Admins who create all AD users in the default users OU with no structure/organization, who hurt you?
Posted by Defconx19@reddit | sysadmin | 283 comments
It's just so common and fucks with my tism to see AD with no sense of organizational hierarchy. I mean, if you have a company with 5 people, sure, but at places with 100+, even 1000+ users, what is your life where you can't be bothered to create a base departmental OU structure?
deltashmelta@reddit
They go in the default people OU, and security groups are assigned to users by type and status imported from HR's ERP system. Not bad.
FlibblesHexEyes@reddit
Given our executive branch seems to want to restructure once a year, and we're moving to an Azure only model, attempting OU based organisation in AD was kind of pointless for us.
Instead we just use the user department attribute which dynamic groups in Azure look for.
This makes it far easier when we start implementing HRIS, which will finally move the restructuring task to HR where it belongs.
lordmycal@reddit
That works until you have a user that works part time in two different departments...
reserved_seating@reddit
Go based on what HR has. HR is the true source of employee info and usually wouldn’t actually have someone in two departments “in the system.”
lordmycal@reddit
Depends on which system you use. You may be able to have people in multiple departments in your HR software. AD and Entra don't support that.
reserved_seating@reddit
There should (stress should) be a single source of truth in the HR world. If there isn't, then just go with whatever they do full time, and special privileges assigned to their specific account for the PT stuff.
420GB@reddit
You don't understand, there is a single source of truth and it is the HR system. But employees may just officially hold two positions or two functions.
hasthisusernamegone@reddit
Well then they just need to have two accounts. Thank you very much, where do I submit my consultancy invoice to?
420GB@reddit
Good luck being paid by the fuming CFO who has to sign out and sign into another account to access a file in their role as Press Contact, then sign out and back in as CFO to send a mail with the proper signature, repeat x30 per day lol
hasthisusernamegone@reddit
Well then he can just share the login details with one of the juniors on his team and get them to do it.
Thank you very much, where do I submit my consultancy invoice to?
420GB@reddit
Los Pollos Hermanos Inc.
308 Negra Arroyo Lane,
Albuquerque, New Mexico
matroosoft@reddit
Big brain moment
the_federation@reddit
We have some users that don't do anything FT; they're PT for 2 different departments, which sums up to an FT position.
We have a department with a special domain for branding, let's say @SpecialDept.com. All users in that department get an @SpecialDept.com address as their primary SMTP as well as a standard @Company.com as an alias. One of these users switched to a role where they did work 50/50 for the special department and a standard department. The manager from the standard department complained that internal emails from this user were showing as coming from @SpecialDept.com. We told her that internal users will see the user's contact card in the GAL which shows his primary SMTP, even when he sends as alias. So she asked to change his primary SMTP to @Company.com. Well, the manager from Special Department didn't like that and said he still works for them, so he needs @SpecialDept.com to be his primary. We took this to HR to tell us what his main department is... they couldn't tell us. (The manager from Standard Department tried having us create a separate mailbox for him and have him manage two mailboxes. We squashed that idea quickly.)
MalletNGrease@reddit
This causes me to drink. The organization chart is more of a venn diagram
Cyhawk@reddit
So put them in whatever is first in the list, or alphabetical.
ReputationNo8889@reddit
No, they would have someone with the department Finance/IT in their system, which will break dynamic groups for this user ...
Been there done that ...
ZealousidealTurn2211@reddit
My status in slack is "HR data is just your opinion, man" for a reason. They're not exactly fastidious record keepers.
HugeAlbatrossForm@reddit
Middle aged white lady, "He's both. Put him in both."
oyarasaX@reddit
it also works until your internet connection goes down.
FlibblesHexEyes@reddit
Most of our perms are applied using access packages in Azure, so we simply manually apply an access package to a user for the time that HR says they’re in that department.
It doesn’t happen often enough in our org for us to come up with anything more automated/elaborate.
altodor@reddit
The only time I've seen something like this personally, a user was like an associate dean or something by day and an usher for the school's theatre by night.
BigSnackStove@reddit
MyBusiness
Vicus_92@reddit
Someone worked with Small Businesses.
clt81delta@reddit
How about those companies who outgrew SBS, or the hardware wasn't beefy enough to run AD, DNS, CA, Exchange, SQL, SharePoint.... Worked for an MSP at one point; I think I performed half a dozen 'upgrades' to Server Standard and broke those services out into multiple servers/VMs.
What an absolute nightmare that was....
Klynn7@reddit
The problem is anyone with the money for a server beefy enough to run all of that, wasn’t buying SBS in the first place.
SolidKnight@reddit
Those are what we like to call good times.
xMcRaemanx@reddit
We look at our virtualized (mostly) single role servers and thank the lord we no longer have to answer the age old question of "why is my ad/dns/dhcp/fs/exchange/sharepoint/iis/sql/rds server for 100 users so slow?"
kidrob0tn1k@reddit
Is there a “standard” or “go to” setup regarding the number of roles/services per server? I imagine this would be based on the resources available, right? CPU, RAM, etc?
xMcRaemanx@reddit
The fewer the better. Not only to account for resource availability but downtime tolerance.
If you only host one app on a server and it's having issues or it needs maintenance it's a lot less impact to have it standalone.
I would much rather manage 4 servers hosting one major service each with 4 vcpus and 8gb memory than a single server running 4 major services with 16 vcpus and 32 gb memory kind of thing.
Acceptable compromises are hosting an app and its associated database on the same server since it's all related. Obviously AD+DNS, maybe DHCP. You might have a few IT tools running on the same server for simplicity since they can pull up their big boy pants and tolerate some downtime.
SBS 2011 was sold to small business as a compromise before virtualization took hold, and it was a hot mess once they started to scale up. They basically went against all previous recommendations of keeping AD separate from Exchange separate from SharePoint separate from your RDS server separate from your file server (since it was unaffordable) and bundled it all together saying go nuts.
For like 1-25 people it was OK, but if you were actually utilizing all those services the gradual increase killed the server over time as you grew.
kidrob0tn1k@reddit
I appreciate the insight. I’m new to learning things related to SysAdmin so this information is helpful. Thanks again!
1armsteve@reddit
Little bit more for you since you said you're learning: an AD server will always have the DNS server role as well, so that's one where you will always see two roles. DHCP should be run on separate servers or dedicated network appliances. File servers should only be file servers, IIS should be IIS, print servers should be print servers, etc.
Since SBS encouraged you to install all these services on the same server, a lot of self taught sysadmins from that time will shove all these services onto one server and not think a thing of it until everything stops working because of one misconfiguration of one service they configured years ago. I shudder recalling the calls at the MSP I worked at back in 2010-15 from churches, dentist and lawyer offices who had a SBS server setup by a long gone PC repair tech back in 2003 that just stopped working.
We have been migrating a lot of these dedicated service servers to Server Nano, like DHCP, DNS, NAP, CA to help save resources since there is no GUI. Something to look into.
ethnicman1971@reddit
I never had the “pleasure” of working with SBS but I seem to remember hearing that trying to go from SBS to hosting each app on its own server was no easy task.
1armsteve@reddit
Correct because of the nature of SBS, a lot of the roles expected other services to be running on the same host. It was a nightmare and we would typically just start over and migrate data to new servers than try to undo it all.
kidrob0tn1k@reddit
Thank you. Yes, I am in the early stages of attempting to transition into this field. I currently have a VM installed on a workstation that is running Windows Server 2022. I just completed two courses, one on Udemy & one on LinkedIn Learning, that cover the basics. So I am now familiar with many of the various roles, but what wasn’t covered was the way in which you should deploy them (1:1). So again, thank you for sharing your knowledge.
Vino84@reddit
Don't forget that sometimes compromises must be made. It's okay to colocate two or three services on the same VM if you have hardware or licensing restrictions. We used to have File and Print on the same VM for branch offices at an old job.
monoman67@reddit
Think of everything in terms of being a risk pool. How much stuff do you want to stop working if this thing breaks?
clt81delta@reddit
Look up Microsoft Small Business Server
kidrob0tn1k@reddit
Looks like it is now called Windows Server Essentials. Thank you.
mustang__1@reddit
dont forget MAS90/Sage100....
1armsteve@reddit
LOL, you just triggered a serious PTSD flashback. AD/Print/DHCP/File/SQL/MAS90/NAP/Exchange all on one poor PowerEdge T series underneath boxes of copier paper and plastic cups in a dusty, cramped supply closet in the back of a real estate office in the early 2000s with a beeping UPS on its side behind it. The office workers thought the server beeped; as in it was meant to do that, like nothing was wrong.
WhAtEvErYoUmEaN101@reddit
Every single fucking time.
I hope I'll never have to see this "oopsie woopsie, you broke the license agreement by promoting another domain controller, I'll shut down in X minutes" screen ever again
GhoastTypist@reddit
I felt that.
But I do agree. Small business doesn't require the same level of organization that big enterprise does. However, when a business starts scaling up, so should the internal processes, to match a bigger workforce. I've been trying to relay that to my organization and yet we only just learned the concept of change management (been pushing that for close to 7 years). It's not implemented, but we had an introduction to it.
That's essentially small business. You have some internal workers that see the future and know where we're going, but the rest of the organization wants to stay compartmentalized and stuck in their no-change ways. So growth is really resisted, new improved practices are avoided.
Ekgladiator@reddit
Why change what isn't broken? ☠️
Mr-RS182@reddit
Wounded
DiHydro@reddit
Don't remind me of work during non-work hours....
hangin_on_by_an_RJ45@reddit
Attacked! :(
Defconx19@reddit (OP)
ohno
alluran@reddit
The outsourced MSP :'(
Goose-Pond@reddit
Sometimes the mountains of tech debt are insurmountable, if you’re not going to be there long term why fuck with it. Pay me shit get shit back.
Maro1947@reddit
I inherited an AD like this
We demerged and I created a brand new AD for all servers then gradually migrated users across after the heavy lifting.
dirtyredog@reddit
"One" of our domains has singular and plural versions. They once asked me to switch everyone; I just laughed in the most above-my-pay-grade voice I could conjure.
Maro1947@reddit
Oh indeed, I negotiated a big pay rise, bonus and promotion before I even attempted it.
Even then I told them it was on them and the Good/Fast/Cheap pyramid would be in effect.
It took double the predicted time because of that
hangin_on_by_an_RJ45@reddit
This sums up everything I hate about working in IT nicely
Playful_Tie_5323@reddit
A phrase I'm hearing quite a lot at my place is "We've always done it this way" - Yeah, but what if that "way" was absolutely shit all along?? Frustrating the life out of me.
klauskervin@reddit
I get this a lot for software that used to have network based licensing now switching to user based licensing. What do you mean we all can't share a single account???? It's fun telling them they were following the terms and conditions of the software to begin with and now their little work around of licensing doesn't work anymore. Time to pay the vendor the money you should have been paying them for single licenses the whole time!
SFHalfling@reddit
On the other side, I've seen some software recently move where before the license was explicitly sold, labeled, and documented as a floating license for simultaneous users, and they're moving to named user solely to make more money for the same product.
klauskervin@reddit
That has definitely happened too. Several of our "perpetuals" turned out not to be so perpetual after the vendor took down their licensing server the perpetual licenses needed to communicate with in order to activate a license. So the few devices with those perpetuals still activated are all there will ever be.
hangin_on_by_an_RJ45@reddit
Software licensing sucks ass no matter which way you slice it.
wonderwall879@reddit
If you're solo consulting and you do this, expect to get taken to small claims court down the road eventually. Botched jobs eventually are going to come back to bite you once a competent party comes in and blows the whistle.
roy_derg@reddit
Wrong mentality
skylinesora@reddit
Pretty stupid mentality. If the pay was shit, you didn't have to take it.
CracklingRush@reddit
Ah, the classic pathetic sysadmin attitude.
changee_of_ways@reddit
after 10 or 15 years of rolling the boulder uphill, you just realize you might as well let 'er go.
Rolli_boi@reddit
Google Apps.
That1DudeOne@reddit
After 15 years of being a director at my current employer, I'm moving on to a new larger employer. Who happens to have all of their 1000+ users in 1 OU, along with their PCs and servers in the Computers OU.... One of those "I messed up" moments...
hurkwurk@reddit
On the flip side, why the fuck are there defaults if they aren't supposed to be used?
orion3311@reddit
Because AD never took off the way MS intended and it still looks like it did in 2000, which was 25 years ago.
Dissk@reddit
Dude, what? Almost every enterprise company in the world uses Active Directory. What does it looking old have anything to do with it, if it ain't broke don't fix it.
orion3311@reddit
It's one thing to look old and be reliable, and it's another thing to add a single-digit number of features to a system over the course of 25 years.
To clarify my statement, when I say "took off", I mean the deep integration they intended to do with it with apps.
Being a requirement of having a domain means that everybody is going to use it no matter how bad or good it is.
lordmycal@reddit
They gave up on it when Satya Nadella took over with his "Cloud First" vision. There really haven't been any major improvements to Active Directory since then because he wanted everyone to move to Azure. Azure AD and Intune are still a bit of a shit show from a management perspective, and on-prem AD is still solid but really showing its age.
ProfessionalITShark@reddit
I mean they did add a functional level with 2025.
lordmycal@reddit
Amazing. But no new features that anyone really gives a shit about. The last big feature change I can remember off the top of my head was when they added the AD recycle bin. It's been over a decade since then.
ProfessionalITShark@reddit
Eh, I like the new 32k database, and object repair features.
themanbow@reddit
You're not wrong.
After all, aside from the 2025 functional level ProfessionalITShark mentioned, the last functional level that was added was 2016!
When was the AD Recycle Bin added? 2008!
This is why I tell anyone new to Active Directory to study some old Windows Server 2012 R2 MCSE material, as 1) per your point, AD hasn't really changed all that much, so they can still learn the fundamentals from this material, and 2) Microsoft discontinued Windows Server-based Microsoft Certifications after around that time frame.
agitated--crow@reddit
What do you mean by functional level?
Suaveman01@reddit
What improvements can you think of? I think it’s pretty solid as well and I can’t think of how I’d improve it off the top of my head. Sure it’s not behind a pretty web console but I actually kind of like it that way.
lordmycal@reddit
One of the biggest problems with AD and AD joined systems is that they're still using passwords under the hood for just about everything. You can install Duo on all your workstations and servers, but that doesn't stop a rogue actor from plugging in a laptop somewhere and remoting in with powershell or psexec or something.
Suaveman01@reddit
There are literally multiple ways you can stop people from remotely accessing your domain joined workstations and servers, I’m not really seeing the issue here.
lordmycal@reddit
Sure, but every modern system under the sun does multifactor authentication out of the box. Active Directory does not; they've pawned that off to the workstation to handle as an add-in you buy from a 3rd party. If you use powershell remoting to access another workstation in your domain, all you need is a valid username and password. If you use psexec the same thing applies. The underlying authentication method is basically the same as it was in 2012. With 3rd party software the GUI gets MFA, but the command line and anything else under the hood does not.
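The exposure lordmycal describes above, turned into a detection check. This is an added example, not code from the thread: NTLM credential validation is recorded on the domain controller that validates the password as Security event 4776, and that event carries the name of the workstation that presented the credentials. Comparing that name against the domain's computer objects surfaces password-based network authentication from hosts that are not domain joined (for instance a laptop plugged into a spare port and used with psexec or PowerShell remoting). The event ID and field names are those of the Windows Security log; the one-day lookback and the assumption that it runs on a DC (or against a DC's Security log) are mine.

```powershell
Import-Module ActiveDirectory

# Assumed: run on a domain controller, or point Get-WinEvent at one with -ComputerName.
$since = (Get-Date).AddDays(-1)

# Every computer object in the domain, upper-cased for comparison.
$joined = @{}
foreach ($c in Get-ADComputer -Filter *) { $joined[$c.Name.ToUpperInvariant()] = $true }

# 4776: "The computer attempted to validate the credentials for an account" (NTLM).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776; StartTime = $since } `
    -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $ws = ([string]$d['Workstation']).Trim('\').ToUpperInvariant()
    if (-not $ws) { continue }                    # no source name recorded
    if ($joined.ContainsKey($ws)) { continue }    # domain-joined host: expected traffic

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $d['TargetUserName']
        Workstation = $ws
        Status      = $d['Status']                # 0x0 = password accepted
    }
}

# One row per unknown workstation, with the accounts it validated against.
$findings | Group-Object Workstation | ForEach-Object {
    [pscustomobject]@{
        Workstation = $_.Name
        Attempts    = $_.Count
        Accepted    = @($_.Group | Where-Object Status -eq '0x0').Count
        Accounts    = ($_.Group.Account | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Attempts -Descending | Format-Table -AutoSize
```

Two caveats a practitioner would want: Kerberos logons do not produce 4776 (look at 4768/4769 and their IpAddress field for that side), and the workstation name in 4776 is supplied by the client, so a host that spoofs a legitimate computer name evades this. It is a tripwire for the scenario in the comment, not a control; the controls are Protected Users, NTLM restriction policies and restricting who may log on over the network.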
Suaveman01@reddit
Fair enough, that would be one thing that could be done better, but with everything else you can put in place to mitigate that risk it's not something that would deter me from using it.
fadingcross@reddit
I understand what you meant by that and agree with you, but saying "AD never took off" is a wild statement if you remove the context, given there are likely more orgs with on-prem AD than without worldwide.
Imagine if AD had a supply chain remote exploit that's been hidden for a decade; the world would burn.
orion3311@reddit
I agree, but most places didn't have a choice as it was the next-gen NT domain.
ProfessionalITShark@reddit
Wait what did they intend?
orion3311@reddit
I think they wanted all the on-prem apps to dive into AD; storing settings and metadata in AD, etc. I'm sure a bunch of apps did but in my experience nothing I saw other than Exchange onprem ever really integrated into it. It wasn't until much later on where companies started syncing with it for cloud IDP use, but I wouldn't call that integrated.
WWGHIAFTC@reddit
It's a blank slate system. It's up to you to build it out, not stay inside some pre-drawn lines that restrict what you can do.
The default exists because an object has to go 'somewhere' - it's not a default to be used.
lukistellar@reddit
Came from a smaller environment, in the past I always thought, it must be a charm to work for bigger firms, with their organizational knowledge they surely will be professional as heck. Oh boy was I wrong.
Dimens101@reddit
It sounds like a place where all users are so competent you do not need GPOs, aka heaven, and it doesn't exist.
Fresh_Dog4602@reddit
Security group filtering?
Eneerge@reddit
Let me know when you upgrade to Entra.
TheRani_Ushas@reddit
In AD my philosophy has always been to only create OUs/structure when it serves a specific purpose. I have always resisted creating an organizational hierarchy/structure just to satisfy my obsessive compulsive desire for structure. My OCD is strong; my resistance, so far, has been stronger. I have always had a very flat AD structure because I refuse to create OUs unless there is a reason. The number 1 reason I have encountered is the application of Group Policies. This means I generally need to create a Users OU separate from the built-in Users container. For computers I will create a Laptop OU, a Desktop OU, and a Servers OU because we have those types and each needs different group policies applied. While we have departments like Accounting and HR, there is nothing sufficiently different about those users or computers to require different group policies (and their own OU) or that cannot be handled by targeting within the specific group policy.
Brave_Rough_6713@reddit
Or the opposite...you have a monkey cage situation, and over 2000 users all over the place because over time too many admins created infrastructure and in the middle of it, just left.
itmik@reddit
why are you so dedicated to imposing artificial class structure in places that don't need it? We are all humans, equality is more important than replicating the bullshit hierarchies our capitalist oppressors would never even see.
/s
cbass377@reddit
I will offer an opinion that is contrary.
OUs are not folders to organize your AD. They are for setting up group policy, delegation, and administrative boundaries.
If you only have 1 admin group for all users, why "folder" them?
You can apply GPOs at the container and apply it by security group.
A user can be in multiple security groups but can only be in 1 OU.
Populate the other fields in the ad object. Then tune your ADUC to see the columns, and sort them to find the accounts in one list. If you populate the address, or department fields then you can define a collection of saved AD searches, if it really bothers you.
I will say it does get tedious for more than 1000 or so. But why make it needlessly complex.
The last thing you want when you are troubleshooting why a GPO won't execute, or trying to figure out why another department's homegrown application's LDAP lookup won't find a user, is a 10-level-deep OU tree.
Imagine how fast your PowerShell script can find a user if it only has to search 1 OU instead of a 10-level-deep OU tree.
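An added example (not from the thread) of what cbass377 describes: keep the people accounts in one flat OU, populate the department and title attributes, and answer organisational questions with a server-side LDAP filter against that single container instead of a tree walk. The OU DN, domain and department values are assumptions; the cmdlets are the standard RSAT ActiveDirectory module ones. The first query also lists accounts whose department field was never filled in, which is the gap that silently breaks attribute-driven groups.

```powershell
Import-Module ActiveDirectory

# Assumed: one flat OU holding every person account (example DN, not the thread's).
$peopleOu = 'OU=People,DC=corp,DC=example'

# Single container, one level, server-side filter: no recursion through sub-OUs.
$users = Get-ADUser -SearchBase $peopleOu -SearchScope OneLevel `
    -LDAPFilter '(&(objectCategory=person)(objectClass=user))' `
    -Properties department, title, physicalDeliveryOfficeName, whenCreated

# Headcount per department; a large "<blank>" bucket means HR data never reached AD.
$users | Group-Object department | Sort-Object Count -Descending |
    Select-Object @{ n = 'Department'; e = { if ($_.Name) { $_.Name } else { '<blank>' } } }, Count |
    Format-Table -AutoSize

# The kind of saved query ADUC would hold: enabled Finance staff who have a title set.
# The bitwise rule on userAccountControl (bit 2) excludes disabled accounts server-side.
Get-ADUser -SearchBase $peopleOu -SearchScope OneLevel -Properties title `
    -LDAPFilter '(&(department=Finance)(title=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' |
    Select-Object SamAccountName, Name, title |
    Format-Table -AutoSize
```

The same filters work from any LDAP client, which is the point: attribute data travels with the object, whereas an OU path is only meaningful to whoever drew the tree.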
The_Lez@reddit
This is exactly how my company is set up right now. All computers in the Computers container, and all users in the MyBusiness OU.
I meant to reorganize when I started but just haven't had an opportunity
jstar77@reddit
They are the ones who say "see I told you so" when they migrated to Entra.
PacketMover@reddit
On the flip side I've seen some OU structures that make no damn sense.
mesaoptimizer@reddit
OUs for organization or categorization of accounts isn't always the best thing either. An OU should be created because you need to delegate permissions differently or to make policy management easier.
Agreed keeping them all in the default container is wild, but department structures aren't always the best either, people change departments, they get renamed or reorganized and it's a huge pain.
WokeHammer40Genders@reddit
The problem with OUs is that AD design is flawed from the get-go.
They should only exist for organization and delegation purposes.
And groups should be the way that GPOs are linked to computers.
But we all know this isn't a reliable way to work around it .
Unable-Entrance3110@reddit
Yep, our AD structure is in service of GPOs primarily and synchronization to the cloud secondarily.
Any other organizational structures in AD would be purely cosmetic.
tartarsauceboi@reddit
Just give everyone access to everything yall!!!! You're over complicating this 😭😭😭
soggybiscuit93@reddit
It's not overcomplicated. SGs are better ways of delegating GPOs than an overly complex OU structure.
Say you manage OUs by branch office and link branch office drive mapping to the OU...okay, now what if an employee floats between offices and needs both mapped drives?
What if you organize OUs by department and map GPOs that way: okay, now what if a role requires access to 2 different departments?
SGs are significantly more flexible. Hierarchical policy management is a legacy way of thinking.
patmorgan235@reddit
Don't use mapped drives use DFS-N with access based enumeration.
Agree, SGs are more powerful and allow you to compose GPs.
altodor@reddit
When I primarily did AD stuff I could get away with a blend of hierarchy, item-level targeting, and security groups based on what made the most sense for the policy. As primarily an Intune/Entra admin these days, I have lots of preference for linking shit to dynamic groups so no one has to manually maintain the memberships and the access control to anything that's not the high security stuff.
soggybiscuit93@reddit
We wanted to go full Intune management, but with a limited time frame given and a lot of legacy applications, just not enough time to make such a drastic change in addition to the merger.
We do have a few affiliate companies we own that need to stay separate, so we get to roll Entra/Intune only deployments there and experiment with all types of interesting styles.
Policy management via dynamic groups based on attributes is definitely the way to go. So long as desktop support fills out the user attributes well during on-boarding, that combined with Autopilot makes onboarding and user management such a breeze.
patmorgan235@reddit
I think OUs for categories is fine, you probably don't want to do location/department OUs, but having "Employees", "vendors","auditors",and "admins" OUs is useful for management/automation/reporting.
mesaoptimizer@reddit
But those are all categories probably need different policy applied to them, and at least Admins will need more restrictive delegations for AD management. So that perfectly fits in with the reasons why you SHOULD make an OU.
Elusive_Entity420@reddit
This doesn't happen at very large companies and even if it would a script easily moves users around.
IMplodeMeGrr@reddit
Unless you have Linux systems doing LDAP against AD and expecting the entire DN for authentication; moving the user changes their DN, and now you've basically deactivated your entire DevOps team from their systems.
Elusive_Entity420@reddit
LUL, no
IMplodeMeGrr@reddit
I guess I meant apps , not "systems"
StunningChef3117@reddit
Seems like a flawed implementation either in the app or from the admin that set it up; ideally it would point to a group, though I understand that your situation likely is not unlikely.
IMplodeMeGrr@reddit
With companies keeping low staff and an itch to get things implemented cheaply, even from vaporware GitHub projects... and the devs that built it moved on 3 years ago... it's not a never issue.
But hey, even though I've experienced it myself, I can get on the ship and tell OP it's a never issue and never validate or worry about it.
StunningChef3117@reddit
Really sorry if it came out arrogant or negative; I now understand it's more common than I thought.
IMplodeMeGrr@reddit
It's more of... you came across as an exec that "knows better".
StunningChef3117@reddit
Oh thx didn’t realise
IMplodeMeGrr@reddit
LoL ...
Ssakaa@reddit
Whew. Sure glad we never have to deal with poorly designed enterprise software that does things like that... or open source (zabbix for example, and I've used others).
Using a fixed "bind dn" for the ldap sync/lookup account is common.
StunningChef3117@reddit
Sorry if it seemed arrogant in any way; I'm a student and most apps I've connected with LDAP were able to use groups. But TIL.
kona420@reddit
Glad I never spent 6 figures on a flawed piece of software from Oracle.
Isord@reddit
I work in one of the largest companies and people move all the time.
mesaoptimizer@reddit
Depends on your sector I'd guess, I'm in Education and this happens continuously in multiple orgs I've worked at with >5k employees.
meest@reddit
I was just going to say. The previous person has never worked in Higher Ed if they haven't experienced massive department restructures every 3 years.
It's the game of playing hot potato with the one outlier of a degree program that no one really wants to own. So it gets tossed around between colleges whenever the Deans, Provost, or President change around or something.
dagbrown@reddit
What kind of company do you work at?
I work at a giant regulation-bound shop, the sort where people settle in for decades-long careers, and people move around from department to department (to say nothing of country to country) all the time.
HugeAlbatrossForm@reddit
Exactly: Google has 2 OUs for users, contractors and FTE. That's it.
exchange12rocks@reddit
A similar situation is in Microsoft AFAIK
purplemonkeymad@reddit
I still like to at least organise the wheat from chaff. Pulling those service accounts and groups away from users accounts helps finding stuff quickly. But in the end search is still a better method when you have decent amount.
Defconx19@reddit (OP)
I'm dying for any sort of structure lately, like literally anything, IDGAF, group based, OU based, fucking alphanumerical enumerators attached to the displayname like anything.
D0ct0rIT@reddit
I'll PM you, I got an example for you.
Defconx19@reddit (OP)
Oh I don't need examples of other methods, I'm with an MSP and all the customers that we on board lately are just a horror show to try and figure out what is going on and who is meant to get what.
TrickyAlbatross2802@reddit
I think I'd rather come into essentially a blank slate than try to undo decades of bad decisions, unnecessary silo'ing and segmenting in wildly inconsistent ways.
Also fun if the company has purchased/merged multiple others and combined them into a monstrosity of vastly different ways of managing and existing and each site/company/etc. is personally invested and takes any attempts at standardizing like you shot their gifted toddler.
RBeck@reddit
Grouped by astrological sign. Sub-divided by Mac or PC.
CracklingRush@reddit
But it's not that huge of a pain.. heh.
Dadarian@reddit
Flat data —> Metadata is way better than endless nested directories.
YouGottaBeKittenM3@reddit
I'll go with this one
Icy_Mud2569@reddit
I’ve seen this done so many different ways, the last place I worked where I was involved in a reorganization, we put all of the users into different OUs, by department, but there were automated scripts that looked at extended attributes to determine where an account should be, based on changes initiated by the HR team.
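An added example (not code from the thread) that covers both the automated HR-attribute-driven placement Icy_Mud2569 describes and the failure mode IMplodeMeGrr raised further up: moving an account rewrites its distinguishedName, so anything that stored the DN (an LDAP-integrated Linux app, a fixed bind DN, some SSO configs) loses the user. The script plans moves from the department attribute, reports the old DN next to the objectGUID (which does survive a move and is what integrations should key on), and only executes when a flag is flipped. The department-to-OU map, the DNs and the holding OU are assumptions.

```powershell
Import-Module ActiveDirectory

# Assumed mapping from the HR-fed department attribute to a target OU (example names/DNs).
$base  = 'DC=corp,DC=example'
$ouFor = @{
    'Finance'     = "OU=Finance,OU=People,$base"
    'Engineering' = "OU=Engineering,OU=People,$base"
    'HR'          = "OU=HR,OU=People,$base"
}
# Accounts with a blank or unmapped department land here, where the most restrictive
# policy should apply, rather than silently staying wherever they were created.
$holding = "OU=Unassigned,OU=People,$base"

# Audit-only by default: every move in $plan changes a DN.
$apply = $false

$people = Get-ADUser -SearchBase "OU=People,$base" -Filter * -Properties department

$plan = foreach ($u in $people) {
    $dept   = ([string]$u.department).Trim()
    $target = if ($ouFor.ContainsKey($dept)) { $ouFor[$dept] } else { $holding }
    # Parent container = DN with the leading RDN removed (escaped commas inside the CN
    # are not followed by an attribute name, so the lookahead skips them).
    $parent = ($u.DistinguishedName -split ',(?=OU=|CN=|DC=)', 2)[1]
    if ($parent -eq $target) { continue }
    [pscustomobject]@{
        Sam        = $u.SamAccountName
        ObjectGUID = $u.ObjectGUID      # stable across moves and renames
        Department = if ($dept) { $dept } else { '<blank>' }
        OldDN      = $u.DistinguishedName
        NewParent  = $target
    }
}

# Review before applying; OldDN is the value any DN-bound integration is about to lose.
$plan | Format-Table Sam, Department, OldDN, NewParent -AutoSize

if ($apply) {
    foreach ($p in $plan) {
        # Identify by GUID so the move still resolves if the RDN changed since planning.
        Move-ADObject -Identity $p.ObjectGUID -TargetPath $p.NewParent -Confirm:$false
    }
}
```

Run it with `$apply = $false` after each HR feed and diff the output; the moment the plan is non-empty for an account that appears in an application's LDAP configuration by DN, that application needs to be fixed to bind by group or objectGUID before the move is executed, not after.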
Reedy_Whisper_45@reddit
Okay - I have a simple question.
Why? What does it do for me that I can't do with security and distribution groups?
I'm serious here. I have yet to inherit a system that uses the default Users OU, but my current system is still flat - everyone but administrators in one OU.
Last place had complex hierarchy that I adhered to, but I reaped no benefit from it. I DID have to figure out where people were and move them though when they moved from one department or division to another. Group membership would have been easier to manage.
So why?
JohnL101669@reddit
Ha! Working at a client (a MAJOR university) and they have 187k users and 40k groups... ALL IN THE DEFAULT USERS CONTAINER.
It's disgusting. I truly want to vomit every time I even look at it. Right now we're doing a specific project with them but if we get more contracts you bet your ass I will add that to the docket of things to change!
Ok_Conclusion5966@reddit
flat is better
people move, people receive secondments, promotions, role changes, wfh, work from offices, roam, companies grow and shrink, departments change and disappear
f0gax@reddit
Laughs in domain name dot local.
purplemonkeymad@reddit
When the fix is to re-build everything with a new domain, we can just live with it. At least someone can't forget to renew the domain and now the AD domain is owned by someone else.
ohiocodernumerouno@reddit
small business
MidnightAdmin@reddit
I am working an AD that is an absolute mess; the company has not had a cohesive IT strategy for 30 years. We are slowly moving in the right direction. I am the first full-time IT tech they hired, and they recently got an IT manager under the CTO, which will let me focus on doing the crap I need.
pertexted@reddit
In the early days, even 2000 AD, there were MVPs recommending building into the built-in structure due to backward compatibility.
It's not a good reason to resist industry maturity. Just an opinion on how it happened.
Strassi007@reddit
If I ever did that in our organisation, it would instantly collapse. Too many things are depending on the correct OU placement.
WilfredGrundlesnatch@reddit
Because that's what the various user fields and security groups are for. If you need more metadata, AD comes with 15 extension attributes.
ForThePantz@reddit
I always thought somebody set it up as a test bed and two years later it was enterprise and nobody ever thought ahead. There’s momentum and eventually it’s too much work to clean up or replace.
DarkangelUK@reddit
I work at a huge global company with close to 100,000 users worldwide, and there's one single domain where everything is controlled by HQ. Granted each country has its own OU, but every location is in that single OU (we have 5 different locations around the UK). Our Service Now instance is a single global one meaning CMDB takes an age to load CI's as it loads everything, we can't customise catalog forms as they need to work globally, we can't customise our laptop/desktop builds as they need to work globally with the only variance being language. You can also guess that everything being managed centrally means things can take weeks to process that should take a day or two.
KanadaKid19@reddit
Can’t be bothered? Give me one good reason. There’s already a department field on user objects, and that’s where I put that information. Hierarchy for the sake of it is useless and arbitrary.
Valkeyere@reddit
OUs are primarily used for GPO, imo. Everything else is group based, via proper use of RBAC so users are ideally in only one group.
oni06@reddit
But you can absolutely filter GPO application using group membership and/or WMI for device/os type.
Valkeyere@reddit
Correct. However GPOs are easily linked based on location, allowing nice visual review.
xCharg@reddit
Is that question coming from a guy who never worked in 1000+ users environment? No way I will ever create a department-based OU structure because then I'll have to spend half a day syncing whatever new organizational structure HR came up today, with all the moves, renames, splits and unions of various departments, sub-departments and so on.
3500 users - I have one single workstations OU with every single workstation - because they are universal in every way. I have 1 OU with servers because again they are universal and GPOs, if needed to be targeted at something specific, either target site or security group or specific server accounts, and I have 3 OUs with users because they utilize different mail domains. If not that they'd be in one giant OU. Technically I also have a subOU for users with identical name, surname and middle name so they end up with an equal commonname and it has to be unique, hence the subOU.
And I also have OU with groups and OU with service accounts.
Why you all have to overcomplicate that stuff is beyond me. I do agree however that dunking all of that into built-in users OU is lame.
jeffrey_smith@reddit
This is the way.
Defconx19@reddit (OP)
Worked on or in all sizes. As long as there is some logical method to the environment IDGAF; it's the ones that have none whatsoever and just fly by the seat of their pants that drive me up a wall.
bukkithedd@reddit
Yep, known, and it throws a massive spanner in the works for me every goddamn time. Spent a long time changing the structure in our AD in order to make it both make sense and also be controllable. Still not done, of course, but that's mostly due to office politics.
pixelsibyl@reddit
We no longer have hybrid joined or domain joined devices (AADJ only), everything possible is Azure and Entra ID based which is flat. Things like department, location, etc are all handled by extension attributes updated by Workday which is then filtered into dynamic groups for actually organizing folks and adding azure/security/intune policies and licenses. If our users don’t even get GPOs and any policies they do get are assigned by dynamic groups that get maintained via Workday integration what would even be the point of a complex nested OU structure for users? Especially with how mobile our users are today, and just being in one office when they’re hired doesn’t mean they’ll stay there, and Workday does the job for us on keeping those accounts and their group memberships up to date.
It makes more sense for domain joined servers which have different use cases than it does for users or workstations in a primarily Azure/Entra ID managed environment to have any kind of OU structure. At least GPO and ConfigMan still look at OU membership (though they can also be managed/assigned by dynamic groups, too).
HealthySurgeon@reddit
It’s actually a lot easier to maintain a flatter OU structure when you have 1000s of users. You’ll never be able to fit the business needs in that large of an architecture by just using OU’s.
To be frank, it sounds like you’re wanting to do exactly what Microsoft warns against when creating an OU structure.
Here’s some relevant Microsoft documentation on it, and if you want to learn more about designing an OU structure, I’d probably read up in there a bit more than just the one article.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/reviewing-ou-design-concepts
Defconx19@reddit (OP)
I don't care what structure you use as long as there is some semblance of a plan, this is just one example.
HotPieFactory@reddit
I'm sorry, but I read "what is your life where you can't be bothered to create a base departmental OU structure?", so obviously you care and even suggest one of the worst structures out there.
dagbrown@reddit
Perhaps you should look into the wonderful world of group memberships then, instead of trying to create as much work for yourself as possible sorting everyone out into their right places on the company-wide totem pole.
rickAUS@reddit
The only immediate benefit I ever got out of OU's was easy to deploy site-specific GPOs to users/devices without needing to worry about item level targeting or other filtering based on group membership.
But most organisations I have ever been involved with didn't have site specific deployments other than printers, and with printer logic, that was generally irrelevant for the OU structure. And then we just used item level targeting for printers anyways and some people in other locations had a need to send jobs elsewhere via the MPSL/VPN so using OU to deploy was restrictive there also.
HealthySurgeon@reddit
Idk, I tend to find less road blocks when I read and follow the documentation, especially when it’s put out by the company who developed it
Defconx19@reddit (OP)
It doesn't say anything about not matching organizational structure. It says it doesn't have to and should reflect how you want to enforce policy as your groups and Users.
Coincidentally enough, permissions and access tend to be similar among people in the same departments and roles lol, who would have thought?
HotPieFactory@reddit
Quite relaxed, thank you. There's other and arguably better ways to structure AD. I have 3000 users to manage and we have three OUs: employees, freelancers, clients in which user accounts get put. If I were to implement departments, moving users and creating new OUs would never stop. And I wonder how many people you manage, because if you would manage 1000 users, you would know how much useless work that is.
RadShankar@reddit
Ugh, yes. This is one of those things that feels like a minor inconvenience until it silently morphs into full-blown tech debt. Honestly, once you cross even 25 users, lack of OU structure (or any kind of org modeling) starts to hurt—automation becomes janky, policy enforcement stays manual forever, and forget about doing any kind of meaningful monitoring.
Worse, when the org suddenly decides it’s time to “get serious about security” or kick off a compliance initiative, IT basically has to drop everything and re-architect user management from scratch.
This is one of the first things we push our customers to get right. We’ve found a good moment to do it is when there’s already a major system rollout / change happening - say in your IdP, HRIS, MDM, ERP - there’s a lot of system rearch thinking and work anyway.
Just recently worked with a 1,000-person org that had zero distinction between W2s, 1099s, and true contractors. Their Okta setup used “Department,” and the absence of one was how they flagged contractors. HR unilaterally renamed “Engineering” to “R&D” and suddenly a bunch of folks lost access to critical tools. We helped them switch to using the Cost Center field to explicitly track employment type—now it’s way more resilient.
Still, unilateral HR decisions remain an eternal scourge. We can only automate around so much chaos.
rekcomeht@reddit
i inherited it.
i'm fixing it
7FootElvis@reddit
Same admins that set up a file server with everything including data files on one volume, the C drive. Oh, and the server's name is SERVER.
KRed75@reddit
Linux would blow your mind then. All our users and groups are stored in text files.
withdraw-landmass@reddit
The organizational structure was pretty much useless to program against everywhere I ever worked because it was full of caveats, so I just use MS Graph's transitiveMembers for most in-app permissions.
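An added example (not code from the thread or any commenter) of the attribute-driven pattern pixelsibyl and others describe, together with the transitive-membership check withdraw-landmass uses: it creates an Entra ID dynamic security group from the `department` attribute, then tests whether a user is an effective member of a group, letting Graph flatten nested groups instead of walking them in the app. It assumes the Microsoft Graph PowerShell SDK and an account holding the listed scopes; group names and the UPN are placeholders.

```powershell
# Added example: Entra ID dynamic group keyed on the HR-maintained 'department' attribute,
# plus an effective-membership check through transitiveMemberOf.
# Assumes the Microsoft.Graph SDK; dynamic membership needs an Entra ID P1 licence.
#Requires -Modules Microsoft.Graph.Groups, Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'GroupMember.Read.All', 'User.Read.All'

# One dynamic group per department value; accountEnabled keeps disabled leavers out,
# so a disabled-but-not-yet-deleted account drops out of every department group at once
function New-DepartmentDynamicGroup {
    param([Parameter(Mandatory)][string]$Department)

    $rule = "(user.department -eq `"$Department`") and (user.accountEnabled -eq true)"
    $nick = 'dyn-dept-' + ($Department -replace '[^A-Za-z0-9]', '')   # mailNickname must be simple

    New-MgGroup -DisplayName "dyn-dept-$Department" `
                -MailEnabled:$false -SecurityEnabled:$true -MailNickname $nick `
                -GroupTypes @('DynamicMembership') `
                -MembershipRule $rule `
                -MembershipRuleProcessingState 'On'
}

# Effective membership: transitiveMemberOf already includes groups reached through nesting,
# so an application checking access cannot miss an indirect member by only reading memberOf
function Test-EffectiveMember {
    param([Parameter(Mandatory)][string]$UserPrincipalName,
          [Parameter(Mandatory)][string]$GroupId)

    $user   = Get-MgUser -UserId $UserPrincipalName -Property Id
    $groups = Get-MgUserTransitiveMemberOf -UserId $user.Id -All
    return [bool]($groups | Where-Object Id -eq $GroupId)
}

$finance = New-DepartmentDynamicGroup -Department 'Finance'

# Rule evaluation is asynchronous: membership fills in once Entra has processed the rule,
# so a check immediately after creation can legitimately return $false
Test-EffectiveMember -UserPrincipalName 'alice@contoso.com' -GroupId $finance.Id
```

The rule is the whole point: when HR renames a department the rule stops matching and the group empties, which is the same failure RadShankar describes later in the thread with Okta, so whichever attribute the rules key on needs to be one HR treats as stable.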
dustojnikhummer@reddit
We are well in the "under 100" category. The only categories we have are AD groups.
peaceoutrich@reddit
Honestly, ten years back I was responsible for syncing HR to AD using janky perl. We were a Linux shop with 2000+ employees at the time. No reason to dick around with OUs, used groups for things.
Not really sure what OU would have helped apart from simplifying click administration, but we didn't work like that. Every AD task was automated.
sync-centre@reddit
My domain is also Contoso. Fight me!
oni06@reddit
Makes all the MS documentation and example commands copy and paste 🤣
ThinInvestigator4953@reddit
That's a chad move to take Contoso. Truly taking training to the big leagues.
mastert429@reddit
all my homies put users in OU=Users,DC=Contoso,DC=Com
oni06@reddit
CN=Users
ThatDistantStar@reddit
OU structures were mainly beneficial for branch office over slow links a decade ago so users would get the file server redirection for their local office. There's no need for that anymore with fast private links/SD-WAN. Your information is out of date OP
oni06@reddit
That’s AD Sites and Services
oni06@reddit
NTDS = Flat
AD = nested OU structure
AAD / EntraID = Flat
Most other cloud directory services = flat
die-microcrap-die@reddit
Story time.
Previous company that I worked had a nicely organized AD infrastructure.
We merged and the other side had an AD “flat” design as you described.
Well, guess which way they went?
rust1112@reddit
For real! If it's not in GPMC make the damn OU.
LastGearPinned@reddit
Just for the record, the default Users “thing” is not an OU, it’s a container. Thank you.
Any_Particular_Day@reddit
When I was a mere HD tech, we had two admins. One was OCD in how he set up AD; OUs for people and computers, subdivided into offices. The other admin just left users and computers in the default OUs. Then I’d get to listen to OCD admin and default admin bitching at each other about the best way to work. When I got promoted to admin, all that shit got sorted into OUs. People, service accounts, groups, servers, workstations, all got their own OUs, broken down by location. OCD organization, on steroids. Next to nothing company specific in the default locations. I mean, AD has some things that need to stay, but all our people, groups and computers aren’t in the default locations.
ycatsce@reddit
I vastly prefer the granular approach for policy targeting and organization overall. I love it, in fact, and it's the way I set up AD when I have my say and know it can be maintained. I use redircmp and make a "Default Computers" OU with a "you can't do shit" policy on it as well.
That said, I have a customer with about 10,000 users all nicely organized by department, location, etc. etc., Except, they didn't maintain it/keep it up to date.
Now you've got the lovely issue of knowing that Jim Smith works in Location A, Department XZY, but not being able to find them because you don't know that they were at Location B, Department QWE 5 years ago when it was last updated. Then you realize that you need advanced view to see the object properties to figure out where the object lives inside AD, but that ADUC search results don't show advanced view, so any time you want to search, you have to hit up powershell.
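An added example (not code from the thread or any commenter) for the two pain points in this sub-thread: finding where a user object actually lives when ADUC search won't tell you, and dealing with the default CN=Users / CN=Computers locations, which are containers rather than OUs (as LastGearPinned and others point out below) and so cannot have a GPO linked. It assumes the ActiveDirectory module; the staging OU names in the redirect commands are placeholders.

```powershell
# Added example: locate user objects by OU path, list what is still sitting in the default
# containers, and redirect the defaults to staging OUs that do carry policy.
# Assumes the ActiveDirectory module; staging OU DNs are placeholders.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# ADUC search results hide the object's location; CanonicalName carries the OU path directly.
# whenChanged gives a hint of how stale the placement is (the "last updated 5 years ago" case).
function Find-ADUserLocation {
    param([Parameter(Mandatory)][string]$NamePattern)     # e.g. 'Smith*' (wildcards allowed)

    $safe = $NamePattern -replace "'", "''"               # keep quotes from breaking the filter
    Get-ADUser -Filter "Name -like '$safe'" `
               -Properties CanonicalName, Department, Office, whenChanged |
        Select-Object Name, SamAccountName, Department, Office, whenChanged,
            @{ n = 'ParentOU'; e = { $_.CanonicalName.Substring(0, $_.CanonicalName.LastIndexOf('/')) } }
}

# Objects left in the default containers. Built-in principals (Administrator, krbtgt,
# Domain Admins, ...) legitimately live in CN=Users and carry isCriticalSystemObject,
# so they are excluded rather than flagged as admin leftovers.
function Get-DefaultContainerLeftovers {
    $domain = Get-ADDomain
    foreach ($container in @($domain.UsersContainer, $domain.ComputersContainer)) {
        Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter * `
                     -Properties isCriticalSystemObject, whenCreated |
            Where-Object { -not $_.isCriticalSystemObject } |
            Select-Object Name, ObjectClass, whenCreated, DistinguishedName
    }
}

Find-ADUserLocation -NamePattern 'Jim Smith*' | Format-Table -AutoSize
Get-DefaultContainerLeftovers | Sort-Object ObjectClass, Name | Format-Table -AutoSize

# Point the default locations at staging OUs that have a restrictive GPO linked (ycatsce's
# "Default Computers" idea), so a new account or PC nobody moved gets locked-down policy
# instead of no policy. Both tools ship with AD DS, need Domain Admins rights, and the
# domain functional level must be Windows Server 2003 or later. Uncomment to apply:
# redirusr "OU=Staging Users,DC=contoso,DC=com"
# redircmp "OU=Staging Computers,DC=contoso,DC=com"
```

Running `Get-DefaultContainerLeftovers` on a schedule and alerting on new rows is a cheap detection for the "forgot to move the new PC" case TalTallon mentions later in the thread: anything appearing there is an object that is currently getting no GPO at all.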
ddaw735@reddit
azure ad is flat. So I stopped giving a fuck,
K2SOJR@reddit
Great question to ask a company when you are interviewing. "How is your Active Directory organized?" I never thought about it before, but it could tell you all you need to know about the disorganization you are getting into.
scytob@reddit
Anyone who doesn’t need to differentiate users by ou based group policies. TBH even in MS there were not a ton of OUs
fupos@reddit
In all fairness I have 3 user accounts to manage, me, myself, and I. So an extensive structure is more trouble than it's worth.
snowsnoot69@reddit
Who cares! Put the groups in there too!
MarshallTreeHorn@reddit
Well, what if you don't have any sub-groups of users that need different GPOs?
OUs are only useful for assigning GPOs, and if your users all get the same policies, then they can all be in the same OU.
the_marque@reddit
In our org we only use OUs to organise user accounts on a technical level. The vast majority of users are standard users, so, one OU it is.
Organising them on a business level is done using attributes and group membership. That shit changes constantly and it's nothing to do with IT so this seems like the right way to do it. If you have a few hundred users OUs are an easy way to keep it tightly controlled, but thousands, no way.
JohnGillnitz@reddit
Some organizational structures, especially the smaller ones, are more like a spider web than folder system. "What department does Bob work in?"
"He's in Sales on Monday and Wednesday, works in Marketing on Tuesdays, Thursday, and Fridays, but sometimes covers for Sheri at Reception."
narcissisadmin@reddit
What if they don't need distinct policies?
wanderinggoat@reddit
I thought it was SOP to put OUs in all kinds of weird and wonderful places so that nobody could make sense of it
mustang__1@reddit
the previous admin
Stew514@reddit
I inherited a domain like this and didn't know any better, so I didn't take the time I needed at the beginning to get it under control and then it snowballed
Meecht@reddit
We have a single OU for users, but department- and role-based groups. There's too much overlap and "employee borrowing" for an OU-based structure to work.
Ron-Swanson-Mustache@reddit
The last guy.
RandomSkratch@reddit
The bigger problem is that the default OU isn’t an OU. You can’t apply GPO’s to it.
airinato@reddit
You're still using local AD? Everyone get a look at this loser!
rosseloh@reddit
It's on the list.
So are a million other things.
I'm sure you understand.
USMCLee@reddit
It could be worse.
Multi-company domain.
We have the users separated by country then by company.
So you have people in the same company in two separate OUs.
BrianKronberg@reddit
Best Practice is to manage real people programmatically. Putting users in more than one OU makes this harder. Sort with attributes not locations.
sumZy@reddit
Isn't that what AAD is?
fio247@reddit
My only real problem with a non-existent OU structure is that the default locations are containers, not OUs. At least have something.
yParticle@reddit
I fought for deep hierarchies for a LONG time and kept getting told to keep things flat. It's taken me 20 years to fully appreciate the elegant simplicity of the flat file and how smart use of groups and tags can be even more efficient than inheritance. I can't deny how much more streamlined it is to make changes now.
HugeAlbatrossForm@reddit
Yep, filter by title and boss.
HugeAlbatrossForm@reddit
That's the way they've always done it, the rest of the users are all in there so they know it won't fuck shit up. They're the sole sysadmin for 500 people and don't have time to fuck with things.
NETSPLlT@reddit
It's by design. Thousands of staff, all in one OU. There is no problem. Now with Azure and dynamic groups, it's just getting easier and easier to filter by meta, like Title, Dept, EmpID, etc.
I've been in places with highly organised OU structure, and it just wasn't useful. In NDS we made use of directory organisation, but once MS joined the party with AD it just was a sub par offering compared to NetWare's product. We did 'set it up' but over the years didn't find it especially useful, technically. As a human it's nice to browse and have it make sense, but to the computers it didn't matter so much.
rollingviolation@reddit
My workplace, every 3-5 years, gets a new person who is going to "fix" our AD structure and this time it will be based on location/department/last name/random schema thing, they get about halfway through rearranging everything, then they leave the org, so now I have half an org with OU by building, and half with OU by department and a small sprinkling of OU by security, whatever the fuck that was supposed to mean.
I got tired of screaming into the void, so now I just fire up the microwave and make popcorn while waiting to be invited to the next meeting on how we're going to fix our AD structure, this time totally for realsies, and we're going to tie it into OU by cloud.
e-motio@reddit
You need to stop giving those people ad access until they understand what you want it to be lol
Mandelvolt@reddit
Burn it all down and start over with a plan 😆
TalTallon@reddit
Side note, after 20 years, I still regularly forget to move a new PC from the default OU and then wonder why GP hasn't applied
HerfDog58@reddit
I inherited an AD structure that left all the users (4000+) in the default user CONTAINER, never did OUs or organization via job duties, locations, etc.
The hoops we have to jump thru now for pushing information between our HR system, our IDM system, M365, AD, and keep all the disparate authentication processes running is NUTS. But we can't change it now, because any of our in-house production apps using AD for authentication will die kicking and screaming.
Upper-Affect5971@reddit
it’s the same person that edited the default domain policy with desktop folder redirection
h00ty@reddit
This isn’t the 1990s. There’s no point in using different OUs for everything. We base everything off Active Directory properties now.
I move terminated employees to a separate OU, but that’s just for housekeeping. It doesn’t matter where a user sits in the OU structure; their permissions and attributes won’t change because of it.
Once you move into the world of Entra, you won’t have that kind of structure to lean on.
Fallingdamage@reddit
One giant unit. Control permissions with delegation!!!!
Free-Tea-3422@reddit
The 'IT' person they had before me created an OU for users, then put the all users group in the built-in container 🤦♂️🤦♂️🤦♂️🤦♂️🤦♂️
dnuohxof-2@reddit
Azure “AD”
SmallBusinessITGuru@reddit
When they get synced to Entra ID and a flat hierarchy, what does it matter? It's 2025, not 2005.
Most OU structures I've encountered end up being several levels of empty with one OU full of users, another full of computers.
Companies don't rely as much on GPO now, so OU doesn't do much here either.
Majestic_Fail1725@reddit
Denied claims & coffee, right. JK, those that came before set it up like that, thus I just embrace traditions?
Int-Merc805@reddit
What do you do with the organization? Why are you spending very expensive hours (your pay) moving people into OUs that provide zero benefit to your company? I target all automation from AD attributes and so one directory is optimal.
This might be because we have an ERP system which is authoritative and the organizations are split there instead of in AD. I have just never cared.
I also have macs in the computers OU :)
Defconx19@reddit (OP)
It depends on the company and environment. Realistically breaking an AD into OU's for a base structure takes like 45min tops. Plenty of other ways to skin a cat too, just one example it was the flavor of the day on boarding a customer who had no rhyme, reason or forethought to anything that was done in the environment.
Int-Merc805@reddit
Fair, it is the constant moving of devices and users into and out of OUs where I see some admins waste a ton of time. It also becomes completely useless the second it is not maintained, so everything I build these days is just one OU. Except service accounts of course.
The worse I ever saw was a place that had OUs for specific models and they had all sorts of custom scripts running for things like dell command. It was nightmare fuel for sure.
Defconx19@reddit (OP)
Yeah I don't go deep with it, and typically employ it to a level where it matches broad policies.
I'm also in the MSP world so not the same views as internal. Groups are the primary delegation and targeting, but when you have low level techs in and out of environments at varying levels of maturity, something as simple as a 365 Users OU and a non-365 Users OU for example goes a long way to quickly identify synced accounts. Sure you could find the groups too but the OU's are right in front of your face and typically easier and faster to flush out when needed.
Deepest I go is typically something like: Company name Users, below that Executive Leadership, HR, Finance, Legal, Operations and maybe a few more, but I don't break them up any further. At minimum, with a quick look at AD I want anyone with half a brain to see users with access to sensitive or privileged information without relying on a separate system or knowledge base whenever possible.
But I have other environments where we don't do that. So its definitely case by case.
entropic@reddit
The first place I worked a million years ago was like this. Small non-profit org, not a tech company but used tech in their products.
I was very very very entry level, my first IT job, and my colleagues said something along the lines of "don't do anything new/different in the Active Directory, we barely understand how it works ourselves and we worry about breaking everything again."
Easy enough in that sort of environment and my level to not rock the boat. Everything got created in the default containers.
Years later, someone who works there's brother is a Microsoft MVP and we con him into helping us with some stuff with I think baked goods and some lunch. We blow his mind with our incompetence and fear, and he blows our minds with basic administrative concepts like OUs and GPOs. Everyone still living in fear after he left though. He told me some books to read to educate myself on these and other topics, which I got to do at my next job.
The funny irony is that setting up OUs/groups, blocking inheritance, linking/re-linking policies as needed, have more rather than fewer policies, etc, all makes it much easier to test a change before you break your whole environment.
CatsAreMajorAssholes@reddit
I AM CHAOS AND MAYHEM AND I DO WHAT I WANT
RoxoRoxo@reddit
we have 9 people dont judge me
soggybiscuit93@reddit
We're going through a big merger now and moving both companies (5 figure user count total) into a brand new AD.
We're looking at a mostly flat OU structure. Service accounts, admin accounts, SG's, etc. will all be in different (top level) OUs - but there's really no point in breaking apart end users into different OUs.
Security Groups are a much better way of managing policies. Those OU structures aren't following you into Entra. You're gonna be searching or querying by attribute in any large forest anyways. And you don't run the risk of breaking LDAP on some legacy app if a user changes office/department whatever your structure is based on.
AlfaHotelWhiskey@reddit
I’m curious to hear from orgs that have AD accounts automated from HRIS system hooks. HRIS systems can be source of truth for users and org structure and carrying that data over to AD is either time consuming to do manually or expensive for the API
grumpyolddude@reddit
The design and strategy for how a directory is organized depends a great deal on the needs of the organization it supports. A "flat" users OU makes a lot of sense in many cases. I've worked extensively with a large organization (university) that has 40,000+ user accounts (mostly students) in a single OU for very good reasons. They do have computers/managed devices organized in a hierarchical OU structure that closely mimics the organizational structure. Loopback policies and managing user group memberships with GPO filtering meets their needs. There are quite a few integrated services, applications and other directories that access AD through LDAP or other methods where a complex hierarchy and naming would be difficult if not impossible to automate. Flat is the right answer in many situations. There are other situations where grouping users by OU is the right solution. AD is configurable for good reasons. Also, the default "Users" is a container not an OU.
AppIdentityGuy@reddit
I've always operated on the principle that the two things your OU structure should NOT map to are your company organogram and your physical locations, except possibly at country level. Of course if delegation of permissions follows that, OK. As an example go and look at some stuff on AD hardening; I don't think that is more than 4 levels deep, especially in the Tier 0 space...
grumpyolddude@reddit
I think for every "best practice" or "rule of thumb" there are higher level considerations regarding the business and technical requirements and environment. Something like "no more than 4 levels deep" might be something appropriate for keeping a particular directory consistent and manageable but it doesn't mean that another organization might need 5 levels, 3 levels, or might need the flexibility of using whatever number of OUs are needed. Rules like naming conventions need to take into account technical limitations like LDAP length limitations, and interoperability with other systems. For hardening in particular I think simplicity and consistency are key so that it's easy to audit for discrepancies. In some cases that might mean a shallow OU structure, but not always.
AppIdentityGuy@reddit
Oh absolutely, but I've seen domains with 16 090 OUs in them where most of them were empty. The longest DN I found was like 240 characters and it was empty...
grumpyolddude@reddit
Ah, the human element. I remember seeing one OCD admin copy the org chart verbatim and pre-create sub-OUs in each department for USERS, COMPUTERS, PRINTERS, etc. "Groundskeeping" was one of the OUs and when I asked, that department had no IT assets and the employees didn't have accounts. I doubt those OUs will ever have anything in them, but it didn't hurt anything and helped them sleep better at night having a place ready just in case.
Mandelvolt@reddit
Every time I do something that isn't by the book, it's because someone a long time ago set it up this way and now it's enshrined in our documentation and compliance policies. So many systems I just cringe at, do the minimum to keep it running and move on to the next thing because it's not worth the paperwork to fix. Lucky I got to be the AD architect at my last place and played the part of my own best friend while setting it up. Categorized so damn good, so easy to apply GPO any particular class of user without looking anything up, plus the smartcard login has been a bulletproof godsend for making it stupid simple for users to log in, I never deal with password resets, only the occasional lost auth hardware. I think I handle like maybe 10 AD related tickets a year now for a relatively large organization, everything just works. Onboarding/offloading only takes like 10 minutes per user. Granted I had several months of uninterrupted project time to set it all up the way I wanted to. When it works, it's beautiful and you'll never have to touch it again. When it doesn't, you'll want to set fire to everything and take a vacation in grippy sock land.
benderunit9000@reddit
If I had on-prem AD for my business, I'd probably lose all desire to live.
ElectroSpore@reddit
Admins who never made use of the AD attribute from the 2000s on, guess what it is time to stop using OU folders and start automating that shit with user attributes and dynamic groups in Entra.
progenyofeniac@reddit
You could be like my company where they decided to create an OU for each department and a Users OU inside each of those. Then they rename departments over the years, people transfer to other departments, and it turns into even more of a cluster. I’d take the default OU over that.
stupidic@reddit
Default-First-Site-Name would like to have a word with you.
Chellhound@reddit
screams in tech debt
WitnessRadiant650@reddit
I am so glad we're moving away from AD and into Cloud.
cryonova@reddit
I cant even get my other admins to put fucking passwords in the vault when they deploy something let alone be organized in any other way
maximumtesticle@reddit
Oh look, another smug, "OMG WHY DOESN'T EVERYONE'S ENVIRONMENT MATCH MINE??? EVERYONE IS STUPID EXCEPT FOR ME!" post.
Cool.
Defconx19@reddit (OP)
Don't get it confused, while I use this as an example I've found every domain so far that dumps users in the default OU typically has no other methods to their madness on permission delegation.
Typically followed with inheritance on file shares broken 50 ways til Sunday with direct permissions to folders everywhere.
Different strokes for different folks, but some people just be chaotic for no reason.
stesha83@reddit
Entra doesn’t have an OU hierarchy so who cares? Just create dynamic groups based on fields like office, department etc. You’re only going to have to wave goodbye to all your nicely organised OUs eventually.
CRTsdidnothingwrong@reddit
SBSUsers
PopularDemand213@reddit
My manager had no idea why all of our users were in SBSUsers. I asked what does that even mean? He said "Dunno. It was set up that way long before I got here."
Took me 30 seconds in Google to figure it out.
themanbow@reddit
Ah...the old Small Business Server schema.
PoliticalDestruction@reddit
Hey man! The certification course I took had me create users in the /users OU and now you’re telling me they should go somewhere else?
/s (probably)
Cpt_plainguy@reddit
The last company I worked at was setup that way when I started. One of the first things I did was organize the organizational AD lol
badlybane@reddit
I have seen it done well with minimal OUs and relying on filtering and delegation. Like legitimately I wanted to hate it but after trying to come up with better less complicated designs I just realized it was simpler and less complicated to do it their way.
Very few times have I ever looked at something and gone, "I guess I don't know what I am doing."
badlybane@reddit
This is every small office I have ever walked into where they had a "guy" set it up.
Jazzlike-Vacation230@reddit
I'm guessing most of the time it may be some configuration somewhere would freak out if things were redone, but I get it though, I prefer things organized
Suaveman01@reddit
Sounds like the type of thing an admin that has no idea what they are doing would do
Razgriz6@reddit
Chillll. haha. I was just a snot-nosed kid fresh out of college. Working at a start up in 2015. I'm much better now. I promise.
Columbo1@reddit
Given that GPO can’t target a user group, only an OU, it makes absolutely zero sense to not use a custom folder structure.
Sure, you can apply GPOs to the default OU and scope by user groups, but that’s nowhere near granular enough for even the smallest of orgs
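An added example (not code from the thread or any commenter) of the group-based GPO filtering oni06 describes earlier in the thread, as an alternative to carving OUs per audience: it removes Apply from Authenticated Users while keeping Read, grants Apply to one security group, and returns the resulting ACL for review. It assumes the GroupPolicy and ActiveDirectory modules; the GPO, group and OU names are placeholders.

```powershell
# Added example: scope a GPO by security group (security filtering) rather than by OU.
# Assumes the GroupPolicy module; the GPO, group and OU names below are placeholders.
#Requires -Modules GroupPolicy, ActiveDirectory
Import-Module GroupPolicy

function Set-GpoGroupFilter {
    param([Parameter(Mandatory)][string]$GpoName,
          [Parameter(Mandatory)][string]$GroupName)

    # Drop Apply from Authenticated Users but KEEP Read. Since MS16-072 (June 2016) the
    # computer account fetches user policy, so a GPO that Authenticated Users cannot read
    # is silently never applied to anyone. -Replace is needed to lower an existing level.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null

    # Grant Apply (which implies Read) to the intended audience only
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null

    # Return the effective ACL so the change can be reviewed or diffed in a change record
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited
}

Set-GpoGroupFilter -GpoName 'Finance - Drive Maps' -GroupName 'GG-Finance-Users'

# The GPO still needs a link that covers every member; with a flat user OU that is the OU
# itself, and the filter, not the OU, decides who actually gets it. Uncomment to link:
# New-GPLink -Name 'Finance - Drive Maps' -Target 'OU=Users,OU=Contoso,DC=contoso,DC=com'
```

The returned ACL is worth keeping with the change ticket: a GPO whose Apply permission has quietly been widened back to Authenticated Users is the usual way a "Finance only" policy ends up on every workstation.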
QuiteFatty@reddit
You assume my shitshow company has a plan.
hihcadore@reddit
Hope they updated the description block at least hahahaha
signalcc@reddit
lol I have mine so broken out it’s almost annoying. I have it by department then by office then by user/computer/laptop. Those 3 OUs below the office. It’s not insane but it’s also only about 650 people so it works pretty well for us.
Stephen_Dann@reddit
Even 5 users, proper OU structure. I have seen so many 500 plus size companies still trying to run as if they are 10 people. That includes the AD and AD policies
1ndomitablespirit@reddit
It is usually inherited from the previous (or longer) admin. Yeah, it drives you mad and you want to fix it, but every time you do there's some weird legacy policy that is apparently profoundly important and breaks everything.
You end up getting tired of hunting down all the gremlins and so you make do with what you have because it works and you have a mountain of other things to fix.
ms6615@reddit
My company can’t even decide who is in what department lmao. I can only organize a pile of shit to a certain degree and no matter how well I do it it’s still always going to be shit. So who cares? They’d need to pay me triple what they do now for me to be motivated to start a fight with the CEO about how his departments should be properly structured.
Also for those of us who have largely dispensed with local AD and use Entra, OUs don’t even exist there so it doesn’t matter. Users are users and devices are devices. They don’t “go” anywhere.
c1ncinasty@reddit
Some orgs use external management tools against AD.
cjcox4@reddit
Historically, we built the OU structure under Users. Why? Integration wise, things will want to enumerate all users from a base without necessarily having to go "full tree". And, at least in our case, early on, when the company was tiny, all was, as you said, under Users.
I guess the worst case is having trees only joined at the very top, but arguably, that's just Users, but worse (more objects to sift through). For full enumeration, you're giving a lot of rights away to all those different trees.... or you open up the top (which you probably don't want). Many ways to skin a cat. Some are more painful than others.
So... yes, we have structure and nobody sits simply at OU=Users, they are under OUs inside of that, but for enumeration, old school searches off OU=Users continue to work to find "all users". Again, this is mainly for things that support LDAPS and often times will use LDAPS bind for auth. Things outside of Microsoft (only) land.
Not saying you have to use the default OU=Users name, but maybe having something with a different name is still good for enumeration rather than opening up higher scoped privs or defining a gazillion tiny scopes (most software won't support that btw with regards to enumeration support, again, talking about big name products that aren't owned by Microsoft).
joebleed@reddit
I blame these people for the way programs' save methods and storage programs are. It's like they were designed for junk to be dumped in one place and something else to handle sorting/searching it.
virtualadept@reddit
When the guy signing the paychecks says "Stop fucking around and just create the fucking accounts," that's what you get in AD.
ML00k3r@reddit
Hah, I'm kind of on the flip side. Healthcare IT, and we have a metric ton of OUs, the vast majority of which have sub-OUs nested near the recommended depth of ten for reasons that escape me. No, the office manager does not need their own OU.
dlongwing@reddit
We keep ours organized by department, but I can actually see a strong argument for putting all users in a single OU and just applying GPOs by security group instead of OU-based delegation.
Thinking about my usual workflow for user-management in AD, I'm often bouncing back and forth across a dozen OUs while dealing with issues or changes. When it comes to users it'd actually be a value-add for me to have them all in one big list instead.
It'd create a fresh set of headaches though. You'd need to have your security groups perfect and you'd need to keep them that way, as they'd be your primary form of access management.
All that said, keeping them in the DEFAULT OU? Nope, nope nope nope.
Grandpaw99@reddit
Hahaha, Just read the title. Cheers mate.
Toasty_Grande@reddit
Ah, if you are in a cloud environment like Azure (Entra), you don't bother with organizational hierarchy. Sure, it was a benefit to a human doing manual human things, but with automation and role based assignments, the visual org structure within AD is somewhat dated. Based on user attributes and roles you can simulate it visually for human eyes, but it's not really necessary today.
titlrequired@reddit
Same people who use the default domain controllers policy and default domain policy.
WWGHIAFTC@reddit
Lazy asses that don't even try? Yes. I've cleaned up after them at literally every job I've had.
Usually places that say things like "AD doesn't replicate anymore, not sure what's going on - been like this for years" Or that didn't get the memo that they should have switched to DFS replication.
Spore-Gasm@reddit
At least the domain isn’t office.local
crashorbit@reddit
Arbitrary hierarchies are of the devil. Use groups to manage groups. Exploit hierarchy when you must. Keep the entry hierarchy shallow.
rustytrailer@reddit
My first job in the field for some bag biter break/fix shop was like this.
It was a crash course in IT, figuring shit out for 2 years before I bounced. When I left I learned about GPOs and realized my last team actually had no idea of group policies. One of them was a sysadmin for 15 years? Not a single group policy for any client.
ibringstharuckus@reddit
With just one group policy that gives every printer and desktop shortcut
orion3311@reddit
Mine was literally that way until I wanted to set up ldap address books on our copiers, and I didn't want "extra" accounts showing up. Suddenly, a lightbulb flickered on and I realized I could have an "active users" OU that just included the warm bodies, and my 10 minute ldap project was a multi-day re-org of AD.
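Both cjcox4's point above (one search base, subtree scope, so nested OUs still enumerate and the bind account only needs read on that subtree) and this comment's "only the warm bodies" address-book requirement can be met with a single LDAPS query, without reorganizing AD. This is an added example written for the thread, not either commenter's code; the DC hostname, base DN and service account are assumptions.

```powershell
# Added example: enumerate active, mail-enabled users from one base OU over LDAPS
# with a subtree search. Hostname, base DN and bind account are assumptions.
Add-Type -AssemblyName System.DirectoryServices

$server   = "dc01.corp.example"                 # assumed DC listening for LDAPS on 636
$baseDN   = "OU=Users,DC=corp,DC=example"       # assumed single enumeration base
$bindUser = "CORP\svc-ldap-ro"                  # assumed read-only service account (least privilege)
$bindPass = Read-Host -AsSecureString "Password for $bindUser"
$plain    = [System.Net.NetworkCredential]::new("", $bindPass).Password

# Simple bind over TLS; the account needs only Read on $baseDN, not on the whole domain.
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$server`:636/$baseDN", $bindUser, $plain,
    [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree   # reaches nested department OUs
$searcher.PageSize    = 1000   # paged results; otherwise the DC's MaxPageSize silently truncates

# Bit-AND matching rule on userAccountControl (bit 2 = ACCOUNTDISABLE) excludes disabled
# accounts; (mail=*) drops accounts with no mailbox. No objects need to move between OUs.
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(mail=*)" +
                   "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@("sAMAccountName", "displayName", "mail", "distinguishedName"))

$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        [pscustomobject]@{
            Account = $r.Properties["samaccountname"][0]
            Name    = $r.Properties["displayname"][0]
            Mail    = $r.Properties["mail"][0]
            # Strip the leading RDN so the column shows which OU the object lives in.
            OU      = ($r.Properties["distinguishedname"][0] -replace '^CN=[^,]+,', '')
        }
    }
}
finally {
    $results.Dispose()
    $entry.Dispose()
}
```

The same base DN and filter work in any product that takes an LDAP search base and filter string, which is the portability point cjcox4 is making; the bind account's read permission is scoped to one subtree rather than to every department tree or to the domain root.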
codenaamzwart@reddit
In-house built account management software that cannot handle more than one OU. We've been trying to get it replaced and the AD up to standards, but it always gets pushed back for some reason or another. yeay.
seamonkey420@reddit
😂 i needed a good chuckle today!
apathyzeal@reddit
That awful Sarah, Plain and Tall. Now, she manages the domain.
CollegeFootballGood@reddit
I agree lol this needs to be outlawed at the next council meeting
doneski@reddit
That's a thing?