University of Colorado at Boulder    
UCB Windows 2000 Resource Center

 


 

OU Design Suggestions for Windows 2000 Administrators at UCB

Once you have been delegated control of your Organizational Unit (OU) as the administrator of your department, you will want to plan your departmental OU structure. The Network and Desktop Operating Systems (NDOS) group created this document to assist administrators with the design of their portion of the Active Directory (AD).

There are several ways to design the OU structure for your department, but some will work better than others. The most important thing to keep in mind when designing your OUs is the purpose they serve. OUs are not just for separating and organizing objects; they are also for administration and security. The only way department administrators can apply Group Policy Objects (GPOs) to select parts of their department is through OU division: GPOs can be applied at the OU level, but not to individual computers or groups. There are several other things you should consider when planning your OU structure.

First, you should consider which groups within your department need to be managed differently. Do administrators, staff, faculty or student employees have different levels of access to their own workstations? Are restrictions based on the computers or the users?

Second, familiarize yourself with the settings available in GPOs. They may contain more, or less, than you think they do. Read the "GPO How to" guide for some examples of GPO application and OU design for GPO management. Keep in mind that differing levels of access to resources (file servers or printers) can be controlled on the resources at a user or group level. This means you should not create an OU structure based on the users' permissions on a resource.

Third, are there distinct political or geographic divisions within your group that have different computer management needs? Make sure your design is based on the management of resources and users and not just on political boundaries. Politics and geography can be useful in guiding your design, but making your administration of resources easier is the goal of OU design.

Sample Designs

There are hundreds of ways to design an OU structure, but there are four basic designs that can be very useful. These are:

  • Political/Functional
  • Geographic
  • Resource-based
  • User classification

Each of these designs has merits and drawbacks, and you should look at which design(s) fit your environment. In many cases this means a combination of two or more designs. The organization and size of your department will greatly affect your choices.

Political/Functional Design

A politically based design is useful in larger organizations and in organizations where different political groups have different computing needs or environments.

[Figure: Windows 2000 OU with politically divided child OUs]

While this design seems like a natural choice for many people, it usually does not reflect the IT management needs of smaller departments. Larger departments that use this design should consider using it in conjunction with one of the remaining designs. For example, each of the subgroups of the department could be further organized by resource or user classification. Some combined designs will be shown later.

Geographic Design

Departments that are spread across campus or between campus and other facilities may want to consider a geographic design. This design is only useful if geographic boundaries also represent IT management divisions.

[Figure: Windows 2000 OU with geographically divided child OUs]

Obviously this design is less useful for units housed at a single location, or when location does not affect how IT is managed. As with the political/functional design, this design may be used in conjunction with other designs like the resource-based design.

Resource-based Design

Often it is best to manage computing resources by type of resource: desktop computer, server, printer, etc. This design is most useful when all resources of a given type, like servers, are managed in the same way.

[Figure: Windows 2000 OU with child OUs divided by resource]

These divisions can be sub-divided if a resource, like workstations, is generally managed in a certain way, but a few of them have additional management requirements. These sub-divisions may rely on one of the other OU designs, especially the user classification design.

User Classification

Resources may be managed based on a user's job or function within a department.

[Figure: Windows 2000 OU with child OUs divided based on user]

This design allows for differing levels of restriction based on a user's needs. It may be useful for smaller departments that have no need for political or geographic divisions and that maintain mainly desktop computers (reducing the need for a resource-based design).

Hybrid Designs

The previous designs can be combined in a number of ways for more granular organization. Hybrid designs are most useful to larger departments attempting to manage large numbers of computers. Here are some sample hybrid designs:

Resource-User Hybrid

[Figure: Windows 2000 OU with child OUs divided by resource and grandchild OUs divided by user]
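
As an added illustration (not part of the original guide), the Python sketch below models a Resource-User hybrid: it emits LDIF add records for the OU tree with parents before children, and lists which linked GPOs reach a given OU. The base DN, OU names and GPO names are constructed, and the inheritance model is deliberately simplified.

```python
# Added example; the base DN, OU names and GPO names are constructed.
BASE_DN = "OU=Physics,DC=example,DC=edu"  # hypothetical delegated department OU

# Resource-User hybrid: child OUs by resource, grandchild OUs by user class.
DESIGN = {"Workstations": ["Faculty", "Staff", "Student Labs"],
          "Servers": [], "Printers": []}

# Hypothetical GPO links, keyed by OU path below BASE_DN (root first).
GPO_LINKS = {
    (): ["Dept Baseline"],
    ("Workstations",): ["Workstation Lockdown"],
    ("Workstations", "Student Labs"): ["Lab Kiosk Restrictions"],
    ("Servers",): ["Server Hardening"],
}

def escape_rdn(value):
    """Backslash-escape characters that are special inside a DN value."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out

def ou_dn(path):
    """DN for an OU path given root first, e.g. ("Workstations", "Staff")."""
    rdns = ["OU=" + escape_rdn(p) for p in reversed(path)]
    return ",".join(rdns + [BASE_DN])

def ou_paths(design):
    """Every OU path, parents before children, so an import never meets a missing parent."""
    paths = []
    for child, grandchildren in design.items():
        paths.append((child,))
        paths.extend((child, g) for g in grandchildren)
    return paths

def to_ldif(design):
    """LDIF add records for the whole tree."""
    return "\n".join(
        f"dn: {ou_dn(p)}\nchangetype: add\nobjectClass: organizationalUnit\n"
        for p in ou_paths(design))

def effective_gpos(path):
    """GPOs linked at or above an OU in processing order: parent first, closest OU last.
    Simplified: ignores Block Inheritance, No Override and domain- or site-level links."""
    order = []
    for depth in range(len(path) + 1):
        order.extend(GPO_LINKS.get(tuple(path[:depth]), []))
    return order

if __name__ == "__main__":
    print(to_ldif(DESIGN))
    print(effective_gpos(("Workstations", "Student Labs")))
```

A computer placed in the Student Labs OU receives all three GPOs on its path, while one in the Faculty OU receives only the first two, which is the selective application that OU division makes possible.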

Geographic-Resource Hybrid

[Figure: Windows 2000 OU with child OUs divided by building and grandchild OUs divided by resource]

Getting Help

help@colorado.edu


       
 

Last reviewed: October 30, 2006

© 2000
The Regents of the University of Colorado