OU-Specific Administration
One strategy is to establish specific administration within an OU. There are several ways to implement this. The flexibility provided in Active Directory makes almost anything possible. This section looks at two scenarios. The first scenario is based on an organization that has three levels of a possible large multinational administration. The major geographies are autonomous, and inside of the geographies are locations requiring administration. Table 13.4 describes the organizational requirements and the impact on administration. Figure 13.1 is a picture of a European domain expanded in the context of this implementation. There is a corporate domain, a European domain, and a North American domain.
| Region (Domain) | OU Implementation | Administrative Strategy |
|---|---|---|
| Europe (European domain) | OU for each country | Domains: No standards defined for the organization. European-unique security and desktop standards. |
| OU: Complete administrative control within OU. | ||
| North America (North American domain) | OU for each time zone | Domain: NA security, desktop standards, standard applications, and enterprise applications. |
| OU: Eastern, Central, Mountain, and Western. Regional administrators for maintenance. Little design authority in OU. |
Figure 13.1. Domain and OU design based on geography.
The second scenario, in Table 13.5, is with an enterprise that is divided based on corporate function. This company has a single domain and has OUs for each of the corporate functions. Each corporate function has a its own resources defined by location. As an example, manufacturing has an OU for each manufacturing plant. At each plant, an administration team collectively manages the manufacturing OU and manages the contents of the OU based on their location. Under this same design, the marketing organization, which only exists at corporate headquarters, has an OU that is managed by the centralized IT staff. Figure 13.2 gives a subset of what the domain and the OUs look like. Each has their own number of OUs based on the organization. Associated with each location OU are users, computers, GPOs, and printers.
| Corporate Organization (OU) | OU Implementation | Administrative Strategy |
|---|---|---|
| There is a single domain for the entire enterprise. | ||
| Finance | OU based on each physical office location | All the OUs are managed by corporate IS with input from a central administrator for Finance. |
| Sales | OU for each sales region | All the OUs are managed by corporate IS with input from a central administrator for Sales. |
| Engineering | OU for each manufacturing plant | Each OU is managed by the Engineering organization IT staff at each plant. |
| Manufacturing | OU for each manufacturing plant | Each OU is managed by the Engineering organization IT staff at each plant. |
| Corporate | Single OU for corporate headquarters | The Corporate OU is managed by central IT at headquarters. |
| Marketing | Single OU for corporate headquarters | The Marketing OU is managed by central IT at headquarters. |
Figure 13.2. OU design based on organization.
In each of these examples, the administrative tasks are divided between the centralized staff and OU administrators.
The role of the OU administrator is dependent on the namespace design you have chosen. Each of the examples can be further customized. Within each OU, administration can span from full control to a dministration for specific tasks, such as changing passwords or adding users. If your OUs were based on specific application use, administrators would have OU administration only for the applications that they have administrative responsibility for. In any case, your OU structure design should complement the way you want to administer your environment.