Best Practices of designing a Windows Server 2003 (R2) AD Organisational Unit and Group structure
If you are confused about domain groups, remember this rule: use domain local groups to control access to resources, and use global groups to organise similar groups of users. Accounts go into global groups, global groups go into domain local groups, and only the domain local group appears in the resource's ACL (the AGDLP pattern).
- Set up OU structure, and move your user and computer objects from default Users and Computers containers.
- While designing the OU structure, keep it as simple as possible. An OU should exist for one of two reasons: to delegate administration or to apply Group Policy.
- Aim for an OU tree no more than 3 levels deep. More levels are allowed when genuinely needed, but never nest OUs more than 10 levels deep; deep trees slow policy processing and make delegation hard to audit.
- Create OUs only when necessary, and keep their number minimal.
- Where possible, target a GPO at the members of a security group through security filtering (grant Read and Apply Group Policy to that group only) instead of creating an extra OU just to scope the policy.
- Use distribution groups or mail-enabled security groups for email distribution lists in Exchange 2003/2007 environments.
- Mail-enable security groups only where separating security and email functionality is not required: once a group is both, anyone added to the distribution list also receives whatever access the group's ACL entries grant.
- Don't delete and re-create groups casually. Every group has a unique SID, and a re-created group with the same name gets a new one, so every ACL entry that referenced the old group becomes an orphaned, unresolvable SID and the access it granted is silently lost.
- Don't add users from domains in the forest that are still in Windows 2000 mixed mode to universal groups. Such domains cannot use universal security groups, and universal group membership is replicated to every global catalog in the forest, so membership changes are expensive; nest global groups, rather than individual users, in universal groups.
- Don't use a computer's local groups to grant permissions in a domain environment. They exist only in that machine's SAM, so they cannot be managed from Active Directory or reused on another server; use domain local groups instead.
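The list above describes one procedure: build a shallow OU tree, move objects out of the default containers, nest groups AGDLP-style, and scope a GPO with security filtering. The script below is an added example (it is not from the original article) that carries those steps through with the RSAT ActiveDirectory and GroupPolicy PowerShell modules. It assumes a management host where those modules are installed (Windows Server 2003 domain controllers need the Active Directory Management Gateway Service for the ActiveDirectory module to talk to them), and the OU names, group names, naming convention ("SLS-" computer prefix), department attribute values and the \\fs01\Sales share are all hypothetical.

```powershell
# Added example, not the article's own code. Assumes RSAT ActiveDirectory and
# GroupPolicy modules; all OU, group, share and host names below are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example
$netbios  = (Get-ADDomain).NetBIOSName         # e.g. CORP

# 1. A shallow OU tree: company, then business unit, then object type.
#    Three levels is the target; nothing here goes deeper. Order matters,
#    so the tree is an ordered array rather than a hashtable.
$ouTree = @(
    @{ Name = 'Corp';         Path = $domainDN },
    @{ Name = 'Groups';       Path = "OU=Corp,$domainDN" },
    @{ Name = 'Sales';        Path = "OU=Corp,$domainDN" },
    @{ Name = 'Users';        Path = "OU=Sales,OU=Corp,$domainDN" },
    @{ Name = 'Workstations'; Path = "OU=Sales,OU=Corp,$domainDN" }
)
foreach ($ou in $ouTree) {
    $dn = "OU=$($ou.Name),$($ou.Path)"
    # Idempotent: an LDAP filter on distinguishedName returns nothing if the OU is absent.
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(distinguishedName=$dn)" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Move user and computer objects out of the default Users and Computers
#    containers. Built-in accounts stay put because the filters only match
#    objects tagged with the (assumed) Sales department / "SLS-" naming convention.
Get-ADUser -SearchBase "CN=Users,$domainDN" -SearchScope OneLevel -Filter 'department -eq "Sales"' |
    Move-ADObject -TargetPath "OU=Users,OU=Sales,OU=Corp,$domainDN"
Get-ADComputer -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel -Filter 'name -like "SLS-*"' |
    Move-ADObject -TargetPath "OU=Workstations,OU=Sales,OU=Corp,$domainDN"

# 3. AGDLP: accounts -> global group (who), global group -> domain local group
#    (what), domain local group -> ACL on the resource. Users never go straight
#    into the domain local group, and only the domain local group is in the ACL.
$groupsOU = "OU=Groups,OU=Corp,$domainDN"
New-ADGroup -Name 'GG-Sales-Staff'       -GroupScope Global      -GroupCategory Security -Path $groupsOU
New-ADGroup -Name 'GG-Sales-Laptops'     -GroupScope Global      -GroupCategory Security -Path $groupsOU
New-ADGroup -Name 'DL-SalesShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU

$salesUsers = Get-ADUser -SearchBase "OU=Users,OU=Sales,OU=Corp,$domainDN" -Filter *
Add-ADGroupMember -Identity 'GG-Sales-Staff' -Members $salesUsers
$salesLaptops = Get-ADComputer -SearchBase "OU=Workstations,OU=Sales,OU=Corp,$domainDN" -Filter *
Add-ADGroupMember -Identity 'GG-Sales-Laptops' -Members $salesLaptops
Add-ADGroupMember -Identity 'DL-SalesShare-Modify' -Members 'GG-Sales-Staff'

# The ACL on the share references the domain local group only.
$sharePath = '\\fs01\Sales'
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\DL-SalesShare-Modify", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 4. Security filtering: link the GPO to the existing Workstations OU and scope it
#    to GG-Sales-Laptops instead of creating a "Laptops" sub-OU just for it.
#    Authenticated Users keeps Read (computers must still be able to read the GPO)
#    but loses Apply; -Replace drops the old Apply permission before setting Read.
New-GPO -Name 'Sales-Laptop-Settings' |
    New-GPLink -Target "OU=Workstations,OU=Sales,OU=Corp,$domainDN"
Set-GPPermission -Name 'Sales-Laptop-Settings' -TargetName 'GG-Sales-Laptops' `
    -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name 'Sales-Laptop-Settings' -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
```

Run it once from an account with rights to create OUs, groups and GPOs; steps 1 and 2 are safe to re-run, while step 3 will report that the groups already exist on a second pass. Keeping Read for Authenticated Users on the filtered GPO is deliberate: a GPO that the computer account cannot read is not applied at all, which is a common way security filtering breaks in practice.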
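The warning about deleting and re-creating groups is easiest to see in the ACLs it leaves behind: Windows can no longer resolve the old SID to a name, so Get-Acl returns a raw SID object instead of an NTAccount. The function below is an added example (not from the article) that walks a directory tree and reports every ACE whose identity no longer resolves; the share path in the usage call is hypothetical.

```powershell
# Added example, not the article's own code. Finds ACEs whose principal no
# longer resolves, the residue left when a group is deleted and re-created.
function Get-OrphanedAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path,
        # When set, strip the orphaned ACEs instead of only reporting them.
        [switch]$Remove
    )
    process {
        $acl = Get-Acl -Path $Path
        $orphans = @()
        foreach ($ace in $acl.Access) {
            # Skip entries inherited from the parent; they are fixed at the parent.
            if ($ace.IsInherited) { continue }
            # Get-Acl hands back an NTAccount when the SID resolves and a bare
            # SecurityIdentifier when it does not (deleted user or group).
            if ($ace.IdentityReference -is [System.Security.Principal.SecurityIdentifier]) {
                $orphans += $ace
                [PSCustomObject]@{
                    Path   = $Path
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                    Type   = $ace.AccessControlType
                }
            }
        }
        if ($Remove -and $orphans.Count -gt 0) {
            foreach ($ace in $orphans) { $null = $acl.RemoveAccessRule($ace) }
            Set-Acl -Path $Path -AclObject $acl
        }
    }
}

# Usage (hypothetical share): report first, then remove only once the list has
# been reviewed, because an orphaned Allow ACE is also a hint that somebody
# re-created the group and the new group now needs to be added in its place.
Get-ChildItem -Path '\\fs01\Sales' -Recurse -Directory |
    Select-Object -ExpandProperty FullName |
    Get-OrphanedAce | Format-Table -AutoSize
```

Only explicit (non-inherited) ACEs are examined, since an inherited orphan is removed by fixing its parent; running the function with -Remove on the parent is therefore enough for a whole subtree.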