Coaching

Organizational Unit (OU) Summary

March 15, 2018

When Active Directory is installed, the following containers and OU are created by default:

  • The Domain container, which is the root container to the hierarchy.
  • The Builtin container, which holds the default service administrator accounts.
  • The Users container, which contains the domain’s predefined users and groups. The Users container is also the default location for new user accounts and groups created in the domain.
  • The Computers container, which is the default location for new computer accounts created in the domain.
  • The Domain Controllers OU, which is the default location for domain controllers computer accounts.

    The default containers are used by the operating system. They cannot be renamed, deleted, or have Group Policy applied to them.

An Organizational Unit (OU) is similar to a folder that subdivides and organizes network resources within a domain.

  • An OU can contain other OUs and any type of object type, such as users, computers, and printers.
  • OUs can be nested to logically organize network resources.
    • Parent OUs are OUs that contain other OUs.
    • Child OUs are OUs within other OUs.
    • The recommended maximum nested level of OU containers is five.
    • Too many levels of nested OUs can slow resource requests and complicate group policy application.
  • OUs are typically organized by the following:
    • Physical location, such as a country or city
    • Organizational structure, such as the HR, Sales, and IT departments
    • Object type, such as user accounts or computers
    • Hybrid of location, organizational structure, and object type

Be aware of the following considerations for managing OUs:

Feature Description
Group Policy One of the main reasons to use OUs to contain objects instead of containers is the application of Group Policy. Create OUs for each group of objects that need to have different Group Policy settings. Keep in mind:

  • Group Policy objects (GPOs) can be applied to OUs.
  • Policy settings apply to all objects within the OU.
  • Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs.

A generic container, a container created by default, is not an OU and cannot have group policy objects assigned to it. A good practice is to move objects out of generic containers and into an OU. For example, you can move computers out of the Computers container and into an OU, where group policy can be applied.
Preventing accidental deletion Objects in Active Directory can be accidentally deleted using Active Directory Users and Computers and other management tools. The following types of deletions are most common:

  • Leaf-node deletion is when a user selects and deletes a leaf object. A leaf object is an object without a child object, also referred to as a subordinate object.
  • Organizational Unit (OU) deletion is when a user selects and deletes an OU. Deleting the OU deletes all objects within the OU (including any child OUs and their objects).

When you create an OU using Active Directory Users and Computers, the Protect container from accidental deletion option is selected by default. You can turn the option on or off after the OU is created in one of the following ways:

  • On the Object tab of the OU in Active Directory Users and Computers. Select Advanced Features from the View menu before opening the Object tab.
  • On the Security tab, in Computers or Active Directory Sites and Services.
Delegating authority Delegating authority is the assignment of administrative tasks–such as resetting passwords or creating new users–to appropriate users and groups. You should set up the OU structure in a way that best facilitates your support plan. Be aware of the following facts about delegating control:

  • Using the Delegation of Control Wizard or the Authorization Manager console, you can delegate control of any part of an OU or object at any level.
  • An object-based design allows you to delegate control based on the types of objects in each OU. For example, you can delegate control over specific object types (such as user objects).
  • A task-based design allows you to delegate control based on the types of administrative tasks that need to be done. Some examples of administrative tasks are:
    • User account management, such as creation and deletion
    • Password management, such as resetting and forcing password changes
    • Group membership and permissions management
Coaching
© Data Coincide, LLC 2010-2019