business practices. The OU structure is extremely flexible and, as you will see later in this
chapter, can easily be rearranged to reflect business reorganizations.
Another advantage of OUs is that each can have its own set of policies. Administrators
can create individual and unique Group Policy objects (GPOs) for each OU. GPOs are rules
or policies that can apply to all of the objects within the OU. GPOs are discussed in detail
in Chapter 6, “Manage GPOs.”
Each type of object has its own purpose within the organization of Active Directory
domains. Later in this chapter, you'll look at the specifics of User, Computer, Group, and
Shared Folder objects. For now, let's focus on the purpose and benefits of using OUs.
The Purpose of OUs
OUs are mainly used to organize the objects within Active Directory. Before you dive into
the details of OUs, however, you must understand how OUs, users, and groups interact.
Most important, you should understand that OUs are simply containers that you can use to
group various objects logically. They are not, however, groups in the classical sense. That
is, they are not used for assigning security permissions. Another way of stating this is
that the user accounts, computer accounts, and group accounts that are contained in OUs
are considered security principals while the OUs themselves are not.
OUs do not take the place of standard user and group permissions. A good general practice
is to assign users to groups and then place the groups within OUs. This enhances the
benefits of setting security permissions and of using the OU hierarchy for making settings.
Figure 5.1 illustrates this concept.
Figure 5.1 Relationships of users, groups, and OUs
[Figure: User Accounts are assigned to Groups, and Groups are placed in OUs within the OU Structure. Other labels in the figure: Security Permissions; Delegation and Group Policy Settings.]
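The practice described above, as an added PowerShell example that is not from the book: users are assigned to a group, the group is placed in an OU, and a query then shows that the group carries a SID while the OU does not. The domain DC=contoso,DC=com, the OU Sales, the group Sales-Staff and the accounts asmith and bjones are assumed placeholders; the ActiveDirectory module (RSAT) and rights to create objects are assumed.

```powershell
# Added example, not from the book. All names below are assumed placeholders.
Import-Module ActiveDirectory

$domainDn = 'DC=contoso,DC=com'      # assumed domain
$ouDn     = "OU=Sales,$domainDn"     # assumed OU

# 1. Create the OU: a container used for organization, delegation, and GPO links.
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDn

# 2. Create a security group and place it in the OU.
New-ADGroup -Name 'Sales-Staff' -SamAccountName 'Sales-Staff' `
    -GroupScope Global -GroupCategory Security -Path $ouDn

# 3. Assign existing user accounts to the group (not to the OU).
Add-ADGroupMember -Identity 'Sales-Staff' -Members 'asmith', 'bjones'

# 4. Compare the OU with the objects directly inside it. Security principals
#    carry an objectSid; the OU has none, so it cannot be the trustee of a
#    permission entry. Permissions go to the group instead.
$objects = @(Get-ADObject -Identity $ouDn -Properties objectSid) +
           @(Get-ADObject -SearchBase $ouDn -SearchScope OneLevel `
                 -Filter * -Properties objectSid)

$objects |
    Select-Object Name, ObjectClass,
        @{ Name = 'IsSecurityPrincipal'; Expression = { $null -ne $_.objectSid } },
        @{ Name = 'Sid';                 Expression = { $_.objectSid } } |
    Format-Table -AutoSize

# 5. Check the practice: list user accounts under the OU that belong to no
#    group. MemberOf omits the primary group (normally Domain Users), so an
#    empty MemberOf means the account has no other group membership.
Get-ADUser -SearchBase $ouDn -Filter * -Properties MemberOf |
    Where-Object { -not $_.MemberOf } |
    Select-Object SamAccountName, DistinguishedName
```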