I'm not sure whether it's better to nest groups under each of my organizational units or to make an organization unit directly under the root DN just for groups. Is one considered best practice over the other? I want to keep my configuration as vanilla as possible to maximize compatibility with LDAP-aware applications.
My immediate needs include:
- SSO with Atlassian Crowd
- Google Apps Directory Sync (LDAP Groups -> Mailing Lists)
- pGina for Windows Authentication
Here is a diagram showing the two strategies I'm considering:
Best Answer
According to the AD design guidance, there are 2 things to consider when designing your structure: 1)delegation of administrative control and 2)group policies.
Since Group Policies don't apply to groups, you're basically left with one - delegation of Administrative control. Your model B gives the option to do some local delegation of administrative tasks at each school, which might be something you'll implement, so that's what I would have gone for.
I've seen examples of further dividing groups into separate OUs by group type, such as application group, policy group, permission group, and so on.