Delegation and OUs (Organization Units)
Introduction
In my view, modern domains have lots of OUs, whereas old-fashioned thinking means that all the accounts are created in the one Users folder. There is a new breed of people called Network Architects, whose role is to help with designing OUs and to assist with delegating permissions. Delegation is versatile; for instance, at the DOMAIN level you could grant the HelpDesk global group the permission to reset any password in the entire domain.
Another use of delegation would be to give managers complete control of the users in their own department. With this arrangement managers can create new users, groups and computer objects, but only in their own OU. Now put on your Network Architect hat and plan those organizational units.
Topics
One problem with NT 4.0 domains was that often there were too many of them. This came about partly because of the SAM limit of 40 MB, but more likely because each manager wanted total control of their own department. You can solve this problem in Windows Server 2003 by creating OUs and then allowing each department control over its own users and OUs. Only create more domains when there is a good business case, for example a multinational company with different languages and vastly different security settings.
- Organize your users by 'filing' them into OUs named after their
departments.
- Delegate mundane tasks like resetting passwords to local administrators.
- Plan desktops through group policies. Realize that different OUs and
departments can have different group policy settings.
1. Organize users by 'filing' them into OUs
By default all users are created in the Users folder. Much better to
distribute users into OUs so that you can manage them more easily. Once you have
organized the user accounts you can apply the same techniques to computers and
groups.
2. Delegate mundane tasks like resetting passwords
Take the time-consuming job of account lockouts. Once you establish OUs and delegation, a local administrator or power user can reset the password and leave you to get on with more interesting work. You decide which administrators have control over which tasks. For the more experienced, you could allow them to create user accounts for new joiners and disable accounts for those who have left.
Active Directory Training. As an MCT trainer, I can thoroughly recommend TrainSignal because they provide practical hands-on training. In particular, I like the way that TrainSignal covers all learning methods: instructor-led, video and of course text material. You can either take one module, for example Active Directory, or go for a combination of modules.
Delegation Tactics
Firstly, create groups with delegation in mind. Example: Global Group = HelpDesk, to allow password changes. Global Group = HR Deputy, to add more users.
Secondly, consider the tactical question: "Do you delegate at the Domain level or at the OU level?" Example: at the Domain level, delegate HelpDesk to reset passwords. Example: at the OU HeadQuarters, delegate HR Deputy to create accounts for new staff.
Active Directory is flexible, so you can do both, or change your mind if the strategy changes.
3. Plan desktops through group policies
Incidentally, the default Users container is not an OU, so you cannot set group policies there. Group policies are the best way to control the user's desktop and to assign the software they need. Organizational units are the best place to apply most of the policy settings. The exceptions are security policies, which must be set at the domain level. By creating OUs you can fine-tune which software is assigned to which users. Customer-facing users will need stricter controls over their wallpaper and desktop icons than the back-room team in tech support.
OUs and delegation are virtually identical in Windows Server 2003 and Windows 2000. The only relevant new features are improvements to group policies, and they are covered on a separate page.
One minor change is that you can now drag and drop objects between OUs; however, take care, you do not want to lose your users!
Go to Active Directory Users and Computers, select the domain, right-click, New, Organizational Unit. Then, to delegate, right-click the OU; Delegate Control is the first item on the shortcut menu.
Firstly, make sure that the Security tab is available on the OU Properties. In the diagram above you would go to the View menu and select Advanced Features. Now go back and check the OU: Properties, Security (tab), Advanced should now be there.
When you create OUs, balance geographic sites with departmental structure. Example: create a top level of OUs reflecting the branch offices, then nest departments inside each branch OU.
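The branch-then-department layout just described, together with the earlier point that group policy belongs on OUs rather than on the Users container, as an added example (not code from the original page). It assumes the ActiveDirectory and GroupPolicy PowerShell modules, which arrived with Windows Server 2008 R2; Server 2003 offers only the GUI steps above. The branch, department and GPO names, and the use of the Office and Department user attributes to decide where each account belongs, are all assumptions for the illustration.

```powershell
# Added example (not from the original page): build the OU tree the text
# recommends, move users out of the default Users container into it, and
# link a desktop policy to a customer-facing department OU.
# Assumes the ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2
# or later). Branch, department and GPO names are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=com
$usersCN  = "CN=Users,$domainDN"                # a container, not an OU: cannot take a GPO link

# Top level reflects branch offices; departments nest exactly one level below.
$structure = @{
    'London'  = @('Sales', 'HR', 'TechSupport')
    'Glasgow' = @('Sales', 'HR')
}

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" `
                    -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $existing) {
        # Protection from accidental deletion also blocks an accidental
        # drag-and-drop move of the whole OU, the mishap the text warns about.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
            -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$ParentDN"
}

foreach ($branch in $structure.Keys) {
    $branchDN = New-OUIfMissing -Name $branch -ParentDN $domainDN
    foreach ($dept in $structure[$branch]) {
        $deptDN = New-OUIfMissing -Name $dept -ParentDN $branchDN

        # 'File' users whose Office and Department attributes match into the OU.
        # physicalDeliveryOfficeName is the LDAP name of the 'Office' field.
        $filter = "department -eq '$dept' -and physicalDeliveryOfficeName -eq '$branch'"
        Get-ADUser -Filter $filter -SearchBase $usersCN |
            Move-ADObject -TargetPath $deptDN
    }
}

# Group policy goes on an OU. Link a desktop lockdown policy to the
# customer-facing Sales OU in London; the same link against $usersCN
# would fail because the Users container cannot carry a GPO link.
$gpoName = 'Sales Desktop Lockdown'
$salesDN = "OU=Sales,OU=London,$domainDN"
$gpo = Get-GPO -All | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Wallpaper and desktop icon restrictions for customer-facing staff'
}
$linked = (Get-GPInheritance -Target $salesDN).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $salesDN -LinkEnabled Yes | Out-Null
}
```

Run it as a domain administrator from a machine with RSAT installed. Each OU is created only if absent and each user is moved only if its attributes match, so the script can be re-run after the next batch of accounts lands in the Users container.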
Delegation - Getting Started
When you right-click an OU or the domain, Delegate Control is the first item on the menu. Once activated, the wizard will lead you through the steps to select the group and then choose the tasks to delegate. It pays to run the wizard a number of times, just to see all the options available.
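The two delegations the Delegation Tactics section uses as examples (HelpDesk resetting passwords at the domain level, HR Deputy creating accounts in the HeadQuarters OU), done as explicit ACL entries rather than through the wizard, and then read back so you can verify what was granted. This is an added example, not code from the original page. It assumes the ActiveDirectory PowerShell module and its AD: drive (Windows Server 2008 R2 or later) and that the HelpDesk and HR Deputy groups and the HeadQuarters OU already exist; the schema and extended-right GUIDs are the standard Active Directory values.

```powershell
# Added example (not from the original page): delegate password resets to
# HelpDesk for the whole domain and account creation to HR Deputy for one OU,
# then list the explicit ACEs on each target to confirm the result.
# Assumes the ActiveDirectory module (Windows Server 2008 R2 or later).
# Group and OU names are hypothetical.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=com
$hqDN     = "OU=HeadQuarters,$domainDN"

# Schema and extended-right GUIDs the Delegation of Control wizard uses for these tasks.
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$pwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$lockoutTime   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute

$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-ObjectRule {
    # Allow $RightsMask on one attribute or extended right ($ObjectType),
    # applied only to descendant objects of class $AppliesTo.
    param($Sid, [System.DirectoryServices.ActiveDirectoryRights]$RightsMask,
          [Guid]$ObjectType, [Guid]$AppliesTo)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid, $RightsMask, $Allow, $ObjectType, $Inherit::Descendents, $AppliesTo)
}

function Grant-Rules {
    param([string]$TargetDN, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Rules)
    $acl = Get-Acl -Path "AD:\$TargetDN"
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# Delegate to groups, never to individual users.
$helpDeskSid = (Get-ADGroup -Identity 'HelpDesk').SID
$hrDeputySid = (Get-ADGroup -Identity 'HR Deputy').SID

# 1. Domain level: HelpDesk may reset the password of, and unlock, any user.
#    "Reset password" is the extended right plus read/write on pwdLastSet
#    (needed for "user must change password at next logon").
$rw = ($Rights::ReadProperty) -bor ($Rights::WriteProperty)
Grant-Rules -TargetDN $domainDN -Rules @(
    (New-ObjectRule $helpDeskSid ($Rights::ExtendedRight) $resetPassword $userClass),
    (New-ObjectRule $helpDeskSid $rw $pwdLastSet  $userClass),
    (New-ObjectRule $helpDeskSid $rw $lockoutTime $userClass)
)

# 2. OU level only: HR Deputy may create user objects in HeadQuarters and
#    fully manage the users there, and gets nothing elsewhere in the domain.
$createUsers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $hrDeputySid, ($Rights::CreateChild), $Allow, $userClass, $Inherit::All)
$manageUsers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $hrDeputySid, ($Rights::GenericAll), $Allow, $Inherit::Descendents, $userClass)
Grant-Rules -TargetDN $hqDN -Rules @($createUsers, $manageUsers)

# 3. Verify: explicit (non-inherited) ACEs, skipping the most common default principals.
function Get-DelegatedAces([string]$TargetDN) {
    (Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { -not $_.IsInherited -and
                       $_.IdentityReference -notmatch '^(NT AUTHORITY|BUILTIN)\\|Domain Admins|Enterprise Admins' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType
}
Get-DelegatedAces $domainDN | Format-Table -AutoSize
Get-DelegatedAces $hqDN     | Format-Table -AutoSize
```

The read-back at the end is the step worth keeping as a routine check: run Get-DelegatedAces against the domain root and each top-level OU periodically and compare against the delegation plan, since rights granted once through the wizard are easy to forget and stay in the ACL until someone removes them.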
- When you create your top-level OUs, consider whether they will contain skilled staff to whom you can delegate routine tasks such as resetting passwords.
- The two main choices at the top level are by geographic location or by department.
- Do not use more than one level of OU nesting.
- Remember to design your OU structure with Group Policies in mind.
- Decide in which OUs you will place the computers and groups.
- Delegate by group rather than by individual user.