I present to you the optimal Active Directory structure used by many large companies, where the worldwide headcount sometimes reaches 10 000 employees. Naturally, in companies of that size the domain tree is divided by continent.
For example:
- root domain – vmkh.org
- child domains – europe.vmkh.org and australia.vmkh.org
Moreover, the structure of each domain in the tree is the same.

The domain structure is divided into countries:
- Organizational Unit: AU (Country Australia)
Each country OU is divided into organizational units by object type. Groups come first and are further divided by group scope:
- Organizational Unit: Groups
  - Local – domain local groups
  - Global – global groups
  - Universal – universal groups
  - Distribution – distribution groups
Servers are divided into organizational units by the service they run:
- Organizational Unit: Servers (server accounts)
  - Disabled – disabled and decommissioned servers
  - Exchange – servers where Exchange Server is deployed
  - File – servers with shared and confidential network resources
  - Normal – member servers that do not require separation by service
  - Print – servers with shared printers
And so on, depending on the need to separate servers by service.
Service accounts are divided into organizational units by role:
- Organizational Unit: Service (accounts used to run services)
  - Disabled – disabled service accounts
  - Normal – ordinary service accounts
Users are divided into organizational units by role:
- Organizational Unit: Users (user accounts)
  - Admins – administrative accounts with elevated rights
  - Disabled – disabled user accounts
  - External – accounts for contractors and other freelancers
  - Normal – ordinary users who do not require role separation
And so on, depending on the need to separate users by role.
Workstations are divided into organizational units by the role of their users:
- Organizational Unit: Workstations (workstation accounts)
  - Admins – workstations used with accounts that have elevated rights
  - Disabled – disabled and decommissioned workstations
  - Normal – ordinary workstations that do not require separation by user role
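As an added example (not part of the original post), this PowerShell builds the OU tree described above for one country under the australia.vmkh.org child domain from the example tree, so that Group Policy and delegated administration can later be scoped per OU. It assumes the ActiveDirectory RSAT module; the domain DN and the `Ensure-OU` helper are assumptions for this example.

```powershell
# Added example: creates the country OU and the nested object-type OUs from the post.
# Assumes the ActiveDirectory module (RSAT) and the DN of the australia.vmkh.org domain.
Import-Module ActiveDirectory

$DomainDN  = 'DC=australia,DC=vmkh,DC=org'   # derived from the post's example tree
$CountryOU = 'AU'                             # Country Australia

# Parent OU => child OUs, mirroring the structure described in the post
$Layout = [ordered]@{
    'Groups'       = @('Local', 'Global', 'Universal', 'Distribution')
    'Servers'      = @('Disabled', 'Exchange', 'File', 'Normal', 'Print')
    'Service'      = @('Disabled', 'Normal')
    'Users'        = @('Admins', 'Disabled', 'External', 'Normal')
    'Workstations' = @('Admins', 'Disabled', 'Normal')
}

function Ensure-OU {
    # Hypothetical helper: creates the OU only if it is missing and returns its DN,
    # so the script can be re-run safely as the structure grows.
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $existing) {
        # Protect every OU from accidental deletion; a deleted OU takes its
        # linked GPOs and delegations with it.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
            -ProtectedFromAccidentalDeletion $true
        Write-Verbose "Created $dn"
    }
    return $dn
}

$countryDN = Ensure-OU -Name $CountryOU -ParentDN $DomainDN
foreach ($parent in $Layout.Keys) {
    $parentDN = Ensure-OU -Name $parent -ParentDN $countryDN
    foreach ($child in $Layout[$parent]) {
        Ensure-OU -Name $child -ParentDN $parentDN | Out-Null
    }
}

# Review the result: every OU below the country OU, one line per DN
Get-ADOrganizationalUnit -Filter * -SearchBase $countryDN |
    Sort-Object DistinguishedName | Select-Object -ExpandProperty DistinguishedName
```

Run it with `-Verbose` from an account that has rights to create OUs in the domain; repeating the run creates nothing new.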