
OU Hierarchy Configuration

Overview

When customers are created in Atria, a corresponding Organizational Unit (OU) is created in Active Directory. All Active Directory objects related to that customer are stored within the customer's OU. This ensures permissions can be scoped appropriately—each customer can only see their own objects or those of their child customers.

This document outlines the feature and how it is used.


OU Configuration Options

In Atria, Organizational Units can be configured in the following ways:

  • Flat or hierarchical structure
  • Separate root OUs configurable per reseller
  • Each root OU can have its own hierarchy configuration
  • The top-level customer (service provider) can be excluded from the hierarchy and stored alongside its children
  • OU offsets can be configured per customer to allow non-customer-related OUs between customers
  • Only one root OU can be active at a time per reseller (this is where new child customers are created; existing ones remain where they are)

OU Placement Properties in Atria

These settings are configured on the Customer Portal Settings service. They apply to child customers of a reseller, so the reseller’s instance is the right place to set them.


CustomerOURoot

  • Determines where customer OUs for the reseller are created
  • Only one root OU is allowed per reseller
  • The OUHierarchyEnabled flag can be set per root OU

Default value:
OU=Customers,{domainDn}


OUHierarchyEnabled

  • False: All customers are created under the CustomerOURoot
  • True: A hierarchy is created; customers are placed within their parent’s OU
    • If RootCustomerExcludesHierarchy = True, the root customer is placed at the same level as its immediate children

Default value:
True


RootCustomerExcludesHierarchy

  • Only applies when OUHierarchyEnabled = True
  • True: Top-level reseller’s customers are placed at the same level as the reseller
  • False: Customers are placed within the reseller’s OU
  • Applies only to the top-level reseller

Default value:
True


CustomerOUOffset

  • Defines an offset OU between the reseller/root OU and the customer OU
  • Used in hierarchy patterns as {OUOffset}

Default value: (empty) — no offset
Example: OU=DEF456,OU=ABC123


CustomerOUName

  • Defines the pattern used to generate the customer OU name

Default value:
{CustomerLongName} ({CustomerShortName})


Summary of Default Settings


Property                       | Value
CustomerOURoot                 | OU=Customers,{domainDn}
OUHierarchyEnabled             | True
RootCustomerExcludesHierarchy  | True
CustomerOUOffset               | (empty)
CustomerOUName                 | {CustomerLongName} ({CustomerShortName})

General Rules


  • A CustomerOURoot set at the reseller level controls placement of its immediate children, regardless of hierarchy settings
  • Top-level resellers have no parent and are placed directly under the CustomerOURoot
  • Hierarchy can be configured differently per reseller
  • Only one CustomerOURoot is allowed at a time per reseller
    • If multiple "active" locations are needed, use separate reseller configurations (virtual resellers if necessary)
  • OU offsets can be set to place customers into distinct OUs within the same structure for operational reasons (e.g., access control)

Special Considerations

There are two hidden path patterns used:

  1. Hierarchy pattern:
    OU={CustomerOUName},{OUOffset}{ResellerOU}

  2. Non-hierarchy pattern:
    OU={CustomerOUName},{OUOffset}{CustomerOURoot}

These are returned to provisioning rules by the stored procedure:
sp_CustomerOUPathPatternGet

Behavior Based on Settings

  • RootCustomerExcludesHierarchy = True: Root and level 2 customers use the non-hierarchy pattern
  • RootCustomerExcludesHierarchy = False: Only the root uses non-hierarchy; others use hierarchy
  • If using non-hierarchy pattern, the CustomerOURoot is saved to the customer’s Proxy Service to prevent changes from affecting existing customers
  • When a CustomerOURoot is set, all direct child customers are placed there
  • OU placement is calculated during Customer Creation or Update
  • User and Group placement is determined by retrieving the existing CustomerOU from AD and applying the appropriate object offsets
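
The pattern selection described above can be modelled to predict where a customer OU should sit, which is useful when auditing that customer objects really are inside the OU their permissions are scoped to. This is an added example, not Atria's code or the logic of sp_CustomerOUPathPatternGet. The function and class names are hypothetical, the domain is a constructed sample, and it assumes level 1 is the root customer, that a non-empty offset is joined to the base with a comma, and that name values are escaped per RFC 4514; per-reseller CustomerOURoot overrides are not modelled.

```python
from dataclasses import dataclass

# The two path patterns quoted on this page.
HIERARCHY = "OU={CustomerOUName},{OUOffset}{ResellerOU}"
NON_HIERARCHY = "OU={CustomerOUName},{OUOffset}{CustomerOURoot}"

@dataclass
class Settings:  # defaults from the summary table on this page
    customer_ou_root: str = "OU=Customers,{domainDn}"
    ou_hierarchy_enabled: bool = True
    root_customer_excludes_hierarchy: bool = True
    customer_ou_offset: str = ""
    customer_ou_name: str = "{CustomerLongName} ({CustomerShortName})"

def escape_rdn(value: str) -> str:
    """Escape an RDN value per RFC 4514 so a name cannot add DN components."""
    out = "".join("\\" + c if c in '"+,;<>\\' else c for c in value)
    if value[:1] in ("#", " "):
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:
        out = out[:-1] + "\\ "
    return out

def customer_ou_dn(s, domain_dn, long_name, short_name, level, parent_ou_dn=None):
    """Expected OU DN. level 1 = root customer, 2 = its immediate children, ..."""
    name = s.customer_ou_name.format(CustomerLongName=long_name,
                                     CustomerShortName=short_name)
    # Assumption: a non-empty offset is joined to the base with a comma.
    offset = s.customer_ou_offset + "," if s.customer_ou_offset else ""
    flat = (not s.ou_hierarchy_enabled or level == 1
            or (level == 2 and s.root_customer_excludes_hierarchy))
    if flat:
        pattern, base = NON_HIERARCHY, s.customer_ou_root.format(domainDn=domain_dn)
    elif parent_ou_dn:
        pattern, base = HIERARCHY, parent_ou_dn
    else:
        raise ValueError("hierarchy pattern needs the parent (reseller) OU DN")
    return pattern.format(CustomerOUName=escape_rdn(name), OUOffset=offset,
                          ResellerOU=base, CustomerOURoot=base)

DOMAIN = "DC=example,DC=test"  # constructed sample domain
if __name__ == "__main__":
    s = Settings()
    reseller = customer_ou_dn(s, DOMAIN, "Reseller A", "RESA", 2)
    print(reseller)
    print(customer_ou_dn(s, DOMAIN, "Tenant One", "T1", 3, reseller))
```

Comparing the returned DN with the distinguishedName actually found in AD highlights customers that sit outside their expected parent OU.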

Implementation in Atria

  1. In the Atria portal, navigate to Configuration > System Manager > Service Deployment.

  2. Under Service Filter, choose Top Environment Services.

  3. Expand the Customer Portal Settings service.

  4. Expand Service Settings.

This will allow you to change configuration options globally. This can be overridden in the hierarchy by configuring the Customer Portal Settings service at reseller or customer level.

Root OU Configuration

New customers will be created under a root-level OU in Active Directory called CSPHosting. Existing customers are not affected. Set this in the Customer Portal Settings Service at the top or location level.


OU Name Configuration

Atria can be configured to name the Customer OU using only the Customer Label, without {CustomerShortName}.


If you experience any issues or require any assistance, please contact us at support@getaitra.com.