Organizational Units in Active Directory

What is an Organizational Unit?

In Active Directory, resources are arranged in a logical, hierarchical structure that administrators use to organize and manage them. Forests are the top-level containers; domains are contained within forests, and Organizational Units are contained within domains.

An Organizational Unit (OU) is a container that can hold objects such as users, groups, computers and other OUs. It is the smallest scope in Active Directory to which Group Policy can be linked and over which administrative authority can be delegated. An OU exists within a single domain and cannot span domains. OUs make administration easier by grouping related objects together within a domain.

Organizational Units can be nested inside one another to any depth, so the hierarchy can be scaled to match the organization and users and computers can be managed at whatever level is convenient.

Organizational Units Vs Groups

Organizational Units are not the same as groups, nor the same as the generic containers (such as the default Users and Computers containers) in Active Directory. A generic container cannot have a Group Policy Object (GPO) linked to it; an OU can, which is what makes the OU the unit of administration. Generic containers do still receive GPOs linked at the domain or site level through inheritance. Groups serve a different purpose: a group is a security principal that can appear in an access control list and be granted permissions to resources, whereas an OU is not a security principal and cannot be granted permissions. Membership in a group does not, by itself, bring an object under an OU's Group Policy; a GPO applies to the users and computers located in the OU where it is linked (unless its scope is narrowed further with security filtering).

What are the functions of Organizational Units?

Organizational Units are used to perform the following functions.

1.   To organize objects together so that Group Policies can be applied to all objects within the OU.

For instance, consider an organization that has two different branches in the same city (A and B). Each branch has a separate IT team taking care of administration. The two branches can be managed as separate OUs for A and B, so that each IT team can link its own Group Policy Objects to its OU, affecting only the users and computers in that OU and its child OUs. GPOs linked higher up, at the domain or site level, still apply to both branches through inheritance.

2.   To group objects together so that administrative tasks can be delegated to other users and administrators within the domain.

Consider the same organization with branches in different cities: Chennai, Mumbai and Bangalore. The main IT team is located in Bangalore and has to manage administration for all three locations, which becomes a tedious routine. The main IT team can instead delegate control of the Chennai and Mumbai OUs to the respective local IT administrators. This makes administration easier and reduces the workload of the main IT team. Managing users and groups, changing group membership and managing Group Policy links are some of the common administrative tasks that can be delegated through OUs. Delegation is implemented as permissions on the OU that are inherited by the objects inside it, so it should be limited to the rights the delegated team actually needs and reviewed periodically.
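The branch scenario above, as an added example that is not part of the original article: each branch gets its own GPO linked only at its OU, and Get-GPInheritance is used to show what the OU really receives, including domain-level links the branch team cannot override. It assumes the ActiveDirectory and GroupPolicy modules, a domain whose OUs are named Branch-A and Branch-B directly under the domain root, and the GPO names shown; all of these are illustrative.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory and
# GroupPolicy modules and OUs Branch-A and Branch-B under the domain root.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=corp,DC=example

foreach ($branch in "Branch-A", "Branch-B") {
    $ouDN = "OU=$branch,$domainDN"

    # One GPO per branch, linked only at that branch's OU, so its settings
    # reach the users and computers in that OU (and its child OUs) and nothing else.
    $gpo = New-GPO -Name "$branch-Baseline" -Comment "Managed by $branch IT"
    New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes | Out-Null

    # What the OU really receives: its own links plus everything inherited from
    # the domain and the site. A domain-level link marked Enforced still wins
    # over the branch GPO, even if the branch team sets "Block Inheritance".
    $inh = Get-GPInheritance -Target $ouDN
    "{0}: inheritance blocked = {1}" -f $branch, $inh.GpoInheritanceBlocked
    "  links on this OU:"
    $inh.GpoLinks | Select-Object DisplayName, Enforced, Enabled, Order | Format-Table -AutoSize
    "  effective (inherited + own), in processing order:"
    $inh.InheritedGpoLinks | Select-Object DisplayName, Enforced, Enabled, Order | Format-Table -AutoSize
}
```

The InheritedGpoLinks list is the one to review when a branch team reports that "their" GPO is not taking effect: an Enforced link from the domain, or a site-level link, will appear there even though the branch team never linked it and cannot remove it.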

How can Organizational Units be structured?

Organizational Units can be structured to reflect the physical or functional arrangement of an organization: by function or division, by geographic location, or by type of object.

The functional or divisional model groups objects by function, such as HR, Sales, Marketing or Production. The geographical model groups objects by location; for instance, an organization with branches in Chennai, Mumbai and Bangalore can have a separate Organizational Unit for each branch. A third approach groups objects by type, such as users, computers and administrative accounts (keeping privileged accounts in their own OU makes it easier to apply stricter policies to them alone). Any of these models can be chosen according to the needs of the organization, and OUs can be nested within other OUs to reflect the organizational hierarchy, for example a location OU containing function OUs.

Creating an Organizational Unit in Active Directory

An Organizational Unit can be created with the Active Directory Users and Computers console using the following steps.

1.   Open the Active Directory Users and Computers.

2.   Select the domain (or the parent OU) in which the new OU needs to be created.

3.   Right-click the domain or parent OU and select New –> Organizational Unit.

4.   A dialog box prompting for the name of the OU appears. Specify the name of the new OU.

5.   Click OK to complete the process.

By default, a newly created OU is protected from accidental deletion: the New Object dialog has the “Protect object from accidental deletion” checkbox selected, which writes a Deny entry for Everyone on the Delete and Delete Subtree permissions of the OU. To delete such an OU later, enable View –> Advanced Features in the ADUC console, open the OU's properties, clear the checkbox on the Object tab, and then delete the OU.

Organizational Units can also be created with PowerShell, using the New-ADOrganizationalUnit cmdlet from the ActiveDirectory module.
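The same procedure from PowerShell, as an added example that is not part of the original article: it builds the geographic hierarchy used elsewhere in this article, keeps accidental-deletion protection on, and shows the two-step removal that the protection forces. It assumes the ActiveDirectory module and a domain in which the OU names Branches, Chennai, Mumbai, Bangalore and Scratch do not yet exist; the names are illustrative.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module;
# OU names are illustrative.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Parent OU for all branches, then one child OU per city. Like the ADUC dialog,
# New-ADOrganizationalUnit protects the new OU from accidental deletion by
# default; the parameter is given explicitly here to make that visible.
New-ADOrganizationalUnit -Name "Branches" -Path $domainDN `
    -Description "Per-branch OUs; branch IT teams are delegated below here" `
    -ProtectedFromAccidentalDeletion $true

foreach ($city in "Chennai", "Mumbai", "Bangalore") {
    New-ADOrganizationalUnit -Name $city -Path "OU=Branches,$domainDN" `
        -ProtectedFromAccidentalDeletion $true
}

# Review what was created, including the protection flag.
Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Branches,$domainDN" `
    -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion

# Removing a protected OU. A temporary OU is created just to show the sequence:
# the protection is a Deny ACE for Everyone on Delete and Delete Subtree, so a
# plain Remove fails until the flag is cleared (on the OU and any protected
# children). -Recursive then deletes whatever objects remain inside it.
$scratch = New-ADOrganizationalUnit -Name "Scratch" -Path "OU=Branches,$domainDN" -PassThru
Set-ADOrganizationalUnit -Identity $scratch -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $scratch -Recursive -Confirm:$false
```

Clearing the flag and deleting in one script removes the safety net that the flag exists to provide, so in practice the first statement is worth running on its own and the deletion kept as a separate, deliberate step.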

Moving Objects into an OU

After creating an OU, objects such as users and computers have to be moved into it. This can be done using the following steps.

1.   Open the container or OU holding the objects to be moved and select the required objects.

2.   Choose Move from the context menu.

3.   Select the destination OU and click OK.

The moved objects then appear under the destination OU in the Active Directory Users and Computers (ADUC) console.

Objects can also be moved by dragging and dropping them onto the destination OU within ADUC.

When an object is moved, the permissions it inherited from its previous parent are replaced by those inherited from the destination OU (permissions set explicitly on the object itself are kept), and the Group Policy Objects linked at the new location apply to it from the next policy refresh. Moving an object therefore changes its effective security, which is why the right to move objects between OUs should be delegated with care.
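The move and its effect on inherited permissions, as an added example that is not part of the original article: computers that were joined to the domain without a target OU (and so sit in the default Computers container, where no GPO can be linked) are moved into a branch OU with Move-ADObject, and the inherited access control entries on each object are listed afterwards to show that they now come from the destination OU. It assumes the ActiveDirectory module, an existing OU=Chennai,OU=Branches under the domain root, and a naming convention in which Chennai computers are named CHN-*; all of these are illustrative.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module,
# an existing OU=Chennai,OU=Branches and computer names starting with CHN-.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$destOU   = "OU=Chennai,OU=Branches,$domainDN"

# CN=Computers is a container, not an OU: no GPO can be linked to it and no
# delegation can be scoped to it, so objects left there miss the branch policy.
$toMove = Get-ADComputer -Filter 'Name -like "CHN-*"' `
    -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel

# Dry run first. Move-ADObject needs rights at both ends of the move: to delete
# the object from its source and to create a computer object in the destination.
$toMove | Move-ADObject -TargetPath $destOU -WhatIf
$toMove | Move-ADObject -TargetPath $destOU

# After the move the distinguished name has changed but the objectGUID has not,
# so look the object up again by GUID. Inherited ACEs now derive from the
# destination OU chain; ACEs set explicitly on the object are unchanged, and the
# GPOs linked at the new location apply at the next refresh (or gpupdate /force).
foreach ($c in $toMove) {
    $moved = Get-ADComputer -Identity $c.ObjectGUID
    $acl   = Get-Acl -Path "AD:\$($moved.DistinguishedName)"
    "{0}`n  -> {1}" -f $c.DistinguishedName, $moved.DistinguishedName
    $acl.Access |
        Where-Object IsInherited |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights |
        Sort-Object IdentityReference -Unique |
        Format-Table -AutoSize
}
```

Running the listing both before and after the move (the before run against the original distinguished name) makes the change in inherited entries visible: anything delegated on the destination OU, such as a helpdesk group's rights, shows up on the computer object only after the move.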

How are permissions for an OU delegated to a User?

After creating an OU and populating it with objects, control over it can be delegated to specific users or, preferably, groups; the delegated accounts do not need to be located in the OU themselves. This can be done using the following steps.

1.   Select the desired OU by means of the ADUC console.

2.   Select the Delegate Control option from the context menu.

3.   Click Next once the Delegation of Control wizard is launched.

4.   Choose the users or group to whom control has to be delegated. A group is preferable, since its membership can be changed later without editing the OU's permissions.

5.   Choose the tasks to delegate, either from the list of common tasks (such as resetting user passwords or managing group membership) or as custom permissions on specific object types.

6.   Select the Finish option to complete the process.

The wizard only adds permissions; it cannot remove them. The entries it creates can be viewed and modified at any time on the OU's Security tab (shown in ADUC when View –> Advanced Features is enabled), and what a given account actually ends up with, including inherited entries, can be checked under Advanced with Effective Access (called Effective Permissions in older versions).
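The delegation written as an access control entry, as an added example that is not part of the original article: it grants a helpdesk group the Reset Password extended right on user objects under a branch OU, which is the core of what the wizard's "Reset user passwords and force password change at next logon" task writes (the wizard additionally grants write access to the pwdLastSet attribute for the force-change part), and then lists every non-inherited entry on the OU so the delegation can be reviewed or reverted. It assumes the ActiveDirectory module, an existing OU=Chennai,OU=Branches under the domain root and a group named Chennai-Helpdesk; the names are illustrative. The two GUIDs are the well-known schema identifiers of the Reset Password right and the user class.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module,
# an existing OU=Chennai,OU=Branches and a group named Chennai-Helpdesk.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Chennai,OU=Branches,$domainDN"

# Delegate to a group, never to individual users: membership can then be
# reviewed and revoked without touching the ACL again.
$group = Get-ADGroup -Identity "Chennai-Helpdesk"

# Well-known GUIDs: the Reset Password extended right and the user object class.
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

# One ACE: Allow <group> the extended right "Reset Password", inherited only by
# descendant objects of class user. Scoping to the object class matters: the
# same right without it would also apply to computer accounts under the OU.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review: everything set directly on this OU (the wizard never shows this list
# and cannot remove what it added). Rights broader than the task needs, such as
# GenericAll, WriteDacl or WriteOwner granted to a helpdesk group, let that
# group take over every object under the OU and should be removed here with
# $acl.RemoveAccessRule($entry) followed by Set-Acl.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

In the listing, ObjectType is the GUID of the right or attribute the entry covers and InheritedObjectType the class it applies to; an entry whose ObjectType is the all-zero GUID with GenericAll rights is full control, and is what to look for when auditing delegations made by the wizard's "Custom task" path.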

What are the advantages of using Organizational Units?

Organizational Units offer the following advantages.

  • They can be nested to support different levels of hierarchy and to manage objects within a domain efficiently. Since objects are grouped together on clear criteria, they are easier to find and to administer as a unit.

  • They can be used to delegate administrative control of Active Directory objects. Since control can be distributed, large organizations can manage their resources more efficiently, and for organizations with branches in different geographical locations, delegation of authority to local teams helps things run smoothly.

  • They can be used to apply Group Policy Object settings. A GPO can be linked to an OU containing a particular set of users or computers; for example, all the marketing trainees of a company can be placed in their own OU and a GPO linked there can apply restrictions (such as desktop or software lockdowns) to them alone. Note that access to a specific resource, such as a file containing sales transactions, is governed by the permissions granted to groups on that resource, not by the OU an account sits in.



