Organizational Units

As defined in the RFC for the LDAP standard, organizational units (OUs) are containers that logically store directory information and provide a method of addressing Active Directory through LDAP. In Active Directory, OUs are the primary method for organizing user, computer, and other object information into a more easily understandable layout. As shown in Figure 4.8, the organization has a root organizational unit where three nested organizational units (marketing, IT, and research) have been placed. This nesting enables the organization to distribute users across multiple containers for easier viewing and administration of network resources.

As you can see, OUs can be further subdivided into resource OUs for easy organization and delegation of administration. Far-flung offices could have their own OUs for local administration as well. It is important to understand, however, that an OU should be created typically when the organization has a specific need to delegate administration to another set of administrators. If the same person or group of people administer the entire domain, there is no need to increase the complexity of the environment by adding OUs. In fact, too many OUs can affect group policies, logons, and other factors. Chapter 6, "Designing Organizational Unit and Group Structure," gives a detailed rundown of the design considerations encountered with organizational units.

Determining Domain Usage Versus OU Usage

As previously mentioned, some administrators tend to start applying the Active Directory domain structure to political boundaries within the organization. The dry-erase markers come out and very soon well-meaning managers get involved, organizing the Active Directory structure based on political boundaries. Subdomains start to become multiple layers deep, with each department taking its own subdomain. The problem with this strategy is that the Active Directory structure allows for this type of administrative granularity without division into multiple domains. In fact, the rule of thumb when designing domains is to start with a single domain and add additional domains only when necessary. In a nutshell, the type of administrative control required by many organizations can be realized by division of groups into separate organizational units rather than into separate domains.

OUs can therefore be structured to allow for separate departments to have various levels of administrative control over their own users. For example, a secretary in the Engineering department can be delegated control of resetting passwords for users within his own OU. Another advantage of OU use in these situations is that users can be easily dragged and dropped from one OU to another. For example, if users are moved from one department to another, moving them into their new department's OU is extremely simple.

It is important to keep in mind that OU structure can be modified on the fly any time an administrator feels fit to make structural changes. This gives Active Directory the added advantage of being forgiving for OU design flaws because changes can be made at any time.