How to Restructure Active Directory for Better Management?

Asked By TechyTurtle2023 On

I'm currently involved in a project to restructure our Active Directory (AD), and to be honest, the current setup is quite a mess. We have service accounts that don't have their own OUs, users and computers from different departments mixed together, and disabled users haven't been moved to a separate OU. I could really use some guidance or resources on how to tackle this big project efficiently without breaking anything, especially since I've got the green light from management. Our hybrid work environment complicates things as well since some admin roles are managed by a third-party service provider, so applying Group Policy Objects (GPOs) has been tricky. Any advice would be greatly appreciated!

4 Answers

Answered By AdminGuru42 On

There's no one-size-fits-all solution here—ask ten SysAdmins and you might get ten different ideas! I suggest keeping it simple and focused on what brings the most value. Are there GPOs linked to specific OUs in your current setup? If so, start documenting those. Consider whether you want to organize your OUs by location, job function, or some other criteria. Definitely ensure that computers, users, and service accounts are kept separate for better management!

NetNinja21 -

Absolutely, a clear logic structure is key! Keep GPOs manageable, and don’t forget to implement a solid naming scheme for your objects. It’ll save you a lot of headaches down the line.

Answered By ADMaster68 On

I recommend starting fresh with your OU architecture rather than trying to fix what's broken. Set up a new top-level OU and create dedicated OUs for different categories like users and computers. If you're considering moving to Intune for policy management, keep your OUs as flat as possible. Take your time planning the overall structure before making changes to avoid future issues.

SysAdminSister -

That's exactly what I did when I joined my current job! I first spent time learning the existing setup, then gradually created a simpler model. Starting with top-level OUs for computers and users helped a ton.

Answered By ITFixer88 On

One quick win is to create a single top-level OU named after your company to house everything beneath it. Avoid touching the default Users and Computers containers since you can't link GPOs to those. Under your company OU, create dedicated OUs for users, computers, service accounts, and disabled accounts. Also, before making any moves, make sure to back up your existing GPOs!

Answered By NewbieNerd86 On

Yeah, just focus on the top-level OU first! You can always expand later as the needs grow. And don’t forget to automate moving the disabled accounts into a separate OU after a specific time.
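The steps suggested across the answers above (back up GPOs and document their links, create a company OU with dedicated child OUs, and automatically move long-disabled accounts) can be scripted as follows. This is an added example, not code from any of the posters. The company name `Contoso`, the backup path, the 30-day grace period and the use of `whenChanged` as a stand-in for the disable date are assumptions. It needs the RSAT ActiveDirectory and GroupPolicy modules.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example. Assumed values: company name, backup path, 30-day grace period.
param(
    [string]$Company    = 'Contoso',
    [string]$BackupPath = 'C:\GPO-Backup',
    [int]$GraceDays     = 30,
    [switch]$Apply      # without -Apply, every AD change is only previewed (-WhatIf)
)
$preview  = -not $Apply
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Back up every GPO, then record which GPOs are linked to the domain and each OU.
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
Backup-GPO -All -Path $BackupPath | Out-Null
@($domainDn) + (Get-ADOrganizationalUnit -Filter *).DistinguishedName |
    ForEach-Object { (Get-GPInheritance -Target $_).GpoLinks } |
    Select-Object Target, DisplayName, Enabled, Enforced, Order |
    Export-Csv -Path (Join-Path $BackupPath 'gpo-links.csv') -NoTypeInformation

# 2. Create the company OU and its child OUs if they do not exist yet.
function Add-Ou([string]$Name, [string]$Parent) {
    $dn = "OU=$Name,$Parent"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $Parent `
            -ProtectedFromAccidentalDeletion $true -WhatIf:$preview
    }
    $dn   # return the DN so callers can use it as a target path
}
$rootDn = Add-Ou $Company $domainDn
foreach ($n in 'Users', 'Computers', 'Service Accounts') { Add-Ou $n $rootDn | Out-Null }
$disabledDn = Add-Ou 'Disabled Accounts' $rootDn

# 3. Move users that have been disabled for longer than the grace period.
# Assumption: whenChanged approximates the disable date. Any later attribute write
# resets it, so an account can stay in place longer than the grace period, never shorter.
$cutoff = (Get-Date).AddDays(-$GraceDays)
Get-ADUser -Filter 'Enabled -eq $false' -Properties whenChanged, isCriticalSystemObject |
    Where-Object {
        -not $_.isCriticalSystemObject -and      # leave built-in accounts such as krbtgt alone
        $_.whenChanged -lt $cutoff -and
        $_.DistinguishedName -notlike "*,$disabledDn"
    } |
    ForEach-Object {
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $disabledDn -WhatIf:$preview
    }
```

Run it without `-Apply` first and compare the previewed moves against `gpo-links.csv`, since moving an account changes which linked GPOs apply to it.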
