An organizational unit (OU)
is a logical group of Active Directory objects, just as its name
implies. OUs serve as containers within which other Active Directory
objects can be created, but they do not form part of the DNS namespace.
They are used solely to create organization within a domain.
OUs can contain the following types of Active Directory objects:
Users
Groups
Computers
Shared Folder objects
Contacts
Printers
InetOrgPerson objects
MSMQ Queue Aliases
Other OUs
Perhaps the most useful feature of OUs is that they
can contain other OU objects. As a result, systems administrators can
hierarchically group resources and other objects according to business
practices.
Another advantage of OUs is that each can have its own set of policies.
Administrators can create individual, unique Group Policy objects (GPOs)
for each OU; a GPO is a set of rules or policies that applies to all the
objects within the OU to which it is linked.
Each type of object has its own purpose within the
organization of Active Directory domains. Later in this chapter, you'll
look at the specifics of User, Computer, Group, and Shared Folder
objects. For now, let's focus on the purpose and benefits of using OUs.
1. The Purpose of OUs
OUs are mainly used to organize the objects within
Active Directory. Before you dive into the details of OUs, however, you
must understand how OUs, users, and groups interact. Most importantly,
you should understand that OUs are simply containers that you can use
to logically group various objects. They are not, however, groups in
the classical sense. That is, they are not used for assigning security
permissions. Another way of stating this is that the user accounts,
computer accounts, and group accounts that are contained in OUs are
considered security principals while the OUs themselves are not.
OUs do not take the place of standard user and group permissions.
A good general practice is to assign users to groups and then place the
groups within OUs. This combines the benefits of group-based security
permissions with the benefits of applying settings through the OU
hierarchy. Figure 1 illustrates this concept.
An OU contains objects only from within the domain
in which it resides. As you'll see in the section titled "Delegating
Administrative Control," later in this chapter, the OU is the finest
level of granularity used for group policies and other administrative
settings.
2. Benefits of OUs
There are many benefits of using OUs throughout your network environment:
OUs are the smallest unit to which you can assign directory permissions.
You can easily change the OU structure, and it is more flexible than the domain structure.
The OU structure can support many different levels of hierarchy.
Child objects can inherit OU settings.
You can set Group Policy settings on OUs.
You can easily delegate the administration of OUs and the objects within them to the appropriate users and groups.
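The practice recommended above (users in groups, groups in OUs, a GPO per OU) and two of the benefits just listed (nested hierarchy and inherited settings) can be exercised end to end in a lab. The following PowerShell is an added example, not code from the book: the domain name corp.example, the OU names Europe and Finance, the group Finance-Users, the GPO names and the account labuser01 are placeholders chosen for a test domain, and the script assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the account running it may create OUs, groups and GPOs.

```powershell
# Added example (not from the book): build a small OU hierarchy, put a group
# inside it, link GPOs at two levels, and verify what the chapter says about
# OUs. Assumed lab domain: corp.example (placeholder). Requires the RSAT
# ActiveDirectory and GroupPolicy modules and rights to create OUs/groups/GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example

# 1. OUs nest: a parent OU for a region and a child OU for a department.
New-ADOrganizationalUnit -Name 'Europe' -Path $domainDN -ProtectedFromAccidentalDeletion $true
$europe  = "OU=Europe,$domainDN"
New-ADOrganizationalUnit -Name 'Finance' -Path $europe -ProtectedFromAccidentalDeletion $true
$finance = "OU=Finance,$europe"

# 2. Permissions are assigned to groups; the groups (and users) live inside the OU.
New-ADGroup -Name 'Finance-Users' -GroupScope Global -GroupCategory Security -Path $finance
New-ADUser -Name 'Lab User 01' -SamAccountName 'labuser01' -Path $finance `
    -AccountPassword (Read-Host -AsSecureString 'Password for labuser01') -Enabled $true
Add-ADGroupMember -Identity 'Finance-Users' -Members 'labuser01'

# 3. Each OU can carry its own policy: one GPO linked to the parent, one to the child.
New-GPO -Name 'Europe-Baseline'  | New-GPLink -Target $europe  -LinkEnabled Yes | Out-Null
New-GPO -Name 'Finance-Settings' | New-GPLink -Target $finance -LinkEnabled Yes | Out-Null

# 4. Check inheritance: the child OU sees its own link plus the parent's and the domain's.
$inh = Get-GPInheritance -Target $finance
"Linked directly to Finance : " + (($inh.GpoLinks          | ForEach-Object DisplayName) -join ', ')
"Applied to Finance (all)   : " + (($inh.InheritedGpoLinks | ForEach-Object DisplayName) -join ', ')

# 5. Check principals: the group has a SID and can appear in an ACL; the OU has none.
$groupSid = (Get-ADGroup -Identity 'Finance-Users').SID.Value
$ouSid    = (Get-ADObject -Identity $finance -Properties objectSid).objectSid
"Group SID : $groupSid"
"OU SID    : " + $(if ($null -eq $ouSid) { '<none> (an OU is a container, not a security principal)' } else { $ouSid })
```

Run it once against a disposable domain; step 4 shows Finance-Settings in the direct links and both GPOs (plus the Default Domain Policy) in the applied list, and step 5 shows why the chapter insists on granting permissions to groups rather than to the OU that holds them.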
Now that you have a good idea of why you
should use OUs, take a look at some general practices you can use to
plan the OU structure.