Recently, we onboarded a new client with an on-premises Active Directory (AD) domain, synchronized with Entra ID (EID) for use with Azure Virtual Desktop (AVD). This “lift and shift” approach is common for organizations transitioning from on-premises AD to Azure.

This week, the client requested the creation of a new user. Typically, this is straightforward: create the user in AD, wait about 30 minutes for Entra ID Connect to sync the new user, assign the license, and the user is ready to log into AVD.

However, the previous IT company had decided to move the default domain security groups into one of the Organizational Units (OUs) that sync with Entra ID. While this is technically feasible, I believe it is not advisable.

In my approach to planning an Active Directory domain, simplicity is key. I create a single OU for the company, containing three sub-OUs: Computers, Groups, and Users. For domains syncing with Entra ID, I create separate OUs, excluded from the sync scope, for objects that should not sync, or I apply the DoNotSync flag to those objects. Additionally, when integrating AVD, I create a dedicated OU for all AVD-related objects.
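As an added example (not the author's own script), the following PowerShell builds the OU layout described above and then audits for built-in security groups that were moved out of their default containers, which is how the relocated default groups in this case would be spotted. It assumes a company named Contoso, a sample account named svc-backup, and that the DoNotSync flag refers to the adminDescription convention (values starting with User_ or Group_) that Entra ID Connect's default sync rules filter out.

```powershell
# Added example, not from the original post. Assumes an OU named "Contoso",
# a user "svc-backup", and the adminDescription "User_/Group_" sync-filter convention.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$companyOU = "OU=Contoso,$domainDN"

# 1. Company OU with its three sub-OUs, a NoSync OU kept out of the
#    Entra ID Connect OU filter, and a dedicated OU for AVD objects.
$layout = @(
    @{ Name = 'Contoso';   Path = $domainDN  },
    @{ Name = 'Computers'; Path = $companyOU },
    @{ Name = 'Groups';    Path = $companyOU },
    @{ Name = 'Users';     Path = $companyOU },
    @{ Name = 'NoSync';    Path = $companyOU },
    @{ Name = 'AVD';       Path = $companyOU }
)
foreach ($ou in $layout) {
    $existing = Get-ADOrganizationalUnit -SearchBase $ou.Path -SearchScope OneLevel `
                    -Filter "Name -eq '$($ou.Name)'"
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Exclude a single object from sync without moving it: the default
#    "In from AD - User Common" rule skips adminDescription values starting with "User_".
Set-ADUser -Identity 'svc-backup' -Replace @{ adminDescription = 'User_DoNotSync' }

# 3. Audit: built-in groups (isCriticalSystemObject=TRUE) whose parent is no longer
#    CN=Users or CN=Builtin have been relocated, possibly into a synced OU.
$defaultContainers = @("CN=Users,$domainDN", "CN=Builtin,$domainDN")
Get-ADGroup -LDAPFilter '(isCriticalSystemObject=TRUE)' |
    Where-Object {
        # Strip the leading RDN (handling escaped commas) to get the parent container DN.
        $parent = $_.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
        $parent -notin $defaultContainers
    } |
    Select-Object Name, DistinguishedName
```

Any group listed by step 3 should be moved back to its default container, or at minimum placed in an OU outside the Entra ID Connect sync scope.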