I think there are some common guidelines people should follow when building an OU structure, but it really depends on the type of organization and the resources available.
What might work for one organization might not work for another. I have seen this in the real world while working for different organizations (school districts, hospitals, lawyer’s office, and other environments).
How to Set Up an Active Directory OU Structure
Setting up your Organizational Units (OUs) can be a daunting task. It’s important to take your time early on when deciding what structure to use, because core structural changes are difficult to make later, once you have hundreds or even thousands of AD objects and group policies in a working production environment.
For this example, we are going to structure our Active Directory OUs for a made-up hospital.
- Main hospital: Illinois
- Outside clinic 1: California
- Outside clinic 2: Oregon
- Servers: Exchange, SQL, Print
Let’s Get Started
With the AD DS (Active Directory Domain Services) role installed and configured on our newly set up Windows Server 2012 machine, launch Active Directory Users and Computers.
From Server Manager, click Tools and select Active Directory Users and Computers.
I like to create a master OU in which I then place all my sub-OUs. In my opinion, this keeps the root of the OU structure clean.
Right-click on NOTCREATIVE.internal, select New, then select Organizational Unit.
Name the master OU. For this example, I will name it NOTCREATIVE OU.
The reason I used caps is to have it stand out when quickly looking at the OU structure.
For the remaining OUs, follow the instructions above until your AD structure looks like the following.
This OU structure is a good start. It has some flexibility to allow for growth in the future.
Let’s go into a little more detail about why I chose to structure a couple of them the way I did.
- Underscore to set it at the top of the tree
- Used for newly imaged computers
- Used for newly joined or re-joined computers
- Used for Security Groups for Group Policy objects
- Used for distribution Groups
How to Delete OU
Since Windows Server 2012 has the Protect from accidental deletion feature enabled by default, if you need to move or delete an OU, you will probably run into the following error: You do not have sufficient privileges to delete <OU name>, or this object is protected from accidental deletion.
To fix this, we need to disable the option on that particular OU.
Click View and then select Advanced Features.
You should notice there are more OUs (folders) in the tree. Navigate to the OU you need to move or delete, right-click and select Properties.
Select the Object tab, then uncheck the Protect object from accidental deletion option, then OK.
You should now be able to move or delete the OU (object).
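The same move can be scripted with the ActiveDirectory PowerShell module. The following is an added example, not part of the original walkthrough: the function name `Move-ProtectedOU` and the `OU=Example` and `OU=Archive` names are hypothetical, and it puts the protection flag back after the move, which the GUI steps above leave cleared.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Move-ProtectedOU and the sample OU names are hypothetical;
# only the NOTCREATIVE.internal domain and "NOTCREATIVE OU" come from the page.
function Move-ProtectedOU {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Identity,    # DN of the OU to move
        [Parameter(Mandatory)] [string] $TargetPath   # DN of the new parent container
    )
    $ErrorActionPreference = 'Stop'   # make AD cmdlet failures terminating

    $ou = Get-ADOrganizationalUnit -Identity $Identity `
              -Properties ProtectedFromAccidentalDeletion
    $wasProtected = $ou.ProtectedFromAccidentalDeletion

    # Honour -WhatIf / -Confirm before touching the directory.
    if (-not $PSCmdlet.ShouldProcess($ou.DistinguishedName, "Move to $TargetPath")) {
        return
    }

    try {
        if ($wasProtected) {
            # Same effect as unchecking the box on the Object tab.
            Set-ADOrganizationalUnit -Identity $ou.ObjectGUID `
                -ProtectedFromAccidentalDeletion $false
        }
        Move-ADObject -Identity $ou.ObjectGUID -TargetPath $TargetPath
    }
    finally {
        # The GUID does not change when the DN does, so it identifies the OU
        # whether or not the move succeeded. Restore the flag in both cases.
        if ($wasProtected) {
            Set-ADOrganizationalUnit -Identity $ou.ObjectGUID `
                -ProtectedFromAccidentalDeletion $true
        }
    }

    # Return the OU at its new location with the flag visible for checking.
    Get-ADOrganizationalUnit -Identity $ou.ObjectGUID `
        -Properties ProtectedFromAccidentalDeletion
}

# Example call (hypothetical OU names); add -WhatIf for a dry run:
# Move-ProtectedOU `
#   -Identity   'OU=Example,OU=NOTCREATIVE OU,DC=NOTCREATIVE,DC=internal' `
#   -TargetPath 'OU=Archive,OU=NOTCREATIVE OU,DC=NOTCREATIVE,DC=internal'
```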