When creating an Active Directory structure it is good to develop the design with a focus on efficient management, delegation of administrative tasks and application of Group Policies (GPOs). This can be done using a structure based on continent, country and role (e.g., users, servers).
Below is a recommended Active Directory design based on my experiences.
Top-Level Active Directory Design Considerations:
Continent/Region-Based OUs: This allows for easy delegation of administrative control by region. It is not unusual to have different MSPs or teams in charge of specific continents or regions. Depending on your organization you might use Europe, North America and Asia, or add further regions such as India, China or EMEA (Europe, Middle East, Africa).
Country-Based Sub-OUs: Countries within each continent get their own OUs for further delegation and policy application. Typical reasons are works council requirements, data privacy configurations or country-specific compliance requirements.
Role-Based OUs: Within each country, separate OUs for users, servers and other resources (e.g., workstations) are created. We want to keep Group Policies for computer settings and user settings apart, and this separation is the basic approach for it. It also allows you to create logon scripts for users and to delegate user administration separately from server and client object administration.
Server Version OUs: Servers should be further segregated by operating system version for easier management of updates and group policies. This becomes very important when we start working with the Windows Server 2025 baseline configuration in the next part of this series.
Below is an example structure. Remember that the final Active Directory design depends on your organization's size and structure. If you look at Active Directories from multiple organizations you will notice that the designs usually differ in layers 1 and 2 (continent and country), but you will almost always find the Users and Servers split.
|-- Europe
|   |-- Germany
|   |   |-- Users
|   |   |-- Servers
|   |       |-- Server2019
|   |       |-- Server2022
|   |       |-- Server2025
|   |-- France
|       |-- Users
|       |-- Servers
|           |-- Server2022
|           |-- Server2025
|-- North America
    |-- USA
    |   |-- Users
    |   |-- Servers
    |       |-- Server2022
    |       |-- Server2025
    |-- Canada
        |-- Users
        |-- Servers
            |-- Server2025
Benefits of This Structure:
Security Boundaries: By separating users and servers into different OUs, you can apply different security policies tailored to each group. Keep in mind that an OU is an administrative and policy boundary, not a security boundary in the AD sense (the forest is): rights delegated on a parent OU are inherited by everything below it, so review delegations at the continent level with care.
Delegated Administration: Administrators can be assigned permissions at the continent or country level without affecting other regions.
Simplified Group Policy Management: GPOs can be applied at various levels (continent, country, operating system version) to ensure consistent configurations across similar resources.
Scalability: The structure is scalable as new countries or regions can easily be added without disrupting the existing hierarchy.
Example Use Cases:
Delegating Control in Germany:
- You can delegate control of the Europe\Germany OU to a local administrator group in Germany, allowing its members to manage users and servers within that country without affecting other countries in Europe. Delegate to a group rather than to an individual account, so the permission can be reviewed and revoked in one place.
Applying Policies to All Servers Running Windows Server 2025:
- You can link a GPO to Europe\Germany\Servers\Server2025 to enforce server-specific policies such as patching schedules or security baselines. Because the tree is organized per country, "all Server 2025 machines" means one link per Server2025 OU (Germany, France, USA, Canada). The same GPO is linked in each place, so there is still only one policy object to maintain.
Applying Continent-Wide Policies:
- A GPO linked at the Europe level applies to all European countries beneath it, ensuring consistency across the entire region.
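The three use cases above, done from PowerShell. This is an added example and not code from the original post: it assumes a domain-local security group named DE-OU-Admins already exists, a GPO name of SRV-2025-Baseline, and the domain DN used by the script further down the page. The delegation uses the classic two-ACE pattern (create/delete child objects of a class, plus full control over existing objects of that class), with the class GUIDs read from the schema instead of being hard-coded.

```powershell
# Added example (not from the original post). Assumed names: group "DE-OU-Admins",
# GPO "SRV-2025-Baseline"; the domain DN matches the page's OU creation script.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain    = "DC=ad,DC=hartiga,DC=de"
$germanyOU = "OU=Germany,OU=Europe,$domain"
$adminGrp  = "DE-OU-Admins"        # assumed: existing security group
$gpoName   = "SRV-2025-Baseline"   # assumed: baseline GPO name

# --- 1. Delegate user and computer management under Europe\Germany to a group ---
# Look up the schemaIDGUID of the "user" and "computer" classes from the schema
# partition rather than trusting hard-coded GUIDs.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = @{}
foreach ($cls in 'user', 'computer') {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(ldapDisplayName=$cls)" -Properties schemaIDGUID
    $classGuid[$cls] = [guid]$obj.schemaIDGUID
}

$sid = (Get-ADGroup $adminGrp).SID
$acl = Get-Acl -Path "AD:\$germanyOU"
foreach ($cls in $classGuid.Keys) {
    # ACE 1: may create and delete objects of this class in the OU and all sub-OUs
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $classGuid[$cls],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    # ACE 2: full control over existing descendant objects of this class only
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid[$cls])))
}
Set-Acl -Path "AD:\$germanyOU" -AclObject $acl

# Check what was actually written: only the four ACEs for the group should show up,
# each scoped to an object type, never an unscoped GenericAll on the OU itself.
(Get-Acl -Path "AD:\$germanyOU").Access |
    Where-Object { $_.IdentityReference -like "*\$adminGrp" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize

# --- 2. One baseline GPO, linked to every Server2025 OU in the tree ---
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment "Windows Server 2025 security baseline"
}
$targets = Get-ADOrganizationalUnit -Filter "Name -eq 'Server2025'" -SearchBase $domain
foreach ($ou in $targets) {
    # Idempotent: skip OUs where this GPO is already linked
    $linked = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks |
              Where-Object { $_.GpoId -eq $gpo.Id }
    if (-not $linked) {
        New-GPLink -Guid $gpo.Id -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
        Write-Host "Linked $gpoName to $($ou.DistinguishedName)"
    }
}
```

A continent-wide policy is the same `New-GPLink` call with `-Target "OU=Europe,$domain"`. The delegation part must run with rights to modify the OU's security descriptor (typically Domain Admins in a home lab); afterwards the group has no rights on the OU object itself or on sub-OUs, only on user and computer objects below it, which is the scope the use case asks for.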
Additional Considerations:
- Hybrid Structures: Depending on your organization's needs, you may want to combine location-based OUs with department-based OUs (e.g., Europe\Germany\Finance\Users).
- Group Policy Inheritance: Be mindful of how GPO inheritance works in this hierarchical structure. Avoid blocking inheritance and security filters wherever you can. Use Item Level Targeting with Group Policy Preferences, but avoid WMI Filters for performance reasons.
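The inheritance advice above is easy to violate over time, so here is an added audit (my code, not from the original post) that reports the three things it warns against: OUs with inheritance blocked, GPOs carrying a WMI filter, and GPOs whose security filtering no longer includes Authenticated Users. The domain DN is the one from the page's script; the report layout is an assumption.

```powershell
# Added example (not from the original post): audit the OU tree for the GPO
# patterns the text advises against. Domain DN taken from the page's script.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoHygieneReport {
    param([Parameter(Mandatory)][string]$SearchBase)

    # 1. OUs that block inheritance: GPOs linked above them silently stop applying
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase |
        ForEach-Object { Get-GPInheritance -Target $_.DistinguishedName } |
        Where-Object { $_.GpoInheritanceBlocked } |
        ForEach-Object {
            [pscustomobject]@{ Object = $_.Path; Issue = 'Inheritance blocked' }
        }

    foreach ($g in Get-GPO -All) {
        # 2. WMI filters are evaluated by every client at each policy refresh
        if ($null -ne $g.WmiFilter) {
            [pscustomobject]@{ Object = $g.DisplayName; Issue = "WMI filter: $($g.WmiFilter.Name)" }
        }
        # 3. Security filtering: Apply right removed from Authenticated Users
        $apply = Get-GPPermission -Guid $g.Id -All | Where-Object { $_.Permission -eq 'GpoApply' }
        if (-not ($apply.Trustee.Name -contains 'Authenticated Users')) {
            $who = ($apply.Trustee.Name -join ', ')
            if (-not $who) { $who = '(nobody)' }
            [pscustomobject]@{ Object = $g.DisplayName; Issue = "Security filtering: applies only to $who" }
        }
    }
}

Get-GpoHygieneReport -SearchBase "DC=ad,DC=hartiga,DC=de" | Format-Table -AutoSize
```

Run it read-only from any domain-joined admin workstation with RSAT; an empty report means the tree still follows the rules above. Note that a GPO filtered to a group is not wrong in itself, but each hit is a place where "why does this policy not apply?" will cost you time later, which is exactly why the design prefers OU placement and Item Level Targeting over filters.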
PowerShell Script to create the structure
The following script creates the example OUs for Europe and North America based on my recommended structure, for the home lab and for Active Directory in general. You can easily adjust the $domain path and add additional continents, countries and other OUs.
# Import Active Directory module
Import-Module ActiveDirectory
# Define the root domain for the OUs
$domain = "DC=ad,DC=hartiga,DC=de"
# Function to create an Organizational Unit if it doesn't already exist
function Create-OU {
    param (
        [Parameter(Mandatory)][string]$ouName,
        [Parameter(Mandatory)][string]$parentOU
    )
    # Construct the full distinguished name for the new OU
    $ouPath = "OU=$ouName,$parentOU"
    # Check if the OU already exists. A string filter with the variable expanded
    # is the documented form; script-block filters are converted to strings
    # internally and are a frequent source of "no match" surprises.
    $existing = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouPath'" -ErrorAction SilentlyContinue
    if (-not $existing) {
        # Create the OU. Protection from accidental deletion is the default;
        # it is stated explicitly so nobody removes it by accident later.
        New-ADOrganizationalUnit -Name $ouName -Path $parentOU -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
        Write-Host "Created OU: $ouName under $parentOU"
    } else {
        Write-Host "OU: $ouName already exists under $parentOU"
    }
}
# Start creating the OU structure
# Europe OUs
$europeOU = "OU=Europe,$domain"
Create-OU "Europe" $domain
# Germany OUs
$germanyOU = "OU=Germany,$europeOU"
Create-OU "Germany" $europeOU
Create-OU "Users" $germanyOU
Create-OU "Servers" $germanyOU
# Germany Servers Sub-OUs
$germanyServersOU = "OU=Servers,$germanyOU"
Create-OU "Server2019" $germanyServersOU
Create-OU "Server2022" $germanyServersOU
Create-OU "Server2025" $germanyServersOU
# France OUs
$franceOU = "OU=France,$europeOU"
Create-OU "France" $europeOU
Create-OU "Users" $franceOU
Create-OU "Servers" $franceOU
# France Servers Sub-OUs
$franceServersOU = "OU=Servers,$franceOU"
Create-OU "Server2022" $franceServersOU
Create-OU "Server2025" $franceServersOU
# North America OUs
$northAmericaOU = "OU=North America,$domain"
Create-OU "North America" $domain
# USA OUs
$usaOU = "OU=USA,$northAmericaOU"
Create-OU "USA" $northAmericaOU
Create-OU "Users" $usaOU
Create-OU "Servers" $usaOU
# USA Servers Sub-OUs
$usaServersOU = "OU=Servers,$usaOU"
Create-OU "Server2022" $usaServersOU
Create-OU "Server2025" $usaServersOU
# Canada OUs
$canadaOU = "OU=Canada,$northAmericaOU"
Create-OU "Canada" $northAmericaOU
Create-OU "Users" $canadaOU
Create-OU "Servers" $canadaOU
# Canada Servers Sub-OUs
$canadaServersOU = "OU=Servers,$canadaOU"
Create-OU "Server2025" $canadaServersOU
This Active Directory design provides a flexible and scalable foundation for managing users, servers, and other resources across multiple regions and countries within Active Directory.
Layout in Active Directory Users and Computers
If you need to install the Active Directory, please check the guide here.