AD: OU for system administrator accounts

by SubZeno   Last Updated May 15, 2019 17:00 PM

Just a simple question:

Does it make sense to create a dedicated OU in Active Directory for system administrators (including domain controller admins)? Are there drawbacks to following this approach? Is there a good practice in this regard?



2 Answers


To keep it simple: yes, it adds value; I don't see any drawback.

Such a scenario makes sense if your organization uses a lot of user Group Policy.

A dedicated OU allows you to isolate the administrators' accounts from all the user GPOs easily.

yagmoth555
May 15, 2019 16:25 PM

The Real Answer(tm) is something like: Uhh-- maybe, depending on what you're trying to accomplish. Tell us more about why you're thinking about doing this and we can give you a more specific answer. What are you actually trying to accomplish?

There is no specific best practice that I'm aware of. Active Directory has a safeguard (adminSDHolder and sdProp) to prevent Delegation of Control activities from compromising privileged accounts. You don't have a major risk of opening up "Domain Admins" or other privileged group membership simply by placing privileged accounts into an OU.

If you're looking to do this simply for visual organization you should read-up on using queries in "Active Directory Users and Computers". You can make "views" of Active Directory objects that look virtually any way you can think of.

If your goals go beyond visual then you need to think about a variety of concerns.

The physical structure of the domain partition of an Active Directory (the OU structure) is best structured to facilitate Delegation of Control first, and Group Policy deployment second.

If this proposed separation is based on a Delegation of Control concern then you'd do well to read up on adminSDHolder, sdProp, and how permissions for privileged accounts work in AD.

If you're talking about controlling Group Policy application then, sure, put the accounts in an OU. (Heck, put 'em in two.) There's still an "it depends on what you're trying to accomplish" component to that, too. Are you looking for an easy way to segregate user Group Policy for a class of users? Filtering GPOs with group membership might accomplish the same thing you're looking for and could prevent you from needing to "repeat yourself" by linking common GPOs in multiple locations (or, worse, duplicating the same settings in multiple GPOs).

The nature of your question makes me think you should probably take a look at some Active Directory design documentation (like https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning), too.

Evan Anderson
May 15, 2019 16:34 PM
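As an added illustration of the points made in the answer above (this is example code written for this page, not code from the thread or its answerers): it verifies the adminSDHolder/sdProp protection on accounts placed in a dedicated OU, lists what has actually been delegated on that OU, and shows the "filter the GPO by group" alternative to linking GPOs to the OU. The OU path, group name and GPO name are placeholders; it assumes the RSAT ActiveDirectory and GroupPolicy modules in a domain-joined admin session.

```powershell
# Added example for this thread (not the answerers' code). Assumes the RSAT
# ActiveDirectory and GroupPolicy modules and a domain-joined admin session.
# The OU path, group name and GPO name below are assumptions, not real objects.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$AdminOU = "OU=Admin Accounts,DC=corp,DC=example"   # assumed dedicated OU
$Domain  = Get-ADDomain

# 1. Placing privileged accounts in an OU does not expose them to OU-level
#    delegation: sdProp stamps adminCount=1, disables ACL inheritance and
#    copies the DACL from CN=AdminSDHolder,CN=System onto each protected object.
function Test-AdminSDHolderProtection {
    param([string]$SearchBase)

    $holderDn   = "CN=AdminSDHolder,$($Domain.SystemsContainer)"
    $holderAcl  = (Get-ADObject -Identity $holderDn -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $holderSddl = $holderAcl.GetSecurityDescriptorSddlForm('Access')   # DACL only

    Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            $acl = $_.nTSecurityDescriptor
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                AdminCount           = $_.adminCount
                InheritanceDisabled  = $acl.AreAccessRulesProtected
                # Normally $true once sdProp (runs hourly on the PDC emulator) has processed the object
                MatchesAdminSDHolder = ($acl.GetSecurityDescriptorSddlForm('Access') -eq $holderSddl)
            }
        }
}

# 2. What was explicitly delegated on the OU itself (the part sdProp stops
#    from reaching protected accounts): only the non-inherited ACEs.
function Get-OUDelegation {
    param([string]$OUPath)

    (Get-Acl -Path "AD:\$OUPath").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
}

# 3. Group Policy alternative to a per-OU link: scope one GPO by security
#    filtering so it applies only to members of an admin group, wherever their
#    accounts live. Authenticated Users keep Read (needed since MS16-072 so the
#    client can still retrieve the GPO) but lose Apply.
function Set-GpoAppliesOnlyToGroup {
    param([string]$GpoName, [string]$GroupName)

    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    Get-GPPermission -Name $GpoName -All
}

# Usage (assumed names):
Test-AdminSDHolderProtection -SearchBase $AdminOU | Format-Table -AutoSize
Get-OUDelegation -OUPath $AdminOU | Format-Table -AutoSize
# Set-GpoAppliesOnlyToGroup -GpoName 'Admin Account Lockdown' -GroupName 'Tier0 Admins'
```

One caveat the first function does not catch: an account removed from a protected group keeps adminCount=1 and its blocked inheritance until someone clears them, so "InheritanceDisabled = True" alone is not proof that the account is still a member of a privileged group.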
