I have recently had a few customers who are focusing on a consolidation or ‘modernization’ of their directory services infrastructure, including delegation models. A big part of this adjustment is the consolidation or restructuring of OUs. Then the question becomes, “How do we approach this?” The following is not meant to be a comprehensive solution but rather a high-level introduction to the migration considerations and approach.
Background
In Active Directory, organizational units (OUs) are created for one or more primary purposes:
- Administrative convenience
- Delegation of administration
- Group policy application
While there are several different methodologies for the implementation of OU models, there are five basic models which are most commonly used:
- Geographic. This OU model is built on the distribution and segregation of resources across geographic locations. It is often used by organizations which delegate control or apply group policies by geographic location.
- Business unit. The business unit model forms an OU structure which divides resources according to the organization’s business or mission units. It is often used by organizations which are managed so that each business unit receives different policies and access.
- Object type. The object type model creates an OU structure which divides organizational resources by object type, such as users, groups, workstations, application servers, etc. It is most often used by organizations with globally standardized practices which are centrally managed.
- Minimized. Organizational unit structures often grow deep and complex quickly, particularly in large organizations. The minimized OU model strives for simplicity to prevent this growth and complexity. It is used by organizations of varying size and complexity.
- Hybrid. Very often, organizations blend some combination of the previously described models to create a hybrid OU model that best suits their needs. It is used by organizations of varying size and complexity.
Problem Statement
As organizations evolve, they often outgrow their chosen OU model or the administrative models that they once elected. The evolution of an organization and its administrative models also requires the evolution of the OU model, delegation, and policy structures.
This presents a significant challenge and cost to an organization which has invested time in the development and implementation of OU permissioning and group policy application. An additional challenge, which is typically the easiest for an organization to overcome, is adjusting to a new OU structure when accessing organizational resources. Each of the other challenges, delegation and group policy application, is addressed briefly below.
Solution
Delegation
As organizational unit structures are collapsed or otherwise modified, the delegation of access to the organizational units must also be modified. When permissions and access rights have been granted using native Active Directory permissions, it may be difficult and time consuming to accurately and completely assess current delegation. In addition to native permissioning through the Security properties of each object, Microsoft provides additional tools, such as DSREVOKE, to assess the level of access each security principal has to Active Directory. The collection and analysis of this data may become complex in large organizations, and in nearly all organizations it requires a significant investment of time.
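One way to collect that delegation data before an OU collapse, as an added example that is not from the original post: enumerate the explicit (non-inherited) ACEs on every OU, drop the principals that appear on every object by default, and group the remainder by principal. It assumes the RSAT ActiveDirectory module is installed; the list of default principals to ignore and the output file name are assumptions to adjust for your forest.

```powershell
# Added example (not from the original post): inventory explicit, non-inherited
# ACEs on every OU so current delegation can be reviewed and mapped to the
# target OU structure. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Principals that appear on nearly every object by default (assumed list);
# filter them out so the report shows only delegated access.
$domainNetbios = (Get-ADDomain).NetBIOSName
$defaultPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone', 'CREATOR OWNER',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    "$domainNetbios\Domain Admins", "$domainNetbios\Enterprise Admins"
)

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    # The AD: PSDrive (created on module import) exposes the OU's security
    # descriptor to Get-Acl as a set of ActiveDirectoryAccessRule entries.
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Inherited ACEs are reported once, at the OU where they are defined.
        if ($ace.IsInherited) { continue }
        $principal = $ace.IdentityReference.Value
        if ($defaultPrincipals -contains $principal) { continue }
        [pscustomobject]@{
            OU                  = $ou.DistinguishedName
            Principal           = $principal
            Rights              = $ace.ActiveDirectoryRights
            AccessType          = $ace.AccessControlType
            ObjectType          = $ace.ObjectType          # attribute/class/extended-right GUID, or all zeros
            InheritedObjectType = $ace.InheritedObjectType # object class the ACE applies to
            Inheritance         = $ace.InheritanceType
        }
    }
}

# One row per delegated ACE; the grouped view shows each principal's footprint,
# which is what has to be re-created (or deliberately dropped) on the target OUs.
$report | Sort-Object Principal, OU | Export-Csv -Path .\ou-delegation.csv -NoTypeInformation
$report | Group-Object Principal | Select-Object Name, Count | Sort-Object Count -Descending
```

The CSV is the record to compare against after the collapse: rerun the script on the target structure and diff the two files to confirm no delegated right was lost or silently widened.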
Impact Risk
Oversights in the collection and evaluation of this data will typically impact administrators directly. However, by restricting or delaying administrator access, user functionality is also put at risk, because those administrators may be prevented from completing tasks to support users until the appropriate access is restored.
Recommendation
Collapse of OU models is a common task among organizations as they consolidate, merge, or adjust administrative models, and completing this task is encouraged. However, it should be undertaken with great care to ensure, first, that the target model will provide the highest level of flexibility and, second, that the organization is not tempted by haste to complete the task. Experienced administrators and migration experts can help minimize organizational impact and avoid the common pitfalls that may be encountered.
Group Policy Application
Organizational unit models are very often built around the application of group policies. Where they are not, group policy models are often built around the OU structure instead. Either way, this coupling presents a significant challenge to organizations looking to collapse or adjust the OU structure; the adjustment of policies to match a new OU structure is the most significant challenge and risk to an organization. An organization must first establish the current and target OU structures along with a mapping from source to target. Once that mapping is developed, the distribution and placement of group policies must be recorded to create a policy footprint and to determine where policies may be collapsed by breaking redundant links and where the policies themselves have to be merged. This may also require evaluating policies for overlapping settings in order to keep logon and policy application times in check.
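To build the policy footprint and project it onto the source-to-target mapping, as an added example that is not from the original post: read the links on each source OU with Get-GPInheritance, tag each link with the target OU it will land on, and flag GPOs that would reach the same target from several sources, or with differing Enforced/Enabled settings. It assumes the RSAT GroupPolicy module; the OU distinguished names in the mapping and the output file name are constructed placeholders.

```powershell
# Added example (not from the original post): build the current group policy
# footprint per OU and project it onto a source-to-target OU mapping so that
# duplicate or conflicting links on the collapsed structure surface before any
# change is made. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

# Constructed mapping (placeholder DNs): source OU -> target OU. In a real
# project this is the migration mapping established for the restructure.
$ouMap = @{
    'OU=Sales,OU=EMEA,DC=contoso,DC=com'        = 'OU=Sales,DC=contoso,DC=com'
    'OU=Sales,OU=APAC,DC=contoso,DC=com'        = 'OU=Sales,DC=contoso,DC=com'
    'OU=Workstations,OU=EMEA,DC=contoso,DC=com' = 'OU=Workstations,DC=contoso,DC=com'
}

$footprint = foreach ($sourceOu in $ouMap.Keys) {
    # GpoLinks holds the links set on this OU; GpoInheritanceBlocked records
    # "Block Inheritance", which changes what the OU receives from above.
    $inh = Get-GPInheritance -Target $sourceOu
    foreach ($link in $inh.GpoLinks) {
        [pscustomobject]@{
            SourceOU          = $sourceOu
            TargetOU          = $ouMap[$sourceOu]
            Gpo               = $link.DisplayName
            GpoId             = $link.GpoId
            Enabled           = $link.Enabled
            Enforced          = $link.Enforced
            Order             = $link.Order
            BlocksInheritance = $inh.GpoInheritanceBlocked
        }
    }
}
$footprint | Export-Csv -Path .\gpo-footprint.csv -NoTypeInformation

# Group by target OU and GPO: a GPO reaching one target from several sources
# needs only a single link there; differing Enforced/Enabled values mark a
# conflict that must be resolved rather than simply collapsed.
$footprint | Group-Object TargetOU, GpoId | ForEach-Object {
    $rows = $_.Group
    [pscustomobject]@{
        TargetOU    = $rows[0].TargetOU
        Gpo         = $rows[0].Gpo
        SourceLinks = $rows.Count
        Conflict    = (($rows.Enforced | Sort-Object -Unique).Count -gt 1) -or
                      (($rows.Enabled  | Sort-Object -Unique).Count -gt 1)
    }
} | Sort-Object TargetOU, Gpo | Format-Table -AutoSize
```

Rows with SourceLinks greater than one are the link-consolidation candidates; rows with Conflict set need a settings review (for example via Get-GPOReport) before the links are merged.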
Impact Risk
If policies are not properly accounted for during an OU collapse, both administrators and users may be impacted, because access and functionality may be provided to users through the policies which apply to their user accounts or to the computers which they use.
Recommendation
The most significant risks to successfully adjusting group policy models are haste to execute the project and inexperience with group policy. It is recommended that any organization considering the adjustment of its OU model take care and time in the collection and analysis of existing policies. Group policies are particularly critical to organizations, and it is important that appropriate levels of expertise are leveraged when adjusting group policy models.