Creating a Basic OU Structure

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You need to create OUs for the users and computers you want to manage within your domain. This chapter uses a simple OU structure for a simple environment. If your environment requires a more complex OU structure, refer to the following documentation for planning information:

To create the OU structure

  1. Using GPMC, expand the forest node, the domains node, and the domain

  2. Right-click, and click Active Directory Users and Computers.

  3. In the Active Directory Users and Computers MMC, expand

  4. Right-click, point to New, and click Organizational Unit.

  5. For the new OU name, type IT.

  6. Repeat steps 4 and 5 to create OUs named Bookkeeping and Sales.

  7. Right-click the OU named IT, point to New, and click User.

  8. Type the user information for Florian Voss, as shown in Table 9.1. Set the User logon name as Florian, and click Next.

  9. When prompted for a User Password, type in a strong password. Make sure that User must change password at next logon is not checked.

  10. Repeat steps 7 through 9 to create the user accounts within the appropriate OUs, as shown in Table 9.1.

  11. With highlighted, click Builtin in the left pane, and double-click Administrators.

  12. Click Members, and click Add. In the object names text box, type Florian, and click Check Names to resolve the entry to Florian Voss. Click OK.

  13. In the right pane, double-click Domain Admins.

  14. Click Members and repeat step 12 to add Florian to the Domain Admins security group. Click OK twice, and click in the left pane.

  15. Right-click, point to New, and click Group.

  16. Type the group name RUPUsers. Make sure that the group type is Security, and that the group scope is Global.

  17. Double-click the security group RUPUsers.

  18. Click the Members tab, and click Add.

  19. Click Advanced, and click Locations.

  20. Expand adatum, click Sales, and click OK.

  21. To select all users in the Sales OU, click Find Now. To add the users to the RUPUsers security group, click OK.

  22. Repeat steps 17 through 19 to add all of the IT OU members to the RUPUsers security group.

  23. Close the Active Directory Users and Computers snap-in, and minimize GPMC.

Although not addressed in this chapter’s procedures, it is useful to understand that new user and computer accounts are created in the CN=Users and CN=Computers containers by default. It is not possible to apply Group Policy directly to these containers, although they inherit GPOs linked to the domain. Redirusr.exe (for user accounts) and Redircomp.exe (for computer accounts) are two new tools included with Windows Server 2003 that enable you to change the default location where new user and computer accounts are created so you can more easily scope GPOs directly to newly created user and computer objects. These tools are located in %windir%\system32.

By running Redirusr.exe and Redircomp.exe once for each domain, the domain administrator can specify the OUs into which all new user and computer accounts are placed at the time of creation. This allows administrators to manage these unassigned accounts by using Group Policy before the administrators assign them to the OU in which they are finally placed. You might want to consider restricting the OUs used for new user and computer accounts using Group Policy to increase security around new accounts.
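To confirm where new accounts actually land, the following added example (not part of the original documentation) parses the domain's wellKnownObjects attribute, which is where the redirection is recorded, and reports whether the default user and computer containers have been moved. The function name, the sample values, and the `DC=adatum,DC=example` suffix are constructed for illustration.

```powershell
# Added example: report whether new user/computer accounts are still created
# in CN=Users / CN=Computers, where no GPO can be linked directly.

# Well-known GUIDs that identify the default Users and Computers containers.
$WellKnown = @{
    'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
    'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
}

function Get-DefaultAccountContainer {   # hypothetical helper name
    param([string[]]$WellKnownObjects)

    foreach ($value in $WellKnownObjects) {
        # String form of a DN-with-binary value: B:32:<hex GUID>:<DN>
        if ($value -notmatch '^B:32:([0-9A-Fa-f]{32}):(.+)$') { continue }
        $guid = $Matches[1].ToUpper()
        $dn   = $Matches[2]
        if (-not $WellKnown.ContainsKey($guid)) { continue }

        $kind = $WellKnown[$guid]
        [pscustomobject]@{
            Kind       = $kind
            TargetDN   = $dn
            # Still the built-in container if the DN starts with CN=Users, / CN=Computers,
            Redirected = -not $dn.StartsWith("CN=$kind,",
                             [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# Constructed sample values: users redirected to an OU, computers left at the default.
$sample = @(
    'B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=NewUsers,DC=adatum,DC=example'
    'B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=adatum,DC=example'
    'B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=adatum,DC=example'
)

# Against a live domain (assumes the ActiveDirectory module is available):
#   $sample = (Get-ADObject (Get-ADDomain).DistinguishedName `
#              -Properties wellKnownObjects).wellKnownObjects

foreach ($r in Get-DefaultAccountContainer -WellKnownObjects $sample) {
    if ($r.Redirected) {
        "{0}: new accounts are created in {1}" -f $r.Kind, $r.TargetDN
    } else {
        "{0}: NOT redirected; new accounts only inherit domain-linked GPOs" -f $r.Kind
    }
}
```

With the sample data, the Users entry is reported as redirected to `OU=NewUsers` and the Computers entry is flagged as still using the default container.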

For more information about redirecting users and computers, see article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at

For information about Redirusr.exe and Redircomp.exe, see the Redirecting Users and Computers link on the Web Resources page at

For additional information about these tools, see "Designing a Group Policy Infrastructure" in this book.