Friday, October 1, 2010


Guidelines For Good And Simple Active Directory Design

Customizing the Active Directory structure is only problematic if you don't know what you are doing.

It is recommended that small and medium-sized businesses keep their Active Directory structure as simple as possible, and this often means using the default Active Directory structure. Here is why:
  • As I'm sure you know, group policies are one of the primary security mechanisms used by Windows. Microsoft has designed group policies to be hierarchical in nature. In other words, you can create multiple group policy objects, which reside at various levels of the Active Directory, and those group policy objects will combine to form the effective policy.
  • SMBs try to keep things simple as it can be difficult to secure complex environments. Group policy objects often combine in ways that result in unanticipated security settings. On the other hand, if you have a simple Active Directory structure and only use the default domain policy, then the policy's effects are absolutely predictable.
Two different types of Active Directory environments are common among SMBs:
  1. Those that keep things really simple by sticking with the default AD structure, or
  2. Those where the AD structure is extremely messy.
It is the messy Active Directories that remain complex. But remember, when properly designed, an Active Directory can be complex without being messy.
Rapid growth often requires AD restructuring. It is much easier to spend a little extra time up front and design the Active Directory in a way that anticipates future growth than it is to restructure the Active Directory once the growth has already occurred.

Guidelines for good Active Directory design. 
We know that group policies are broken down into user policy settings and computer policy settings. It is possible to define both user and computer policy settings within a single group policy object. Instead though, it is recommended that each of your group policy objects define either user policy settings or computer policy settings, but not both.

The second recommendation is that you create an Organizational Unit (OU) structure that makes sense for your organization. You should have some OUs that store computer objects and some that store user objects. You should then attach a dedicated group policy object to each OU.

In the default Active Directory structure for example, Microsoft gives you a Domain Controllers container and a Computers container. Expand on this concept.
For example, I like to move the users' desktops out of the Computers container and into a custom OU named Workstations. That way, I am not forced to apply the same security policy to user workstations as I am to network servers.

With the user workstations removed from the Computers container, that leaves behind any member servers that may exist. Depending on the size of the organization, I might create additional containers for specific types of member servers. For instance, I might create an Exchange Servers OU so that I can apply a dedicated security policy to an organization's Exchange servers.

In some organizations, the Users container works fine. In other organizations it may make more sense to create a dedicated OU for each department. That way, you can apply group policy settings on a per-department basis.

This approach may seem like overkill, especially for smaller networks, but there is a method to the madness. Any time that a user logs on to the network, they are using exactly one user account and one computer. By structuring your Active Directory in the way that I have described above, you can ensure that the optimum security settings are in place, regardless of where a user logs on.
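
As an added example (not from the original post), the PowerShell below builds the computer-side layout described above: a Workstations OU and an Exchange Servers OU, each linked to a dedicated GPO whose user settings are disabled so it carries computer policy only. The GPO names, the OperatingSystem filter used to pick out desktops, and the -Apply switch are assumptions; the ActiveDirectory and GroupPolicy modules are required.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not from the original post. OU names follow the article;
# the GPO names and the OperatingSystem filter are assumptions.
param([switch]$Apply)   # without -Apply, workstation moves are only previewed

$domainDN = (Get-ADDomain).DistinguishedName

# One dedicated, computer-only GPO per computer OU.
$computerOUs = [ordered]@{
    'Workstations'     = 'Workstations - Computer Policy'
    'Exchange Servers' = 'Exchange Servers - Computer Policy'
}

foreach ($ouName in $computerOUs.Keys) {
    $ouDN    = "OU=$ouName,$domainDN"
    $gpoName = $computerOUs[$ouName]

    # Create the OU only if it is missing, so the script is safe to re-run.
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domainDN -SearchScope OneLevel
    if (-not $existing) { New-ADOrganizationalUnit -Name $ouName -Path $domainDN }

    # Create the GPO if it is missing and disable its user half, so the
    # object defines computer settings only.
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
    $gpo.GpoStatus = 'UserSettingsDisabled'

    # Link the GPO to its OU unless the link already exists.
    $links = (Get-GPInheritance -Target $ouDN).GpoLinks.DisplayName
    if ($links -notcontains $gpoName) {
        New-GPLink -Name $gpoName -Target $ouDN | Out-Null
    }
}

# Move client machines out of the default Computers container. Objects with
# no OperatingSystem value also match this filter, so review the preview first.
Get-ADComputer -Filter "OperatingSystem -notlike '*Server*'" `
    -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel |
    Move-ADObject -TargetPath "OU=Workstations,$domainDN" -WhatIf:(-not $Apply)
```

Member servers stay in the Computers container until they are placed deliberately, which matches the article's point that what remains after the workstations are moved is the server population.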


About bench3 -

Haja Peer Mohamed H, Software Engineer by profession, Author, Founder and CEO of "bench3".
