

# Lessons learned and best practices
<a name="best-practices"></a>
+ **OU structure design is not a one-time effort.** As a company increases cloud adoption and migrates additional workloads into the AWS landing zone, its OU design (and implicitly its concept of policies) will also naturally evolve.
+ **Don't mistake OUs for folders; consider them a target for policies.** The OUs and their hierarchy provide the structuring element for AWS accounts and should always be treated as containers for policies. We recommend that you place all AWS accounts that require the same set of policies into the same OU. This guideline also extends to nested OUs (OUs within OUs).

  AWS environments that require centrally shared functionality and cross-workload data sharing capabilities (which are frequently seen in enterprise data platforms) are easier to accommodate in an OU structure that is not based on lines of business (LOB) function classification. For example, a production environment for a manufacturing application is no different from a production environment for a clinical trial analytics application in terms of policies in AWS Organizations.
+ **Respect and use inheritance.** When you attach a policy to a specific OU, AWS accounts that are directly under that OU or under any child OU inherit the policy. When you attach a policy to a specific AWS account, the policy affects only that AWS account.

  The migration effort from one OU structure to another depends on how extensively existing policies were configured at the OU or AWS account level. Another important factor is how much policy inheritance was used in the existing OU hierarchy, and whether that inheritance was broken. Migration complexity increases with irregular or deviating inheritance paths. For example, if you apply policies at the individual AWS account level or make frequent policy exceptions (which break inheritance), migrating those policies into a new structure will take significantly more effort. In such high-complexity cases, we recommend that you invest the time to review and redesign policy inheritance during migration planning.
+ **Take care of both AWS Organizations policies and AWS Control Tower controls.** The OU structure is shared between AWS Control Tower and AWS Organizations. AWS Control Tower provides its own set of detective and preventive controls. These controls apply at the AWS account or OU level. AWS Organizations orchestrates policies at the OU level. In an OU migration, we recommend that you migrate AWS Organizations policies first, because these carry more weight for compliance. We recommend that you apply AWS Control Tower controls to the new OU structure in the second migration step.
+ **It takes time to update AWS accounts.** You must re-enroll existing AWS accounts individually into the new OU structure by using AWS Control Tower. This takes time. If you have a large number of accounts, we recommend that you use automation to control the OU placement of AWS accounts. Here are two example scenarios:
  + *Manual change for a small migration:* The migration lead reassigns each AWS account from its old OU to its new OU in the AWS Management Console. When that reassignment is complete for all AWS accounts, the migration lead re-enrolls the accounts in AWS Control Tower, either one AWS account at a time or for entire OUs. Re-enrolling an AWS account in AWS Control Tower requires 10-15 minutes per account, depending on the number of AWS Regions used within the account. AWS Control Tower allows up to five concurrent operations of this kind to run in parallel.
  + *Custom change automation:* Automation simplifies the work and saves effort. For example, you can automate the management of an AWS account lifecycle from its creation to migration and termination. You can use [AWS Control Tower Account Factory](https://docs.aws.amazon.com/controltower/latest/userguide/account-factory.html) to change the OU assignment for an AWS account and run the re-enrollment process. This automation supports the large-scale migration of hundreds of AWS accounts.
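The inheritance and migration-complexity points above can be checked mechanically before you start moving accounts. The following script is an added example, not AWS code or part of this guide: it models a small, constructed OU hierarchy with its policy attachments, walks each account's inheritance path to the root to compute the policies that apply to it, flags account-level attachments (the exceptions that break inheritance and raise migration effort), and groups accounts by identical effective policy set so that accounts that need the same policies can be placed in the same target OU. The OU names, account IDs and policy names are invented; for a real organization you would populate the three dictionaries from the AWS Organizations API instead.

```python
from collections import defaultdict

# Constructed sample hierarchy: OU name -> parent OU (None marks the root).
OU_PARENT = {
    "Root": None,
    "Workloads": "Root",
    "Prod": "Workloads",
    "NonProd": "Workloads",
    "Sandbox": "Root",
}

# Constructed sample accounts: account ID -> OU the account currently sits in.
ACCOUNT_OU = {
    "111111111111": "Prod",
    "222222222222": "Prod",
    "333333333333": "NonProd",
    "444444444444": "Sandbox",
    "555555555555": "Prod",
}

# Constructed policy attachments: target (OU name or account ID) -> policy names.
# The attachment on account 222222222222 is an account-level exception.
ATTACHMENTS = {
    "Root": {"DenyLeaveOrg"},
    "Workloads": {"DenyRootUser"},
    "Prod": {"DenyDeleteBackups"},
    "Sandbox": {"RestrictServices"},
    "222222222222": {"AllowLegacyRegion"},
}


def effective_policies(account, account_ou=ACCOUNT_OU, ou_parent=OU_PARENT, attachments=ATTACHMENTS):
    """Return every policy attached on the path from the account up to the root.

    A policy attached to an OU applies to all accounts below it, so the set of
    policies in effect for an account is the union of the attachments on the
    account itself and on each ancestor OU.
    """
    policies = set(attachments.get(account, ()))
    ou = account_ou[account]
    while ou is not None:
        policies |= set(attachments.get(ou, ()))
        ou = ou_parent[ou]
    return frozenset(policies)


def migration_assessment(account_ou=ACCOUNT_OU, ou_parent=OU_PARENT, attachments=ATTACHMENTS):
    """Return (exceptions, groups) for migration planning.

    exceptions: accounts with policies attached directly (inheritance broken).
    groups: effective policy set -> accounts sharing it; each group is a
            candidate for one OU in the new structure.
    """
    exceptions = sorted(a for a in account_ou if attachments.get(a))
    groups = defaultdict(list)
    for account in sorted(account_ou):
        groups[effective_policies(account, account_ou, ou_parent, attachments)].append(account)
    return exceptions, dict(groups)
```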