Organizational units (OUs) are, as their name implies, organizing tools for collections of objects within a domain. An OU can contain any collection of Active Directory objects such as printers, computers, groups, and so forth.
In the past, a domain that became very complicated was usually sorted out by splitting the domain into multiple domains. Organizational units provide an alternative administrative substructure that is infinitely more flexible. They can be arranged hierarchically within a domain and administrative control can be delegated for functions in a single OU or an entire subtree of OUs. (An OU is the smallest entity to which you can delegate administrative control.) At the same time, organizational units can be modified, moved, renamed, and even deleted easily. Another plus is that, unlike a domain, a subtree of organizational units doesn't require a domain controller.
Organizational units are only containers; they don't confer membership and aren't security principals. Rights and permissions are granted to users through group membership. After your groups are constructed, use OUs to organize group objects and assign Group Policy settings. The use of Group Policy is covered in Chapter 9.
Real World
Organizational Units or New Domain?
Unfortunately, there's no firm rule that you can apply to decide when an expanding network should be divided into separate domains and when new OUs are called for. If any of the following applies, multiple domains might be the answer:
Situations that call for the use of OUs include the following:
So in general, when the situation calls for a flexible or even fluid structure, OUs are the answer.
Organizational units are easily created and appear as folders in a domain structure. To create an OU, follow these steps:
One of the most useful aspects of organizational units is that they can be moved from one container or even one domain to another. To move an OU, follow these steps:
Organizational units can also be deleted easily. However, exercise caution when deleting an OU because its contents will also be removed. That means you can inadvertently delete all the resources and user accounts contained in an OU if you act too hastily. Follow these steps to delete an organizational unit:
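Because deleting an OU removes everything beneath it, it is worth counting what the subtree holds before you act. The following is an added example, not part of the original text: it takes a list of (distinguished name, object class) pairs, such as you might export from the directory, and reports what deleting one OU would remove. The domain example.com, every object name, and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample entries: (distinguished name, object class).
ENTRIES = [
    ("OU=Sales,DC=example,DC=com", "organizationalUnit"),
    ("OU=Printers,OU=Sales,DC=example,DC=com", "organizationalUnit"),
    ("CN=Laser1,OU=Printers,OU=Sales,DC=example,DC=com", "printQueue"),
    ("CN=Smith\\, Ann,OU=Sales,DC=example,DC=com", "user"),   # escaped comma
    ("cn=bob,ou=sales,dc=example,dc=com", "user"),            # different case
    ("CN=SalesPC01,OU=Sales,DC=example,DC=com", "computer"),
    ("CN=Carol,OU=PreSales,DC=example,DC=com", "user"),       # sibling OU
    ("CN=Dave,OU=Sales,OU=Archive,DC=example,DC=com", "user"),  # other subtree
]

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, lowercased for comparison.
    Hex escapes such as \\2C are not normalised here."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip().lower() for p in parts]

def in_subtree(dn, ou_dn):
    """True if dn is the OU itself or lies anywhere beneath it."""
    rdns, base = split_dn(dn), split_dn(ou_dn)
    return len(rdns) >= len(base) and rdns[-len(base):] == base

def deletion_impact(entries, ou_dn):
    """Count, by object class, everything that deleting ou_dn would remove."""
    return Counter(cls for dn, cls in entries if in_subtree(dn, ou_dn))

if __name__ == "__main__":
    impact = deletion_impact(ENTRIES, "OU=Sales,DC=example,DC=com")
    for cls, count in sorted(impact.items()):
        print(f"{count:3d}  {cls}")
```

Comparing whole name components from the right, rather than searching for the OU's name as a substring, keeps an OU called Sales under a different parent out of the count.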