This area will host all objects required by the delegation model in order to operate as described in this design. It is the container holding every object needed for domain administration, regardless of the Area/Tier the object belongs to: the Built-In Administrator, the privileged groups such as Domain Admins or Enterprise Admins, all users and groups used to delegate rights and administrative tasks, all service accounts, etc. This area is effectively Tier0.
All domain administration and delegation, while keeping a well-defined and organized structure, resides in this area and is managed and maintained by the infrastructure owners. This is accomplished by sub-dividing the objects into functional containers. The area should be as restrictive as possible while still allowing it to operate.
This OU (or area) is used to consolidate and secure all privileged identities while delegating tasks and rights to each of the objects of the domain.
As a starting point, the 1st-level OU (called the Admin OU in this document, the equivalent of Tier0) has to be secured. This is accomplished by modifying the SACLs (Security Access Control Lists) of the OU: the default inheritance must be changed and the legacy compatibility groups must be removed. The standard operational groups must be removed as well. Some other groups have to be created for the specific and secured operation of this area.
Once the "root" is created and secured, additional sub-containers must be defined for proper management of the environment. These containers should include the Users, the Groups, the Service Accounts, the Management Computers and the redirected User and Computer containers. When deciding the number of sub-containers, keep it as simple as possible while still meeting the goals. If a goal can be fulfilled with a single OU, adding more containers will barely help, but will raise operational cost and weaken security.
Once the root OU has been created and secured, all required sub-OUs are created, with inheritance enabled from the secured root OU just described. Auditing must be enabled and implemented for every object within this area. Only Infra Admins have the right to create and delete OUs within the domain.
After the creation of the sub-OUs, additional groups must be created within their corresponding containers. Some of these groups will have the delegated ability to manage objects in this area.
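The procedure of the preceding paragraphs (create and secure the root Admin OU, add the functional sub-OUs, enable auditing on the area, create the delegation groups), as an added PowerShell example that is not part of the original design document. The domain DN is read at runtime; the OU names, the groups stripped from the ACL, the audited rights and the use of a group named "Infra Admins" for OU creation are assumptions.

```powershell
# Added example, not from the original design document: builds and secures the
# Tier0 "Admin" area described above. OU names, the groups stripped from the ACL
# and the audited rights are assumptions. Run with Tier0 rights on a DC.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$adminOU  = "OU=Admin,$domainDN"
# 1. Root of the area, protected from accidental deletion.
New-ADOrganizationalUnit -Name "Admin" -Path $domainDN -ProtectedFromAccidentalDeletion $true
# 2. Secure the root: stop inheriting from the domain head, keep copies of the
#    inherited ACEs, then prune the legacy-compatibility and operational groups.
$acl = Get-Acl -Path "AD:\$adminOU"
$acl.SetAccessRuleProtection($true, $true)
$strip = @("BUILTIN\Pre-Windows 2000 Compatible Access",            # assumed legacy group
           "BUILTIN\Account Operators", "BUILTIN\Print Operators")   # assumed operational groups
foreach ($ace in @($acl.Access)) {
    if ($strip -contains $ace.IdentityReference.Value) { [void]$acl.RemoveAccessRule($ace) }
}
Set-Acl -Path "AD:\$adminOU" -AclObject $acl

# 3. Functional sub-containers; they inherit the restricted ACL of the root.
foreach ($name in "Users", "Groups", "Service Accounts", "Management Computers",
                  "Redirected Users", "Redirected Computers") {
    New-ADOrganizationalUnit -Name $name -Path $adminOU -ProtectedFromAccidentalDeletion $true
}

# 4. Audit every object in the area with one inheritable SACL entry on the root
#    ("Audit Directory Service Access" must also be enabled on the DCs).
$acl = Get-Acl -Path "AD:\$adminOU" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]"WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete",
    [System.Security.AccessControl.AuditFlags]"Success, Failure",
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($auditRule)
Set-Acl -Path "AD:\$adminOU" -AclObject $acl

# 5. Delegation groups live in their own container; only Infra Admins may create
#    or delete OUs anywhere in the domain (organizationalUnit schema class GUID).
New-ADGroup -Name "Infra Admins" -GroupScope Global -Path "OU=Groups,$adminOU"
$ouRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (Get-ADGroup "Infra Admins").SID,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    [Guid]"bf967aa5-0de6-11d0-a285-00aa003049e2",
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$domAcl = Get-Acl -Path "AD:\$domainDN"
$domAcl.AddAccessRule($ouRule)
Set-Acl -Path "AD:\$domainDN" -AclObject $domAcl
```

Review the copied ACEs left on the root after step 2 before relying on the area, and verify the resulting audit events (directory service access, event ID 4662 on the DCs) actually fire for a test change.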