a new Windows Server 2003 Domain

Getting a company to setup and install your network will always be easier than planning and deploying your own network solution, but if you have the time and are willing to learn then you can save your school some money.  This guide will attempt to help you to setup a Windows Server 2003 Domain for…

Group Policy Management Console

If you have been using Windows 2000 and Windows 2003 server platforms with Active Directory, you will already be aware of the power and flexibility that Group Policy can provide within the domain. Until recently Group Policy management was only available by using the Active Directory Users and Computers MMC snapin’s at the server or workstations…

GPOGUY.com – Group Policy Stuff

Whilst surfing the net looking for information on using Group Policy to set workstations power options so that they would not go into standby. I came across a website that had programs, links and valuable resources for Group Policy.

Desiging and Implementing a Folder Structure

When planning for your Server enabled environment, it is important to think about how the server resources will be managed.  Where are the user home folders going to live, how will these be accessed and will you require any type of public or resource folders.