AD: OU for system administrator accounts

Just a simple question:

Does it make sense to create a dedicated OU in Active Directory for system administrators (including domain controller admins)? Are there drawbacks to following this approach? Is there a good practice in this regard?


As noted in other responses, it can be good for GPO linking -- though I would never make this configuration change solely for that purpose.

Also noted, Active Directory does have "a safeguard (adminSDHolder and sdProp) to prevent Delegation of Control activities from compromising privileged accounts", but this safeguard only deals with user accounts that are members (directly or indirectly) of the Protected Groups (Domain Admins, Server Operators, Account Operators, Backup Operators, etc.; full list here: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory). I propose that the sdProp process - while beneficial - is just one layer of protection for Active Directory security, and that it is insufficient to be relied upon as the sole layer of securing sensitive security principals.

While this is a great feature of Active Directory, the problem is that if the (at times, nebulous) best practices are being followed, these groups will be mostly empty. Also by choosing to adhere to best practices it necessarily follows that several custom groups must be created and used to secure different access in the environment - groups with admin access to workstations, groups with admin access to servers, groups with admin access to Exchange, groups with admin access to the virtualization environment, groups with admin access to shared file systems, groups with admin access to other applications and other LDAP-integrated applications, services, and devices; groups that are delegated access to Active Directory itself.

Several of these groups should be treated with as much reverence as "Domain Admins" or any of the other groups detailed in the link -- and sdProp/adminSDHolder does not support the inclusion of additional groups - only the exclusion of (at my last check) 4 of the pre-defined groups.

In order to properly and easily achieve delegation of management of these groups, these groups should be kept in a separate OU to which access can either be delegated, or remain as the default with Domain Admins retaining sole access to modify the groups' memberships. Since this OU is essentially required to secure the discussed groups, it logically follows that members of these groups (the dedicated secondary, tertiary, even quaternary administrative accounts for various users) should also exist in this location.
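An added audit script (not part of the answer above, and not a Microsoft tool) that illustrates the point about custom admin groups: for every user and group under an admin OU it reports whether sdProp protects the object (adminCount = 1 and DACL equal to the AdminSDHolder template) or whether its permissions simply inherit from the OU, meaning the OU's delegation is the only thing securing it. The OU distinguished name in $AdminOU is a placeholder; it assumes the RSAT ActiveDirectory module.

```powershell
# Audit objects in a dedicated admin OU: which are covered by sdProp/AdminSDHolder
# and which depend entirely on the OU's own ACL. Added example, not from the post.
Import-Module ActiveDirectory

$AdminOU = 'OU=Admin,DC=example,DC=com'   # placeholder: your admin OU's DN

# AdminSDHolder is the template whose DACL sdProp stamps onto protected objects.
$domainDN     = (Get-ADDomain).DistinguishedName
$templateAcl  = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
$dacl         = [System.Security.AccessControl.AccessControlSections]::Access
$templateDacl = $templateAcl.GetSecurityDescriptorSddlForm($dacl)

# Users (objectCategory=person excludes computers) and groups under the OU.
$objects = Get-ADObject -SearchBase $AdminOU -SearchScope Subtree `
    -LDAPFilter '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))' `
    -Properties adminCount

$report = foreach ($obj in $objects) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    $objDacl = $acl.GetSecurityDescriptorSddlForm($dacl)
    [pscustomobject]@{
        Name              = $obj.Name
        Class             = $obj.ObjectClass
        AdminCount        = $obj.adminCount            # 1 when sdProp has touched it
        DaclMatchesHolder = ($objDacl -eq $templateDacl)
        InheritsFromOU    = -not $acl.AreAccessRulesProtected
    }
}

$report | Sort-Object Class, Name | Format-Table -AutoSize

# Objects the OU's delegation alone protects: not stamped by sdProp and still
# inheriting permissions from the OU. These are the custom admin groups and
# accounts the answer argues must live in a tightly controlled OU.
$onlyOuProtected = $report | Where-Object { $_.AdminCount -ne 1 -and $_.InheritsFromOU }
Write-Host "`nObjects protected only by the OU ACL: $($onlyOuProtected.Count)"
$onlyOuProtected | Format-Table Name, Class -AutoSize

# Objects with adminCount=1 whose DACL no longer matches AdminSDHolder are worth
# a look: adminCount is not cleared when an account leaves a protected group.
$stale = $report | Where-Object { $_.AdminCount -eq 1 -and -not $_.DaclMatchesHolder }
Write-Host "`nadminCount=1 but DACL differs from AdminSDHolder: $($stale.Count)"
$stale | Format-Table Name, Class -AutoSize
```

Run it from an account that can read the OU and the System container; no objects are modified.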


The Real Answer(tm) is something like: Uhh-- maybe, depending on what you're trying to accomplish. Tell us more about why you're thinking about doing this and we can give you a more specific answer. What are you trying to actually accomplish?

There is no specific best practice that I'm aware of. Active Directory has a safeguard (adminSDHolder and sdProp) to prevent Delegation of Control activities from compromising privileged accounts. You don't have a major risk of opening up "Domain Admins" or other privileged group membership simply by placing privileged accounts into an OU.

If you're looking to do this simply for visual organization you should read up on using queries in "Active Directory Users and Computers". You can make "views" of Active Directory objects that look virtually any way you can think of.

If your goals go beyond visual then you need to think about a variety of concerns.

The physical structure of the domain partition of an Active Directory (the OU structure) is best structured to facilitate Delegation of Control first, and Group Policy deployment second.

If this proposed separation is based on a Delegation of Control concern then you'd do well to read up on adminSDHolder, sdProp, and how permissions for privileged accounts work in AD.

If you're talking about controlling Group Policy application then, sure, put the accounts in an OU. (Heck, put 'em in two.) There's still an "it depends on what you're trying to accomplish" component to that, too. Are you looking for an easy way to segregate user Group Policy for a class of users? Filtering GPOs with group membership might accomplish the same thing you're looking for and could prevent you from needing to "repeat yourself" by linking common GPOs in multiple locations (or, worse, duplicating the same settings in multiple GPOs).

The nature of your question makes me think you should probably take a look at some Active Directory design documentation (like https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/ad-ds-design-and-planning), too.