i am in the process of restructuring the hierarchical structure of the local active directory server of the institution i am working for. I was wondering if anyone knew of any place i could find best practices for this task. For example if it is better to have machines and users in separate OUs etc or if there are any sites with examples i could have a look at to get ideas.


  • domain.local
    • computers
    • users
    • CompanyComputers
      • Servers
      • Workstations
        • Accounting
        • IT
        • Administration
    • CompanyUsers
      • Administration
      • Accounting
      • IT

The term "best-practices" when referring to the structure of your Active Directory is very open ended. There are a variety of factors that will determine what will make the most sense for you in your environment, and Microsoft identifies that what works for one enterprise will not necessarily work for another one.

That said, Microsoft recommends that you organize your AD structure in a logical manner, grouping objects together that have similar properties and that should share similar administrative properties.

These items that you may want to group together can include (but is certainly not limited to) the following

  • Physical Location of the Object
  • Desired effect of Group Policy of those objects (all objects are subject to same group policy unless otherwise stated)
  • Operating System of the computers
  • Object Type (computers, users, groups, general e-mail addresses, etc)
  • Department the object belongs to
  • Permission structures
  • Scripts that should run on the objects during logon/logoff or startup/shutdown
  • etc

It will be up to you to decide what structure works best for you. The 70-640 exam is exclusively for Active Directory administration and may prove to be a valuable asset to you in the structuring of your organization

EDIT : To reflect what Zoredache has pointed out, but flexibility is an important part of the AD structure. Companies are dynamic and you should plan your AD to be flexible. The key is the find a nice balance between functionality and flexibility.

  • I generally find that per-department OUs are often associated with ugly structures as the people realize that it is not unusual for people to work in multiple departments at the same time. I am not saying there is no place for that, just that you should avoid it unless you are certain you absolutely need it. – Zoredache Oct 05 '12 at 16:57
  • I would agree with you on that Zoredache - in any environment I've ever worked in we've avoided "per department" OU's, however I've mentioned them as Microsoft likes to use those structures in it's learning materials. – DKNUCKLES Oct 05 '12 at 17:10

Your structure looks generally good enough. My one suggestion is this. Don't get do per-department or per-program OUs unless the computers are dramatically different, or your departments are huge and you actually need them to be separate because of how many objects would be in a single OU that combined everyone.

I don't know about your organization but I have seen others where they have 'floater' people that move around from department to department as needed. This makes department level OUs to become a pain to detail with.

Some bad things I have seen people do as a result of people working in multiple departments is to build something silly like below where they create OUs that are meant as a join. The key thing to remember is group polices can easily apply to groups with the security filtering options. It is very easy to add people to groups as needed then create policies that only apply to specific groups. Trying to build an OU structure that permits the same level of flexibility as groups is difficult or impossibles.

  • CompanyUsers
    • Administration
    • Accounting
    • IT
    • Administration & Accounting
    • Administration & IT
    • Accounting & IT
I set mine up by departments, and now that some people work in both, it does become a bigger pain to manage. So from experience, I wouldn't recommend it.

