Planning Organizational Units

Organizational units (OUs) are, as their name implies, organizing tools for collections of objects within a domain. An OU can contain any collection of Active Directory objects such as printers, computers, groups, and so forth.

In the past, a domain that became very complicated was usually sorted out by splitting the domain into multiple domains. Organizational units provide an alternative administrative substructure that is infinitely more flexible. They can be arranged hierarchically within a domain and administrative control can be delegated for functions in a single OU or an entire subtree of OUs. (An OU is the smallest entity to which you can delegate administrative control.) At the same time, organizational units can be modified, moved, renamed, and even deleted easily. Another plus is that, unlike a domain, a subtree of organizational units doesn't require a domain controller.

Organizational units are only containers; they don't confer membership and aren't security principals. Rights and permissions are granted to users through group membership. After your groups are constructed, use OUs or organize group objects and assign Group Policy settings. The use of Group Policy is covered in Chapter 9.

Real World

Organizational Units or New Domain?

Unfortunately, there's no firm rule that you can apply to decide when an expanding network should be divided into separate domains and when new OUs are called for. If any of the following applies, multiple domains might be the answer:

• Decentralized administration is needed.
• The network encompasses competing business units or joint ventures.
• Parts of the network are separated by very slow links, so complete replication would create severe traffic problems. (If the link is merely slow, you can use multiple sites within a single domain because replication is less frequent.)
• Different account policies are needed. Because account policies are applied at the domain level, greatly differing policies might call for separate domains.

Situations that call for the use of OUs include the following:

• Localized or tightly controlled administration is needed.
• Structure of the organization requires the arrangement of network objects into separate containers.
• The structure that you wish to separate is likely to change at some point.

So in general, when the situation calls for a flexible or even fluid structure, OUs are the answer.

Creating Organizational Units

Organizational units are easily created and appear as folders in a domain structure. To create an OU, follow these steps:

1. Launch Active Directory Users and Computers from the Administrative Tools folder.
2. Right-click the domain and choose New and then Organizational Unit from the shortcut menu.
3. In the Organizational Unit dialog box, enter the name for the unit and then click OK.

Moving Organizational Units

One of the most useful aspects of organizational units is that they can be moved from one container or even one domain to another. To move an OU, follow these steps:

1. Launch Active Directory Users and Computers from the Administrative Tools folder.
2. Right-click the OU to be moved and choose Move from the shortcut menu.
3. In the Move dialog box, select the new location for the OU and click OK.

Deleting Organizational Units

Organizational units can also be deleted easily. However, exercise caution when deleting an OU because its contents will also be removed. That means you can inadvertently delete all the resources and user accounts contained in an OU if you act too hastily. Follow these steps to delete an organizational unit:

1. Launch Active Directory Users and Computers from the Administrative Tools folder.
2. Right-click the OU you want to remove and choose Delete from the shortcut menu.
3. Confirm the deletion by clicking Yes twice.