
Organizing your computers with Organizational Units

AD is the structure in which all your user, computer, and server accounts reside. As you add new users and computers into your domain, they will be automatically placed into a generic Organizational Unit (OU), which is a type of storage container. You could get away with leaving all your objects in their default locations, but there are a lot of advantages to putting a little time and effort into creating an organizational structure.

In this recipe, we will create some OUs inside Active Directory and move our existing objects into these OUs so that we can create some structure.

Getting ready

We will need a DC online for this recipe, which is a Server 2019 machine with the Active Directory Domain Services role installed. Specifically, I will be using the DC01 server that we prepped in the Configuring a combination Domain Controller, DNS server, and DHCP server recipe.

How to do it…

Let's get comfortable working with OUs by creating some of our own, as follows:

  1. Open Active Directory Users and Computers. This can be launched from the Tools menu inside Server Manager. As you can see, there are some pre-defined containers and OUs in here:

    Figure 2.11 – The Active Directory Users and Computers management console

    Tip

    Alternatively, you can also open Active Directory Users and Computers by running dsa.msc from Command Prompt or the Start screen.

  2. We can already see that the DC servers have been segmented off into their own OU. If we look in our Computers folder, however, we can see that, currently, all the other systems we have joined to the domain have been lumped together:

    Figure 2.12 – The Computers OU in the Active Directory Users and Computers console

  3. Currently, it's hard to tell which machine accomplishes what purpose apart from the machine name. The name helps, but what if you are working in an environment where there are hundreds of objects already? Or if your naming scheme were a lot more complicated? We want to break these machines up into appropriate groups so that we have better management over them in the future. Right-click on the name of your domain in the left-hand window pane and navigate to New | Organizational Unit.
  4. Input a name for your new OU and click OK. I am going to create three new top-level OUs: Servers, Office Computers, and Staff. Then, under Servers, I'm going to create Remote Access, Database, and Web Server. Under Staff, I'm going to create Sales, Marketing, Executives, and Sysadmins. We're not going to use the Staff OU right now, but it will come in handy later:

    Figure 2.13 – Showing the new OUs that have been created

  5. Now, for each object that you want to move, simply find it, right-click on it, and then click on Move...:

    Figure 2.14 – An example of moving a server to a different OU

  6. Choose which OU you would like this object to move into and click OK.

    Tip

    You can also drag and drop objects between OUs instead of right-clicking and choosing Move....

    The PowerShell command I used for creating one of my new top-level OUs is as follows:

    New-ADOrganizationalUnit -Name Servers

    Creating OUs as children of other OUs isn't quite as straightforward, as it requires you to know the LDAP distinguished name of the parent OU you want to create it under. In this example, I would run the following:

    New-ADOrganizationalUnit -Name Database -Path 'OU=Servers,DC=ad,DC=cookbook,DC=packt,DC=com'
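
The whole procedure above can also be scripted. The following is an added example, not code from the book: it builds the OU tree named in step 4 so that it is safe to re-run, sets accidental-deletion protection explicitly on each OU, and moves one computer object as in steps 5 and 6. The helper name `New-OUIfMissing` and the computer name `WEB1` are hypothetical.

```powershell
# Added example: builds the OU tree from step 4 and moves one computer object.
Import-Module ActiveDirectory

# Read the domain DN instead of hard-coding it (DC=ad,DC=cookbook,DC=packt,DC=com in this recipe)
$domainDN = (Get-ADDomain).DistinguishedName

# Top-level OU -> child OUs, exactly as named in step 4
$tree = [ordered]@{
    'Servers'          = @('Remote Access', 'Database', 'Web Server')
    'Office Computers' = @()
    'Staff'            = @('Sales', 'Marketing', 'Executives', 'Sysadmins')
}

function New-OUIfMissing {   # hypothetical helper, not part of the ActiveDirectory module
    param([string]$Name, [string]$Path)
    # Look only at direct children of $Path so a same-named OU elsewhere is ignored
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
        -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true
    }
    return "OU=$Name,$Path"   # DN of the OU, used as the parent path for its children
}

foreach ($top in $tree.Keys) {
    $topDN = New-OUIfMissing -Name $top -Path $domainDN
    foreach ($child in $tree[$top]) {
        New-OUIfMissing -Name $child -Path $topDN | Out-Null
    }
}

# Move a computer account into Servers\Web Server (WEB1 is a placeholder name)
$target   = "OU=Web Server,OU=Servers,$domainDN"
$computer = Get-ADComputer -Identity 'WEB1'
if ($computer.DistinguishedName -notlike "*,$target") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target
}

# Verify: list the resulting OUs and the computers now in the target OU
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN |
    Sort-Object DistinguishedName |
    Select-Object Name, DistinguishedName
Get-ADComputer -Filter * -SearchBase $target | Select-Object Name
```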

How it works…

The actual work involved with creating OUs and moving objects around between them isn't complicated at all. What is more important about this recipe is prompting you to think about which way works best for you to set up these OUs to make the best organizational sense for your environment. By breaking our computer accounts out into pinpointed groups, we are able, in the future, to easily do things such as discover how many web servers we have, or do some quick reporting on how many user accounts we have in the sales group. We could even apply different Group Policy settings to different computer sets based on what OU they are contained within. Both reporting and applying settings can be greatly improved upon by making good use of OUs inside AD.
