Planning the Directory tree levels

You create container objects to form the top level of the Directory tree for both departmental and organizational strategies. These container objects help you manage and organize the network by relating groups of other container objects and leaf objects.

It is important to remember that the top level is the most important level of the Directory tree. All other levels of the tree branch off the top level. If you organize the top level well, you can organize your entire Directory tree more efficiently.

Consider the following when planning Directory tree levels:

• The name of the Directory tree must be unique on the physical wire or backbone of the actual network hardware connection.

• The depth of the Directory tree should be no longer than 256 characters for the Distinguished Name, which is the full context of the tree.

  Remember that each level you add to the tree can increase the length of a user's context. The shorter you can keep users' contexts, the less problem they will have remembering them.

• Partitions or replicas should be placed close to the end user.

  For example, if there are departments in two cities that access the same resources in the Directory tree, such as printers or servers, then place a replica in both cities to accommodate both departments.

• Rights should be granted by exception. That is, you should grant rights at the container level, then at the group level, and then at an individual object level if necessary.

  For example, if you have a group of users that will generally require the same rights assignment, plan to place them in the same container and assign the rights to the container. Then, if there is a small subset of these users that should not have one of the rights assigned to everyone else, plan to mask the right for those User objects or add those objects to a group that has the right masked.