Organizational units (OUs)
When you deploy Active Directory (AD) in your company, you may decide to create multiple organizational units (OUs) within your domain. An OU is a container within your domain that holds users, groups, computers, and other objects. You use an OU to store similar objects, making them easy to access and administer them. An OU will always be contained within a single domain.
You can also place sub-OUs within an OU—in a process called nesting—to create a hierarchical structure. OUs are usually created in such a way that they mimic the company’s functional or business structure.
Creating the OU structure
Here are some OU models that you can implement in AD:
- Functional/divisional: Each division or function within your company will have its own OU. For example, there could be a marketing OU, sales OU, research OU, and so on. All objects that belong to a particular function are placed in its respective OU.
- Geographic: As the name suggests, these OUs are created to mirror your company’s business operations in different geographic locations. For example, if your company operates in three different locations (New York, London, and Mumbai), you could have a New York OU, London OU, and Mumbai OU.
- Object: In this type of OU model, you would have different OUs for different object types. For example, you could have a users OU, privileged users OU, computers OU, and so on.
You can also combine the above models in your OU design. Here’s an example:
Questions to answer when designing OUs
OU design is a critical task when deploying AD. Answers to the following questions will help you design the OU structure:
Benefits of using OUs
There are three main benefits of using OUs:
- Manage objects efficiently: You can think of an OU as a folder you create on your computer. You’d put similar files within a folder to find them easily. In a very similar way, putting similar objects together in an OU (especially in an OU that mirrors your business practices) helps you manage objects efficiently.
- Deploy Group Policy Object (GPO) settings: A GPO is a set of user and computer configuration settings that you can apply to (and thus impose on) users and computers within a domain, site, or OU. After creating an OU and placing relevant objects inside it, you can link specific GPOs to that OU. The GPO will be applied to all objects within the OU. Imagine all of your company’s call center employees are part of one OU. If you don’t want these employees to access the internet from their machines, you can simply deploy a GPO with this configuration and apply it to that OU.
- Delegate administrative control: OUs provide you with new opportunities for distributed administrative authority. Larger companies will find this particularly useful.Imagine your company has three offices, with its headquarters in New York and two more offices in London and Mumbai. Let’s assume that the primary IT team works out of the headquarters in New York, the marketing team works out of London, and the research team works out of Mumbai. If the primary IT team in New York is tasked with attending to password reset requests from all three locations, it may cause bottlenecks in IT operations and affect the IT team’s productivity. Instead, the primary IT team could enable the marketing manager in London and the research lead in Mumbai to take care of these kinds of password requests from any of their respective team members.