All:

I have been tasked with writing policy and redesigning the OU structure for our environment. As such, my leadership wants to gain control back of our OU structure. Currently, OUs are created based upon various criteria, such as Department, Division, Application groups, College, Location, etc. In some cases, they are simple 3-letter OU names, and then others are multiple-word names. Some OUs are up to a hundred+ deep and a few are up to 7 levels deep.
I am curious if anyone on this mail list has controls or standards in place for their OU structure and what those might be? Would you be willing to share? Do you have a written security policy for AD and how it may be used and how the structure and delegations are granted?
· Moving forward in a new forest, my leadership wants to standardize on the following:
    · Naming convention
    · Default structure
    · Only Delegated Admins can create OUs
    · Vetting process for creating a new OU or additional OUs outside of the default
    · Limiting the number of layers
· Technical controls will limit the OU creation to delegated Admins.
· Naming conventions will be enforced by the delegated admins.
· Vetting for new or additional OUs will be around the necessity to apply same or different policy or admin controls more granularly.
· Minimizing the layers will be enforced by the delegated Admins.
Your responses are very much appreciated,

Brian Britt