Elsmore.net : Plink

1 - In our case, we have a single company ("Regence") spread out over four states (OR, ID, UT, WA). So in my case, I'm Thomas Duff/OR/Regence.

2 - We're a global company and we use Local Subsidiary/Region/Company. In some countries there is more than one subsidiary and the regions are EU,AM,AP,JP,CN. There are a few exceptions where the region code is a 'special' department in the company.
Here's an example Vitor Pereira/RS/EU/Company.

3 - Certification with one OU per country should usually be enough. Since people move more within a country than between countries, you don't have to recertify people as often.

The problem with large organizations with lots of OU's is that the recertification can't keep up with the way people move around withing the organization. In the end you will have an organization with 30 - 50 % of the users in the wrong OU's, and by that, you have lost all meaning with the OU's.

For a company that is completely within one country, OU's could be used to denote city, county or state instead.

4 - In my last job they used country codes (2 digits), airport codes (3 digits), company codes(3 digits) and parent company name.

Example

For People
[CN]/[CountryCode]/[CompanyCode]/[ParentCompanyName]
Jack Taylor/GB/CMP/Company

For Servers
[CompanyCode][AirportCode][NumericDigit]/[CountryCode]/[CompanyCode]/[ParentCompanyName]
CMPGLA1/GB/CMP/Company

5 - My clients are either CN/O or they've gone nuts with OU's and hence created a whole lot more work for themselves, although larger companies don't typically have much of a choice. My advice is always to keep it as simple as is humanly possible.

And on the note of recertification customer environments.... I highly suggest using a third party product as doing it manually is SUCH a pain!

6 - The last O & OU restructure that I was a part of we needed to address lack of previous maintanance (people in the wrong OU), high turnover & job changing and a company rename.

The solution was to go flat at the OU level & innocuous at the O level. (Yes, it freaked some people out, and pissed others off, but none had a genuine business case)

John Doe/Domino or potentially John Doe/Users/Domino became the new style. I concider /Users to be safe as an OU because John will nver become a server thus needing to change to the /Servers/Domino OU and /Domino will never become /Exchange. This allows for */Users/Domino to be granted access instead of using default, but, thats trivial.

When this is achieved, the only need to change a persons name is based on a common name change, common name uniqueness was enforced over time, so, when you quit, your common name quit too.

In a large organization that might benefit from some of the other advantage of OU separation, I strongly recomend the use of 3rd party tools for maintenance. Once tools have been used its very hard to go back, and once tools are used all sorts of more complicated options are available. Groups are much easier to maintain than OU's are.