Organising Active Directory

Comparing Server 2012 Active Directory Users and Computer tools with Server 2003

This post is as an update to the Server 2003 version of Organising Active Directory Users and Computers.  The structure and operation of Active Directory hasn’t really changed much on the surface as you can see from the comparative screenshots below.

2003

2003 Active Directory Structure

2012 R2

ActiveDirectory2012

To access Active Directory Users and Computers, Start Server Manager, then from the Tools Menu, choose Active Directory Users and Computers.

Default Structures

The default structure of Active Directory is fine if you are only managing a handful of machines with a handful of users, although implementing a sensible structure at an early stage will result in less work later on.

The Default Active Directory structure has the following containers;

  • Built-in:  Contains Domain-Local security groups, such as Administrators, Users and Guests.
  • Computers:  The Default location where computer accounts are created when a machine joins the domain.
  • Domain Controllers:  The Default location for servers that are network Domain Controllers (Actually an Organisational Unit).
  • ForeignSecurityPrinciples:  A container used for storing Domain Trust account details.
  • Managed Service Accounts: A container that is used for storing account details for Managed Services (see Technet Blog)
  • Users:  Contains the Administrator account as well as Global Security Groups.

Objects (such as users, groups and computers) in Active Directory are stored in containers or Organisational Units (OU).  Out of the box, Active Directory has some containers and a single OU.  It’s important to note that you can’t create containers and to be honest they aren’t going to be much use to you anyway since you can’t apply all important Group Policies to a container.  Objects are created in Active Directory by right clicking in the appropriate branch and then choosing New context menu item.

Organising Active Directory

It is good practice to create an Organisational Structure that fits the needs of the establishment.  A structure that allows the network administrator to build up Group Policies and separate resources.  This allows common policies to be applied to both students and staff, and then apply further restrictions where needed.

I usually start organising Active Directory by creating the following structures, starting with a Managed OU sitting at the top of my Active Directory tree.

Active Directory Structure

This structure obviously isn’t set in stone and should be adjusted to suit the particular environment and organisational structure of your business. Organising Active Directory with separate areas for “Users” and “Computers” will give greater flexibility with Group Policy.  The Computers OU can be crafted into curriculum areas, or into actual classrooms if you want to manage this level of detail.

Accidental Deletion

Something to note when you are creating a new OU is that since Server 2008, the OU will be automatically protected against accidental deletion of the OU.  The feature can potentially prevent hours worth of Active Directory authoritative restores or account re-creation, since when you delete an OU, you can also delete everything in it.

Active Directory, create OU

It really is worth designing your Active Directory in advance, although if you decide to change things later, it is possible to drag and drop Objects around in the GUI.  If you decide to move Active Directory objects, keep in mind that object inheritance is key, especially with Group Policies.  Don’t forget to switch off the accidental deletion protection for Organisational Units that you want to move.  Enabling the Advanced Features view (from the View menu of the Active Directory Users and Computers app), then right clicking the OU you wish to move, select the Object tab, then remove the tick from Protect object from accidental deletion.

 

Similar Posts

  • Adding DHCP to your Windows Server 2003

    DHCP is a service that is responsible for assigning IP addresses to computers on your network.  Using DHCP takes the hassle out of managing your network IP addresses.  DHCP is an essential part of using the PXE boot feature of your computers network card.

  • Planning a School Network

    ICT is major part of the school curriculum, the use of computers and IT resources has grown exponentially and continues to grow.  Almost gone are the days of running a few standalone PCs, or running a Peer to Peer Internet enabled network.  It is time to embrace the centralised server environment.  It isn’t as complex as…

  • Organising Active Directory for Users and Computers

    Organising Active Directory is a very powerful and flexible way to manage your school network. In this tutorial, we are going to create a basic structure that will allow us to manage both users and computers in a single branch.

  • Install the Windows Recovery Console for Server 2003

    Some times it is necessary to boot into the recovery console to repair your server installation or run a chkdsk.  Normally you would boot from the installation CD and choose the relevant boot options.  However you can also install the Recovery Console to the system partition so that you can boot into the recovery console…

  • Desiging and Implementing a Folder Structure

    When planning for your Server enabled environment, it is important to think about how the server resources will be managed.  Where are the user home folders going to live, how will these be accessed and will you require any type of public or resource folders.

  • GPOGUY.com – Group Policy Stuff

    Whilst surfing the net looking for information on using Group Policy to set workstations power options so that they would not go into standby. I came across a website that had programs, links and valuable resources for Group Policy.