This post is an update to the Server 2003 version of Organising Active Directory Users and Computers. The structure and operation of Active Directory hasn’t really changed much on the surface, as you can see from the comparative screenshots below.
To access Active Directory Users and Computers, Start Server Manager, then from the Tools Menu, choose Active Directory Users and Computers.
The default structure of Active Directory is fine if you are only managing a handful of machines with a handful of users, although implementing a sensible structure at an early stage will result in less work later on.
The default Active Directory structure has the following containers:
- Built-in: Contains Domain-Local security groups, such as Administrators, Users and Guests.
- Computers: The default location where computer accounts are created when a machine joins the domain.
- Domain Controllers: The default location for servers that are Domain Controllers (actually an Organisational Unit rather than a container).
- ForeignSecurityPrincipals: A container used for storing details of security principals from trusted domains.
- Managed Service Accounts: A container that is used for storing account details for Managed Services (see Technet Blog)
- Users: Contains the Administrator account as well as Global Security Groups.
Objects (such as users, groups and computers) in Active Directory are stored in containers or Organisational Units (OUs). Out of the box, Active Directory has some containers and a single OU. It’s important to note that you can’t create containers and, to be honest, they aren’t going to be much use to you anyway, since you can’t link the all-important Group Policies to a container. Objects are created in Active Directory by right-clicking the appropriate branch and choosing the object type from the New context menu.
Organising Active Directory
It is good practice to create an organisational structure that fits the needs of the establishment: one that allows the network administrator to build up Group Policies and separate resources. This allows common policies to be applied to both students and staff, with further restrictions applied where needed.
I usually start organising Active Directory by creating the following structures, starting with a Managed OU sitting at the top of my Active Directory tree.
This structure obviously isn’t set in stone and should be adjusted to suit the particular environment and organisational structure of your business. Organising Active Directory with separate areas for “Users” and “Computers” will give greater flexibility with Group Policy. The Computers OU can be crafted into curriculum areas, or into actual classrooms if you want to manage this level of detail.
Something to note when you are creating a new OU is that, since Server 2008, the OU is automatically protected against accidental deletion. This feature can save hours’ worth of Active Directory authoritative restores or account re-creation, since deleting an OU also deletes everything in it.
It really is worth designing your Active Directory in advance, although if you decide to change things later, it is possible to drag and drop objects around in the GUI. If you decide to move Active Directory objects, keep in mind that inheritance is key, especially with Group Policies: an object picks up the policies linked to its new OU. Don’t forget to switch off the accidental deletion protection for Organisational Units that you want to move. Enable the Advanced Features view (from the View menu of the Active Directory Users and Computers app), right-click the OU you wish to move, open its properties, select the Object tab and remove the tick from Protect object from accidental deletion.
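The same structure, built and then re-arranged with the ActiveDirectory PowerShell module rather than the GUI, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed and that the session has rights to create and move objects; the OU names (Managed, Users, Computers, Science, Languages) are assumptions standing in for the structure shown in the screenshots, and the helper function Move-ProtectedOU is hypothetical. $dryRun defaults to $true so nothing changes until you flip it.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and a session with rights to create and move OUs. OU names below are
# assumptions; adjust them to suit your own organisation.
Import-Module ActiveDirectory

$dryRun   = $true                      # set to $false to actually make changes
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Inspect the out-of-the-box top level: containers versus Organisational Units.
#    Only organizationalUnit objects (and the domain itself) can have Group Policy linked.
Get-ADObject -Filter * -SearchBase $domainDn -SearchScope OneLevel |
    Where-Object { $_.ObjectClass -in 'container', 'organizationalUnit', 'builtinDomain' } |
    Select-Object Name, ObjectClass |
    Format-Table -AutoSize

# 2. Build the Managed tree: Managed at the top, Users and Computers beneath it,
#    and the Computers OU split into curriculum areas (assumed names).
$tree = @(
    @{ Name = 'Managed';   Path = $domainDn }
    @{ Name = 'Users';     Path = "OU=Managed,$domainDn" }
    @{ Name = 'Computers'; Path = "OU=Managed,$domainDn" }
    @{ Name = 'Science';   Path = "OU=Computers,OU=Managed,$domainDn" }
    @{ Name = 'Languages'; Path = "OU=Computers,OU=Managed,$domainDn" }
)

foreach ($ou in $tree) {
    $dn = "OU=$($ou.Name),$($ou.Path)"
    $existing = $null
    try { $existing = Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop } catch { }
    if ($existing) { Write-Host "Exists:       $dn"; continue }

    if ($dryRun) {
        Write-Host "Would create: $dn"
    } else {
        # New OUs are protected from accidental deletion by default; stated explicitly here.
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
        Write-Host "Created:      $dn"
    }
}

# 3. Confirm every OU under Managed carries the accidental-deletion protection.
if (-not $dryRun) {
    Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Managed,$domainDn" `
        -Properties ProtectedFromAccidentalDeletion |
        Select-Object DistinguishedName, ProtectedFromAccidentalDeletion |
        Format-Table -AutoSize
}

# 4. Moving a protected OU: the protection denies the delete that a move relies on,
#    so lift it, move, then put it back (the scripted equivalent of unticking
#    "Protect object from accidental deletion" in the Object tab). Hypothetical helper.
function Move-ProtectedOU {
    param([string]$OuDn, [string]$TargetPath)
    Set-ADOrganizationalUnit -Identity $OuDn -ProtectedFromAccidentalDeletion $false
    $moved = Move-ADObject -Identity $OuDn -TargetPath $TargetPath -PassThru
    Set-ADOrganizationalUnit -Identity $moved.DistinguishedName -ProtectedFromAccidentalDeletion $true
    return $moved.DistinguishedName
}

if (-not $dryRun) {
    # Example: lift Languages out of Computers and put it directly under Managed.
    Move-ProtectedOU -OuDn "OU=Languages,OU=Computers,OU=Managed,$domainDn" `
                     -TargetPath "OU=Managed,$domainDn"
}

# 5. Move machines out of the default Computers container into the managed tree.
#    Remember the inheritance point: each moved account immediately picks up the
#    Group Policies linked to its new OU, so review those links before moving.
$target = "OU=Computers,OU=Managed,$domainDn"
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" -SearchScope OneLevel |
    ForEach-Object {
        if ($dryRun) {
            Write-Host "Would move $($_.Name) to $target"
        } else {
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $target
            Write-Host "Moved $($_.Name) to $target"
        }
    }
```

Run it once with $dryRun left at $true to see the top-level listing and the list of OUs and computer accounts it would touch, then set it to $false. Step 1 is the quickest way to see the container-versus-OU distinction the post describes: everything reported as container (Computers, Users, ForeignSecurityPrincipals, Managed Service Accounts) can hold objects but cannot have policy linked, which is why the post moves everything into OUs under Managed.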