Designing an OU Structure that Supports Group Policy
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In an Active Directory environment, you assign Group Policy settings by linking GPOs to sites, domains, or organizational units (OUs). Typically, most GPOs are assigned at the organizational unit level, so be sure your OU structure supports your Group Policy-based client-management strategy. You might also apply some Group Policy settings at the domain level, particularly those such as password policies, which only take effect if applied at the domain level. Very few policy settings are likely to be applied at the site level. A well-designed OU structure, reflecting the administrative structure of your organization and taking advantage of GPO inheritance, simplifies the application of Group Policy. For example, it can prevent needing to duplicate certain policies so that the policies can be applied to different parts of the organization, or having to link the same GPO to multiple Active Directory containers to achieve your objectives. If possible, create OUs to delegate administrative authority as well as to help implement Group Policy.
OU design requires balancing requirements for delegating administrative rights – independent of Group Policy needs – and the need to scope the application of Group Policy. The following OU design recommendations address delegation and scope issues:
Delegating administrative authority You can create OUs within a domain and delegate administrative control for specific OUs to particular users or groups. Your OU structure might be affected by requirements to delegate administrative authority. For more information about planning for delegation of Active Directory administrative authority, see "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services of this kit.
Applying Group Policy An OU is the lowest-level Active Directory container to which you can assign Group Policy settings.
Think primarily about the objects you want to manage when you approach the design of an OU structure. You might want to create a structure that has OUs organized by workstations, servers, and users near the top level. Depending on your administrative model, you might consider geographically based OUs either as children or parents of the other OUs, and then duplicate the structure for each location to avoid replicating across different sites. Add OUs below these only if doing so makes the application of Group Policy clearer, or if you need to delegate administration below these levels.
By using a structure in which OUs contain homogeneous objects, such as either user or computer objects but not both, you can easily disable those sections of a GPO that do not apply to a particular type of object. This approach to OU design, illustrated in Figure 2.3, reduces complexity and improves the speed at which Group Policy is applied. Keep in mind that GPOs linked to the higher layers of the OU structure are inherited by default, which reduces the need to duplicate GPOs or to link a GPO to multiple containers.
Note that the default Users and Computers containers cannot have Group Policy applied to them until you use the new Redirusr.exe and Redircomp.exe tools. When designing your Active Directory structure, the most important considerations are ease of administration and delegation.
Figure 2.3 Example OU Structure
Applying Group Policy to New User and Computer Accounts
New user and computer accounts are created in the CN=Users and CN=Computers containers by default. It is not possible to apply Group Policy directly to these containers, although they inherit GPOs linked to the domain. Redirusr.exe (for user accounts) and Redircomp.exe (for computer accounts) are two new tools included with Windows Server 2003 that enable you to change the default location where new user and computer accounts are created so you can more easily scope GPOs directly to newly created user and computer objects. These tools are located in %windir%\system32. By running Redirusr.exe and Redircomp.exe once for each domain, the domain administrator can specify the OUs into which all new user and computer accounts are placed at the time of creation. This allows administrators to manage these unassigned accounts by using Group Policy before the administrators assign them to the OU in which they are finally placed. You might want to consider restricting the OUs used for new user and computer accounts by using Group Policy to increase security around these accounts.
For more information about redirecting users and computers, see article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.
For more information about the redirusr.exe and redircomp.exe tools, see the Redirecting Users and Computers link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.
Sites and Replication Considerations
As you determine which policy settings are appropriate, be aware of the physical aspects of Active Directory, which include the geographical location of sites, the physical placement of domain controllers, and the speed of replication.
GPOs are stored in both Active Directory and in the Sysvol folder on each domain controller. These locations have different replication mechanisms. Use the Resource Kit tool Gpotool.exe to help diagnose problems when you suspect that a GPO might not have replicated across domain controllers. For more information about Gptool.exe, in Help and Support Center for Windows Server 2003, click Tools, and then click Windows Resource Kit Tools Help.
Domain controller placement is an issue when slow links, typically to clients at remote sites, are involved. If the network link speeds between a client and the authenticating domain controller fall below the default slow-link threshold of 500 kilobits per second, only the administrative template (registry-based) settings, the new Wireless Policy extension, and security settings are applied by default. All other Group Policy settings, including software distribution and folder redirection, are not applied by default. You can, however, modify this behavior by using Group Policy.
You can change the slow link threshold by using the Group Policy Slow Link Detection policy for both the user and computer aspects of a GPO. If necessary, you can also adjust which Group Policy extensions are processed below the slow-link threshold. However, it might be more appropriate to place a local domain controller at a remote location to serve your management needs.