Delegation Model – Sites Area or Tier2

We call Delegation Model – Sites Area or Tier2 to the “Sites root OU” where all the different sites or areas or departments live inside. This area is where all the business employees will exist and organize. In other words, all user objects representing the employee identity. Creating the identity within this container, among the assigned computers, business groups and any AD object required by the business unit to operate. This area is effectively Tier2.

It is completely forbidden to have any kind of administrative account or group within this OU subtree. Any account or group that must get any delegated right to administer or maintain this area must not stay here. Please refer to Administration Area instead.


The root OU “SITES” (or any other given name) will implement, administered and maintained by the forest owner. Any major area, like the ones described here, will follow the same procedure. The root SITES OU is a standard OU without any special ACL change (inheritance enabled having all default permissions), except that the Infrastructure Administrators have the right to Create/Delete OU objects, and the delegated Domain Administrators can only change the OUs, but not create/delete them.

Only 2 Group Policy Objects (monolithic GPO) are within the plan for this root level, one for general User settings and the second one for general computer settings. No other GPO is intended at this level, unless there is a clear reason to implement a specific-purpose GPO, which has been previously analyzed, engineered, documented and approved by the Infrastructure Team in charge of the domain.

The following OU levels will define each of the individual sites. The second OU level will be the name of the site/department, always following the company naming standards.

Delegation Model - SitesArea or Tier2

The 2nd OU level will not have any specific ACL defined, only the inherited ones. No GPO will exist at this level, only the parent existing ones.

The 3rd OU level (and last one) will organize according to the object classes which will host. In other words, it will be a defined Users container, and ONLY user objects will get the delegated right to create User Object Classes within it.

Exceptions on Delegation Model – Sites Area or Tier2

There is one exception within this container: Global. This is the default container which will have a kind of “domain wide” objects without privileges. As already explained, each site has its own container for different object types; but what will happen when you do need a domain wide group, which is not directly linked or managed by any specific site? Well, creating such groups within Admin Area is not the solution. We do need an extra “generic” container, and of course the parent OU is the Sites Area.

Social network sharing