Windows Server 2003 – OUs and Delegation

How To Delegate OUs (Organization Units)


In my view, modern domains have lots of OUs. Whereas, old fashioned thinking meant that all the accounts were created in the one USERS folder.

There is a new breed of people called Network Architects, their role is to help with designing OUs and assist with delegating permissions.  Delegation is versatile; for instance, at the DOMAIN level you could grant the HelpDesk Global group the permission to reset any password in the entire domain.

Another use of delegation would be to give managers complete control of users their own department.  With this arrangement managers can create new users, groups and computer objects, but only in their own OU.  Now put on your Network Architect hat and plan those organizational units.

OU Delegation Topics


One problem with NT 4.0 domains was that often there were too many of them.  This came about partly because of the SAM limit of 40 MB, but more likely because each manager wanted total control of their own department.  You can solve this problem in Windows Server 2003 by creating OUs and then allowing department control over their own users and OUs.  Only create more domains when there is a good business case, for example: multinational company with different languages and vastly different security settings.

Three Aspects of Planning Your OUs

  1. Organize your users by ‘filing’ them into OUs named after their departments.
  2. Delegate mundane tasks like resetting passwords to local administrators.
  3. Plan desktops through group policies.  Realize that different OUs and departments can have different group policy settings.

1. Organize Users by ‘Filing’ them into OUs

By default all users are created in the Users folder.  Much better to distribute users into OUs so that you can manage them more easily.  Once you have organized the user accounts you can apply the same techniques to computers and groups.

Guy Recommends 3 Free Active Directory ToolsDownload Solarwinds Active Directory Administration Tool

SolarWinds have produced three Active Directory add-ons.  These free utilities have been approved by Microsoft, and will help to manage your domain by:

  1. Seeking and zapping unwanted user accounts.
  2. Finding inactive computers.
  3. Bulk-importing new users.  Give this AD utility a try, it’s free!

Download your FREE Active Directory administration tools.

2. Delegate Mundane Tasks Like Resetting Passwords

If you take the time consuming job of account lockout.  When you establish OU’s and delegation then a local administrator or power user can reset the password and leave you to get on with more interesting work.  You decide which administrators have control over which tasks.  For the more experienced you could allow them to create user accounts for new joiners, and disable accounts for those who have left.

OU Server 2003 Delegation Tactics

Firstly create groups with delegation in mind. 
Example: Global Group = HelpDesk to allow password changes.
Global Group = HR Deputy to add more users. 

Secondly consider the tactical question: "Do you delegate at the Domain level or at the OU level?"
Example: At the Domain level, delegate HelpDesk, to Reset Passwords.
Example: At the OU HeadQuarters, delegate HR Deputy to create accounts for new staff. 

Active Directory is flexible so you can do both, or change your mind if the strategy changes.

3.  Plan Desktops Through Group Policies

Incidentally the default Users container is not an OU and so you cannot set group policies there.  Group policies are the best way to control the user’s desktop and to assign the software they need.  Organizational units are the best place to apply most of the policy settings.  The exceptions are security policies which must be set at the domain level.  By creating OU’s you can fine tune which software is assigned to which users.  Customer facing users will need stricter controls over their wallpaper and desktop icons than the back-room team in tech support.  See more on how Windows Server 2003 Group Policies.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM)Review of Orion NPM v12 v12

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

Perhaps the NPM’s best feature is the way it suggests solutions to network problems.  Its second best feature is the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.

Download your free trial of SolarWinds Network Performance Monitor.

Changes In Windows Server 2003 OU (Compared with Windows 2000)

OU’s and delegation are virtually identical in Windows Server 2003 and Windows 2000.  The only relevant new features are improvements to group policies, and they are covered on a separate page.

One minor change is that you can now drag and drop objects between OUs, however take care, you do not want to lose your users!

Creating OUs – Getting StartedWindows Server 2003 OU

Go to the Active Directory Users and Computers, select ‘Domain’, right-click, New OU.  Then to delegate right-click the OU and Delegate is the first item on the shortcut menu.

  Firstly, make sure that the Security Tab is available on the OU Properties.  On the above diagram you would go to the View (menu) and select Advanced Features.  Now go back and check the OU, Properties, Security (tab), Advanced should now be there.

When you create OUs balance geographic sites with departmental structure. 
Example: Create a top level of OUs reflecting the branch offices, then nest departments inside each branch OU. 

Delegation – Getting Started

When you right-click an OU or the Domain, Delegate control is the first item on the menu.  Once activated, the wizard will lead you through the steps to select the group then choose the tasks to delegate.  It pays to run the wizard a number of times, just to see all the options available.

Recommendations For Creating Windows Server 2003 OU

  • When you create your top level OU’s, consider whether they will contain skilled staff who you can delegate routine tasks such as resetting passwords.
  • The two main choices at the top level are by geographic location or by department.
  • Do not use more than one level of OU nesting.
  • Remember to design your OU structure with Group Policies in mind.
  • Decide in which OU’s will you place the computers and groups.
  • Delegate by group rather than individual user.

If you like this page then please share it with your friends


More Windows Server 2003 topics:

• Windows Server 2003 Roles   • IIS v 6.0 Explained   • Upgrade from NT 4.0 •   Install Server 2003

• Active Directory – Intro   • Active Directory – DNS   • Group Policy in Windows 2003   • FSMO Roles

• Windows Secondary Logon Service   • Windows Server 2003 OU   • .NET Explained   • Computer Jokes