Step A1: Design the OU Structure

Published: February 25, 2008


Objects in the directory are organized by using organizational units (OUs). Two primary factors drive the OU design: the delegation of the administration of directory objects and the application of Group Policy objects (GPOs). Fundamentally, the OU design should be a reflection of how the objects in the domain are managed.

Changing the OU design is not difficult, but it can be complex since access control lists need to be carefully manipulated. Once delegation and Group Policy have been established, redesigning the OUs to which the configurations have been applied will take time.

Since OUs serve the dual roles of administration delegation and the application of Group Policy, it will be necessary to go through the design process for OUs twice: once for delegation and then a second time with an eye toward Group Policy usage.

Task 1: Design OU Configuration for Delegation of Administration

OUs can be used to delegate the administration of objects, such as users or computers, to a designated group. Although it is possible to delegate permissions to an individual, it is a best practice to use groups because as people change in the organization, it is easier to update membership in the delegation groups than to update the permissions on objects in the directory. Delegation by means of an OU involves the following tasks:

  • Identify or create administrative groups to which rights will be delegated.
  • Place the individuals or groups to which rights will be delegated into the OU.
  • Create the OUs to which the administrative groups will have authority.
  • Assign the object rights to be delegated to the administrative group within each OU.
  • Create/place the objects to be controlled within the OU.

When identifying the groups to which administrative tasks will be delegated, try to be as specific as possible about the minimum amount of control that is required. For example, if a group needs just the ability to update users’ telephone information, the group should not be granted full control.
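
The following PowerShell sketch is an added example, not part of the original guidance. It walks the delegation tasks above for the telephone case and grants a group only read/write on the telephoneNumber attribute of user objects in one OU. It assumes the ActiveDirectory module is available; the domain DN, OU name, and group name are placeholders.

```powershell
# Added example: least-privilege delegation on an OU.
# Assumed placeholder names: DC=corp,DC=example, OU "Staff", group "Staff-PhoneEditors".
Import-Module ActiveDirectory

$domainDN  = 'DC=corp,DC=example'     # assumption: placeholder domain
$ouName    = 'Staff'                  # assumption: OU to delegate
$groupName = 'Staff-PhoneEditors'     # assumption: delegation group
$ouDN      = "OU=$ouName,$domainDN"

# Task: create the administrative group that receives the delegated right.
$group = New-ADGroup -Name $groupName -GroupScope DomainLocal `
    -GroupCategory Security -Path "CN=Users,$domainDN" -PassThru

# Task: create the OU over which the group will have authority.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN

# Resolve schema GUIDs at run time instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$phoneGuid = Get-SchemaGuid 'telephoneNumber'   # attribute being delegated
$userGuid  = Get-SchemaGuid 'user'              # object class the ACE applies to

# Task: assign only the needed right. Read/write on telephoneNumber,
# inherited by descendant user objects, rather than full control.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $phoneGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Task: place the objects to be controlled in the OU, for example:
#   Move-ADObject -Identity '<user DN>' -TargetPath $ouDN

# Review what the group actually holds on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The final query is worth rerunning during periodic reviews: any ACE for a delegation group that shows GenericAll or an empty ObjectType is broader than the single-attribute grant intended here.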

Task 2: Design OU Configuration for Group Policy Application

OUs can be created to apply Group Policy settings to a specific subset of computers or users. By default, all objects in an OU will receive the settings contained in an applied GPO.

With the OU design complete from a delegation (or operations) perspective, the next step is to revise the OU design to account for any unique circumstances that Group Policy settings may introduce. For example, from a delegation perspective, an OU called “Workstations” may be established to delegate permissions to manage all workstations. When Group Policy considerations are applied, there may be a need for a desktop OU and a mobile OU to reflect the different policy needs for desktops and notebooks. In this case, the desktop and mobile OUs may be created as sub-OUs inside the Workstations OU, or the Workstations OU may be replaced by these two individual OUs.

Identify groups of users or machines to which a GPO needs to be applied. Then, examine the current OU design for the domain. Re-use existing OUs if possible and create new OUs only if necessary. If new OUs are created to support GPOs, then make sure to review the object delegation in the previous task to ensure that the object administration and operation model is up to date.

There are many filtering and targeting options for Group Policy application. Security filtering, Windows Management Instrumentation (WMI) filtering, and Group Policy preference targeting can all be used to target which objects receive which GPOs. Use these techniques only as a last resort; prefer the default Group Policy application and precedence. Filtered Group Policy security is very difficult to troubleshoot and manage and can cause a slight performance degradation for client logons.

Decision Summary

The OU structure needs to be defined for each domain in the design. At the end of this decision, the OU design should have identified the following:

  • OUs to be created, based on one of two design criteria: delegation of administration or Group Policy application.
  • Which objects need to be located in each OU.
  • Administration (Delegation) groups to be created and mapped to OUs.
  • Object rights to be granted to each group in each OU.
  • Which GPOs need to be created and to which OUs they should be linked.

Additional Reading

Best Practice Active Directory Design for Managing Windows Networks at

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.

