
Microsoft Official Course

Module 7

Designing and Implementing an AD DS Organizational Unit Infrastructure
Module Overview

• Planning the Active Directory Administrative Tasks Delegation Model
• Designing an OU Structure
• Designing and Implementing an AD DS Group Strategy
Lesson 1: Planning the Active Directory Administrative Tasks Delegation Model

• What Is an Active Directory Administrative Tasks Delegation Model?
• Typical IT Administrative Models
• Gathering Information on Current Administrative Structures
• Gathering Information on Organizational Resources
• Planning Administrative Processes
• Considerations for Branch Office Delegation
What Is an Active Directory Administrative Tasks Delegation Model?

• An Active Directory administrative tasks delegation model describes:
  • Which administrative groups (or users) …
  • Have what kind of control (read/write/create/delete) …
  • Over which objects or attributes …
  • At which level (domain, OU, or individual object)

• The delegation model separates administrative tasks so that each administrative group holds exactly the rights it needs to fulfill its tasks, and nothing beyond them
Typical IT Administrative Models

Model                        Description
Centralized                  A central administration team is responsible for all tasks
Decentralized                Multiple administrative entities with equal rights
Outsourced                   Infrastructure administration and data administration are separate
Centralized with Delegation  Central infrastructure administration, with specific delegations for branches, services, or application owners
Gathering Information on Current Administrative Structures

Gather the following information on the current administrative structure:
• Organizational requirements
• Operational requirements
• Legal and regulatory compliance
• Expectations for future designs
Gathering Information on Organizational Resources

Resources to inventory:
• Physical devices: computers, printers, scanners
• Human resources: users, groups
• Locations and network topography: physical locations (offices)

Questions to answer for each category of resource:
• Administrative groups: "Who is managing?"
• Equally administered resources: "Who is managed?"
• Permissions required
• Scope of administration: "At what level, and which objects, are managed by the same group?"
Planning Administrative Processes

Administrative processes consider:
• Who creates and maintains Active Directory objects
• How AD DS objects are managed and maintained
• How permissions and attributes are assigned to objects
Gathering Information on Administrative Processes

Best Practices:
• Use personalized, separate accounts for administrative tasks (never the same account for daily work and for administration)
• Grant permissions to administrative accounts via groups, not directly on the account
• Put the groups and accounts used for administration in a separate structure in your OU model
• Put regular objects together in one OU if they are managed by the same group
• Always assign the least required privilege
• Always assign permissions at the highest level of the OU hierarchy at which they are needed, so that inheritance carries them down instead of the same ACE being repeated on every child OU
Considerations for Branch Office Delegation

Tasks fulfilled in branch offices may include:
• User management, such as password reset or unlocking locked accounts
• Group management for the groups that are relevant to the branch, such as groups for local file server permissions or printer permissions
• User support that requires a local administrator on the branch client computers
• Installing or reinstalling client computers
• Managing local server connectivity
• Managing local backups
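The delegation model from the start of the lesson (which group, what control, which objects, which level) becomes concrete once the branch tasks above are turned into ACEs. The script below is an added example written for this page, not course material: it delegates password reset, account unlock and computer-object creation for one branch to a help-desk group with explicit ACEs on the branch OUs, instead of putting that group into Account Operators. The domain adatum.com, the OU "OU=London,DC=adatum,DC=com" with child OUs "Users" and "Computers", and the group ADM_London_HelpDesk are assumptions; the schema GUIDs are the well-known ones for those classes, attributes and control access rights.

```powershell
# Added example (not from the course): delegate branch help-desk tasks with explicit ACEs.
# Assumptions: domain adatum.com, branch OU "OU=London,DC=adatum,DC=com" with child OUs
# "Users" and "Computers", existing group ADM_London_HelpDesk. Run with rights to modify
# the OU ACLs (for example, as a domain administrator).
Import-Module ActiveDirectory

$branchDn    = 'OU=London,DC=adatum,DC=com'
$usersOuDn   = "OU=Users,$branchDn"
$compOuDn    = "OU=Computers,$branchDn"
$helpDeskSid = (Get-ADGroup -Identity 'ADM_London_HelpDesk').SID

# Well-known schema GUIDs used to scope the ACEs (object class, attribute, control access right)
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$lockoutTime   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute (unlock)
$pwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute (force change at next logon)

$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$OnUsers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

function Add-DelegationAce {
    # Appends one ACE to the security descriptor of an AD object and writes it back.
    param([string]$TargetDn, [System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $acl = Get-Acl -Path "AD:\$TargetDn"
    $acl.AddAccessRule($Ace)
    Set-Acl -Path "AD:\$TargetDn" -AclObject $acl
}

# 1. Password reset: the "Reset Password" control access right on user objects below OU=Users
Add-DelegationAce $usersOuDn (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpDeskSid, $Rights::ExtendedRight, $Allow, $resetPassword, $OnUsers, $userClass))

# 2. Unlock and "user must change password at next logon": read/write on exactly two attributes
foreach ($attr in $lockoutTime, $pwdLastSet) {
    Add-DelegationAce $usersOuDn (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $helpDeskSid, ($Rights::ReadProperty -bor $Rights::WriteProperty), $Allow, $attr, $OnUsers, $userClass))
}

# 3. Installing/reinstalling clients: create and delete computer objects in OU=Computers only.
#    (Joining a client to a pre-created account needs further rights on the computer object,
#    such as Reset Password and writing servicePrincipalName; those are not shown here.)
Add-DelegationAce $compOuDn (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpDeskSid, ($Rights::CreateChild -bor $Rights::DeleteChild), $Allow, $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None))

# Check: what did the help-desk group actually receive on each OU? Explicit ACEs only.
foreach ($dn in $usersOuDn, $compOuDn) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference -like '*\ADM_London_HelpDesk' } |
        Select-Object @{ n = 'OU'; e = { $dn } }, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
```

Each ACE is scoped three ways: the trustee (the help-desk group, never an individual), the right (one extended right or one attribute rather than Full Control), and the inherited object class (user or computer), so a user account that is later moved into the branch OU is covered automatically while groups or OUs placed there are not. The final loop is the check to keep after any delegation change; it shows exactly the rights the group holds and nothing that inheritance brought in from above.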
Lesson 2: Designing an OU Structure

• Strategies for Designing OUs
• How Administrative Permissions Work
• Designing OUs for Delegating Administrative Control
• Designing OUs for Applying GPOs
• Considerations for Designing OU Hierarchies
• Protecting OUs from Accidental Deletion
• Demonstration: Implementing OUs
Strategies for Designing OUs

Location-based strategy
• Static
• Delegation can be complicated

Organization-based strategy
• Not static
• Easy to categorize

Resource-based strategy
• Static
• Easy to delegate administration

Multiple tenant-based strategy
• Not static
• Easy to delegate administration
• Easy to include/separate new tenants

Hybrid strategy
• Combines two or more of the strategies above
How Administrative Permissions Work

• Users receive their access token (the list of SIDs of their account and of the groups they belong to) during logon

• Objects have a security descriptor, whose access control entries describe:
  • Who (SID)
  • Has been granted or denied
  • Which permissions (Read, Write, Create child or Delete child, extended rights such as Reset Password)
  • On what kind of objects or attributes
  • In which sub-levels below (inheritance)

• When users access the Active Directory structure, their token is compared with the security descriptor of each object to evaluate their access rights
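Because the token-versus-security-descriptor comparison happens per object, the delegation model that is actually in force is the set of explicit ACEs on the OUs, not the design document. The script below is an added example, not course material: it walks every OU in the domain, lists the ACEs that were set there (inherited ones are skipped, since they are reported at their source), and resolves the schema and extended-right GUIDs to names so the output reads as "who has what control over which objects at which level". It assumes the ActiveDirectory module; the list of built-in trustees that is hidden as noise is an assumption for readability and should be dropped for a forensic review.

```powershell
# Added example (not from the course): audit the delegation that is actually configured on OUs.
# Assumptions: ActiveDirectory module available; the "noise" trustee list is a readability choice.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# GUID -> name map for classes/attributes (schemaIDGUID) and control access rights (rightsGuid)
$guidName = @{}
Get-ADObject -SearchBase $schemaNc -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[([Guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[([Guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AdGuid {
    param([Guid]$Guid)
    if ($Guid -eq [Guid]::Empty) { return 'All' }             # empty GUID = every object or property
    $key = $Guid.ToString()
    if ($guidName.ContainsKey($key)) { return $guidName[$key] }
    return $key
}

# Default trustees present on every OU; hidden so that real delegations stand out (assumption)
$noise = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Account Operators',
           'BUILTIN\Print Operators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
           'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\SELF')

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                     # inherited ACEs are reported where they were set
        $who = $ace.IdentityReference.Value
        if ($noise -contains $who -or $who -match '\\(Domain|Enterprise) Admins$') { continue }
        # Deny ACEs for Everyone come from accidental-deletion protection; an Allow for Everyone is reported
        if ($who -eq 'Everyone' -and $ace.AccessControlType -eq 'Deny') { continue }
        [PSCustomObject]@{
            OU          = $ou.DistinguishedName
            Trustee     = $who
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            ObjectType  = Resolve-AdGuid $ace.ObjectType          # attribute, extended right or child class
            AppliesTo   = Resolve-AdGuid $ace.InheritedObjectType # object class the ACE inherits to
            Inheritance = $ace.InheritanceType
        }
    }
}

$report | Sort-Object OU, Trustee | Format-Table -AutoSize

# Anything listed here that is not in the designed delegation model is either a mistake or a
# foothold somebody left behind: "GenericAll" on "All" for a help-desk group is not a delegation.
```

Run it after implementing a delegation and keep the output with the design; the diff between two runs is the change log of the delegation model, and a trustee or right that appears without a matching design decision is the first thing an incident responder should look at.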
Designing OUs for Delegating Administrative Control

Object-based design
• Delegation of permissions is based on object types, such as users, groups, and computers

Role-based design
• Delegation of permissions is based on administrative tasks, such as password management and group administration
Designing OUs for Applying GPOs

When designing an OU structure to support using GPOs, consider the following:
• Assign (link) GPOs at the OU level
• GPOs might require OUs in addition to those that you create for administration
• OUs that you create for GPO requirements are commonly resource-based
• Objects in child OUs inherit the GPOs linked to their parent OUs
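The following is an added example, not part of the course: it creates a resource-based parent/child OU pair of the kind the slide describes, links one GPO at the parent, and checks from the child's side that the link is inherited. It then shows the caveat a practitioner wants: an administrator delegated on the child OU can block inheritance, and only an enforced link at the parent survives that. The domain adatum.com, the OU and GPO names, and the availability of the ActiveDirectory and GroupPolicy modules (RSAT) are assumptions.

```powershell
# Added example (not from the course): link a GPO once at a parent OU and verify inheritance.
# Assumptions: domain adatum.com; OU and GPO names are hypothetical; RSAT modules installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=adatum,DC=com'
$parentDn = "OU=Workstations,$domainDn"
$childDn  = "OU=Kiosks,$parentDn"

New-ADOrganizationalUnit -Name 'Workstations' -Path $domainDn
New-ADOrganizationalUnit -Name 'Kiosks'       -Path $parentDn

# One GPO, linked at the highest OU where it applies; every child OU inherits the link
$gpo = New-GPO -Name 'WKS-Baseline' -Comment 'Workstation security baseline (example)'
New-GPLink -Name $gpo.DisplayName -Target $parentDn -LinkEnabled Yes | Out-Null

# Inheritance as seen from the child OU: the parent link shows up under InheritedGpoLinks
(Get-GPInheritance -Target $childDn).InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Target

# Caveat: whoever manages the child OU's Group Policy links can block inheritance, which
# silently drops the baseline from the kiosks ...
Set-GPInheritance -Target $childDn -IsBlocked Yes | Out-Null
(Get-GPInheritance -Target $childDn).InheritedGpoLinks |
    Select-Object DisplayName, Enforced                      # the baseline is gone

# ... unless the link is enforced at the parent, in which case it wins over blocking and
# over any conflicting GPO linked lower down.
Set-GPLink -Name $gpo.DisplayName -Target $parentDn -Enforced Yes | Out-Null
(Get-GPInheritance -Target $childDn).InheritedGpoLinks |
    Select-Object DisplayName, Enforced                      # the baseline is back, Enforced = True
```

Enforce only the few GPOs that must never be overridden (security baselines, audit settings); enforcing everything removes the flexibility that a resource-based OU for GPOs was created to provide.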
Considerations for Designing OU Hierarchies

• Align the OU strategy with the administrative requirements, not with the business organization chart
• Make use of the native AD DS inheritance behavior
• Plan to accommodate change
Protecting OUs from Accidental Deletion

Protect OUs after migrations, or when earlier versions of the administrative tools are used, because OUs created by those tools may not carry the protection flag

Graphical tools:
• Active Directory Administrative Center
• Active Directory Users and Computers (Object tab, "Protect object from accidental deletion")

Windows PowerShell:
• New-ADOrganizationalUnit (protection is enabled by default; -ProtectedFromAccidentalDeletion $false turns it off)
• Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
Demonstration: Implementing OUs

In this demonstration you will see how to:
• Create an OU
• Verify that the OU is protected against accidental deletion
• Examine the default security settings of the OU
• Delete a protected OU
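The four demonstration steps as a script, added here as an example rather than the course's own demo. It also shows what the protection flag really is underneath: a pair of Deny ACEs for Everyone (Delete and Delete Subtree on the OU, Delete All Child Objects on its parent), which is why the "Access is denied" error on the first delete attempt is independent of how privileged the caller is. The domain adatum.com and the OU name are assumptions.

```powershell
# Added example (not the course's demonstration script): create, verify, inspect, delete.
# Assumptions: domain adatum.com; OU name "Contoso-Migrated" is hypothetical; run with rights
# to create and delete OUs.
Import-Module ActiveDirectory

$parent = 'DC=adatum,DC=com'
$ouDn   = "OU=Contoso-Migrated,$parent"

# 1. Create the OU. New-ADOrganizationalUnit protects it by default; the flag is spelled out here.
New-ADOrganizationalUnit -Name 'Contoso-Migrated' -Path $parent -ProtectedFromAccidentalDeletion $true

# 2. Verify the protection: the attribute view, and the Deny ACEs that implement it
Get-ADOrganizationalUnit -Identity $ouDn -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited   # Everyone: Delete, DeleteTree

# 3. Examine the default security settings: which principals hold rights on a fresh OU,
#    and how many of those ACEs are inherited from the domain versus set on the OU itself
(Get-Acl -Path "AD:\$ouDn").Access |
    Group-Object IdentityReference |
    Select-Object Name, Count, @{ n = 'Inherited'; e = { ($_.Group | Where-Object IsInherited).Count } } |
    Sort-Object Name

# 4. Delete a protected OU: the first attempt fails with "Access is denied"; clear the flag first.
try {
    Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false -ErrorAction Stop
} catch {
    Write-Warning "Expected failure while protected: $($_.Exception.Message)"
}
Set-ADOrganizationalUnit -Identity $ouDn -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDn -Confirm:$false   # add -Recursive if the OU has children
```

Because the protection is an ACE and not a privilege check, a script that strips explicit ACEs from OUs (or re-applies a template ACL with Set-Acl) removes it silently; re-run step 2 after any bulk permission change.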
Lesson 3: Designing and Implementing an AD DS Group Strategy

• Active Directory Groups in Windows Server 2012
• Developing an Active Directory Group Naming Strategy
• Strategies for Using Groups to Access Resources
• Considerations for Planning Group Administration
• Guidelines for Designing an Active Directory Group Strategy
• Demonstration: Creating and Managing Groups
Active Directory Groups in Windows Server 2012

Active Directory groups have a group type (security group or distribution group) and a group scope:

Group scope    Can contain members from                          Can be granted access to
Global         The same domain only                              Resources in any trusted domain
Domain Local   Any domain in the forest and any trusted domain   Resources in the local domain only
Universal      Any domain in the forest                          Resources in any trusted domain
Developing an Active Directory Group Naming Strategy

When developing an Active Directory group naming strategy for your organization, ensure that the naming convention:
• Conforms to a hierarchy of standard labels that you use in a fixed order
• Encodes the group's scope and purpose in the name, and records the owner's name and a description on the group object

Example: ACL_SalesFolders_Read
• Prefix: ACL (the group's purpose; here, a resource access control group)
• Resource identifier: SalesFolders
• Suffix: Read (the permission level)
• Delimiter: _
Strategies for Using Groups to Access Resources

Group Nesting (AGDLP):
• Accounts are placed in …
• Global groups, which are nested in …
• Domain Local groups, to which …
• Permissions are assigned

• Multidomain forest: AGUDLP (Accounts, Global groups, Universal groups, Domain Local groups, Permissions)
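AGDLP end to end for one resource, as an added example rather than course material. It applies the naming convention from the previous slide (ACL_<Resource>_<Level> for the domain local resource groups; the ROL_ prefix for the global role group is an assumption), nests the role into the resource group, and grants NTFS permissions only to the domain local groups. The domain adatum.com, the groups OU, the users Adam and Bill, and the folder path are hypothetical, and the script is assumed to run on the file server that hosts the folder.

```powershell
# Added example (not from the course): AGDLP for one file share, with convention-based names.
# Assumptions: domain adatum.com, OU "OU=Groups,DC=adatum,DC=com", users Adam and Bill,
# and the script runs ON the file server that hosts D:\Shares\SalesFolders.
Import-Module ActiveDirectory

$groupsOu = 'OU=Groups,DC=adatum,DC=com'
$netbios  = (Get-ADDomain).NetBIOSName
$folder   = 'D:\Shares\SalesFolders'

# A -> G: accounts go into a global group that represents the role
$role = New-ADGroup -Name 'ROL_Sales_Staff' -GroupScope Global -GroupCategory Security `
    -Path $groupsOu -Description 'Role: Sales staff. Owner: Sales IT' -PassThru
Add-ADGroupMember -Identity $role -Members 'Adam', 'Bill'

# DL: one domain local group per permission level on the resource
$read   = New-ADGroup -Name 'ACL_SalesFolders_Read'   -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupsOu -Description 'NTFS Read on \\FS1\SalesFolders. Owner: Sales IT' -PassThru
$modify = New-ADGroup -Name 'ACL_SalesFolders_Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupsOu -Description 'NTFS Modify on \\FS1\SalesFolders. Owner: Sales IT' -PassThru

# G -> DL: the role is nested into the resource group and is never granted on the folder itself.
# In a multi-domain forest (AGUDLP) nest the global group into a universal group here and the
# universal group into the domain local group.
Add-ADGroupMember -Identity $modify -Members $role

# P: permissions on the folder go only to the domain local groups plus the administrative
# principals that must always keep access
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)       # stop inheriting from D:\Shares and drop inherited ACEs
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$grants = @(
    @{ Id = "$netbios\ACL_SalesFolders_Read";   Rights = 'ReadAndExecute' },
    @{ Id = "$netbios\ACL_SalesFolders_Modify"; Rights = 'Modify' },
    @{ Id = 'BUILTIN\Administrators';            Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';               Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, [System.Security.AccessControl.FileSystemRights]$g.Rights, $inherit, $propagate, 'Allow')))
}
Set-Acl -Path $folder -AclObject $acl

# Check the chain from both ends: who ends up with Modify, and what the folder ACL contains
Get-ADGroupMember -Identity $modify -Recursive | Select-Object SamAccountName, objectClass
(Get-Acl -Path $folder).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
```

If the file server's domain controller has not yet replicated the new groups, Set-Acl fails to translate the group names; wait for replication (or create the groups on the DC the server uses) and re-run the permission step. Giving someone access later is then a group change (add the user or another role to ACL_SalesFolders_Modify), never a change to the folder ACL.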
Considerations for Planning Group Administration

Options for group placement in AD DS include the following:
• Place group objects in the same OU that contains the user accounts that are their members
• Place group objects in the same OU where the resource exists
• Place all groups centrally in the same location in AD DS
• Place groups in separate OUs (for example, resource groups apart from role groups)
• Allow group self-management
• Hybrid scenarios
Guidelines for Designing an Active Directory
Group Strategy
• Assign permissions to groups, not to individual users
• Create groups based on administrative requirements
• Add user accounts to the group that is the most
restrictive, if you have multiple groups to which you can
add user accounts
• Use built-in groups carefully, because they have a
predefined set of rights (in particular, avoid the Account
Operators group)
• Use group nesting to simplify administration
• Avoid duplicate groups with the same members
• Use the Authenticated Users group instead of the
Everyone group to grant user rights and permissions
• Limit the number of users in the Administrators groups
Demonstration: Creating and Managing Groups

In this demonstration you will see how to:
• Create an OU
• Create a group, and then configure management of the group
• Add a user to the group
• Verify that the community group can manage itself
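An added example of the self-managed community group from the demonstration (not the course's own script). The point it makes is easy to miss in the GUI: setting the manager (Set-ADGroup -ManagedBy, the "Managed By" tab) only records a name in the managedBy attribute. What actually lets the manager edit membership is a separate ACE granting write access to the member attribute, the "Manager can update membership list" check box in Active Directory Users and Computers, and this script adds that ACE explicitly. The domain adatum.com, the OU, the group name and the users Bill (manager) and Adam are assumptions.

```powershell
# Added example (not the course's demonstration script): a self-managed "community" group.
# Assumptions: domain adatum.com, OU "OU=Communities,DC=adatum,DC=com", users Bill and Adam.
Import-Module ActiveDirectory

$ouDn    = 'OU=Communities,DC=adatum,DC=com'
$manager = Get-ADUser -Identity 'Bill'

# 1. Create the group and record its manager (managedBy is informational on its own)
$group = New-ADGroup -Name 'COM_Cycling' -GroupScope Global -GroupCategory Security `
    -Path $ouDn -Description 'Community: cycling club. Self-managed.' -ManagedBy $manager -PassThru

# 2. Grant the manager write access to the member attribute of this one group object only
$memberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of "member"
$groupPath  = "AD:\$($group.DistinguishedName)"
$acl = Get-Acl -Path $groupPath
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $manager.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr)))
Set-Acl -Path $groupPath -AclObject $acl

# 3. Verify as the manager: this call runs with Bill's credentials, not the administrator's
$cred = Get-Credential -UserName 'ADATUM\Bill' -Message 'Group manager credentials'
Add-ADGroupMember -Identity $group -Members 'Adam' -Credential $cred
Get-ADGroupMember -Identity $group | Select-Object SamAccountName

# 4. Check that Bill can change membership and nothing else (no rename, no delete, no other attribute)
(Get-Acl -Path $groupPath).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like '*\Bill' } |
    Select-Object ActiveDirectoryRights, ObjectType                 # WriteProperty on the member GUID only

# Risk to raise in the lab review: a self-managed group must never be nested into a resource
# group or used in a GPO security filter, because its manager, not IT, then decides who gets
# that access. Keep self-managed groups in their own OU and audit their membership changes.
```

The Get-Credential prompt in step 3 is the verification the demonstration asks for; if the Add-ADGroupMember call succeeds under Bill's credentials and fails for another user, the delegation is exactly as intended.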
Lab: Designing and Implementing an Active Directory OU Infrastructure and Delegation Model

• Exercise 1: Designing an Organizational Unit Infrastructure
• Exercise 2: Implementing the OU Design
• Exercise 3: Designing and Implementing an Active Directory Permissions Model

Logon Information
• Virtual machine: 20413C-LON-DC1
• User name: Adatum\Administrator
• Password: Pa$$w0rd

Estimated Time: 120 minutes


Lab Scenario

In the past, A. Datum Corporation has used a highly centralized approach to managing its IT infrastructure. However, because the company has expanded to other countries, this centralized approach is no longer efficient. As a result, IT management wants the Active Directory design team to recommend how to change the Active Directory administration structure to meet the new requirements.
Lab Review

• What was your suggested OU design? What were the reasons behind your design decisions?
• While the lab had you use Windows PowerShell to move user objects based on a certain attribute, can you think of other ways to do this?
• Bill suggested self-management for certain groups. How would you implement this? What are the benefits and what are the risks associated with this recommendation?
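For the second review question, the script below is an added example (not the lab's own steps) of moving user objects into location-based OUs according to one attribute. It assumes the domain adatum.com, the City attribute (LDAP l) as the criterion, the source OU "OU=Users,DC=adatum,DC=com", and existing target OUs named "OU=Users,OU=<City>,DC=adatum,DC=com"; all of these are hypothetical. It refuses to guess when a city has no matching OU, and it supports -WhatIf so the plan can be reviewed before any object moves.

```powershell
# Added example (not from the lab): move users into per-city OUs based on the City attribute.
# Assumptions: domain adatum.com, source OU "OU=Users,DC=adatum,DC=com", target OUs
# "OU=Users,OU=<City>,DC=adatum,DC=com" already exist.
Import-Module ActiveDirectory

function Move-UsersByCity {
    # Returns one record per user it moved (or would move under -WhatIf). Users whose City
    # has no matching OU are skipped with a warning rather than moved somewhere guessed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SourceOu, [string]$DomainDn)

    $users = Get-ADUser -SearchBase $SourceOu -SearchScope OneLevel -Filter 'City -like "*"' -Properties City
    foreach ($u in $users) {
        # City is free text typed by people; sanitize it before it becomes part of a DN
        $city = ($u.City -replace '[^A-Za-z0-9 \-]', '').Trim()
        if (-not $city) { continue }
        $targetDn = "OU=Users,OU=$city,$DomainDn"
        $target = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$targetDn'"
        if (-not $target) {
            Write-Warning "$($u.SamAccountName): no OU for city '$city' ($targetDn), skipped"
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Move to $targetDn")) {
            Move-ADObject -Identity $u.DistinguishedName -TargetPath $targetDn
        }
        [PSCustomObject]@{ User = $u.SamAccountName; City = $city; Target = $targetDn }
    }
}

# Dry run first, then the real move
Move-UsersByCity -SourceOu 'OU=Users,DC=adatum,DC=com' -DomainDn 'DC=adatum,DC=com' -WhatIf
Move-UsersByCity -SourceOu 'OU=Users,DC=adatum,DC=com' -DomainDn 'DC=adatum,DC=com' | Format-Table -AutoSize
```

Moving an object changes which OU ACEs and GPOs apply to it, so the dry run is the place to confirm that nobody lands in an OU whose delegation is broader than where they came from. Other ways to do the same thing, as the review question asks, are the Move dialog in Active Directory Users and Computers, the dsmove command, and an LDIF change file with a changetype of moddn applied with ldifde.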
Module Review and Takeaways

• Review Question(s)
• Best Practice
• Common Issues and Troubleshooting Tips
