Section 11.4. Planning and Implementing Organizational Unit Structure


The logical structure of Active Directory determines how accounts and resources are organized. In addition to forests and domains, Active Directory provides organizational units (OUs) as a way of logically organizing accounts and resources. You can think of organizational units as logical administrative units that are used to group accounts and resources together within domains.

11.4.1. Understanding Organizational Units

Within a domain, organizational units are used to:

  • Delegate administrator privileges while limiting administrative access

  • Create hierarchies that mirror business structure or functions

  • Manage groups of objects as a single unit through Group Policy

Organizational units are used to contain objects within a domain and do not contain objects from other domains. Because a single domain can have many organizational units, and those organizational units can be organized into a hierarchy, you can use organizational units instead of domains to represent the structure of the organization or its business functions.

The ability to delegate administration is the primary reason for creating organizational units. To delegate administration for all objects stored in an organizational unit, grant administrators the necessary permissions on the organizational unit's access control list. In this way, you can give administrators limited or full control over only a part of a domain.

Within the Active Directory database, organizational units are represented as container objects that are part of a designated domain. For directory searches, organizational units are referenced with the OU= identifier in their relative distinguished name, such as OU=Engineering for an organizational unit named Engineering. The distinguished name of an organizational unit includes the full path to its parent as well as its relative name. For example, the Engineering OU in the domain.local domain has a DN of OU=Engineering,DC=domain,DC=local.

Organizational units are not a part of DNS structure. This means users don't have to reference organizational units when they log on or when they access resources. This makes organizational unit hierarchies much easier to work with than domain hierarchies. Additionally, while it is easy to change the names and structure of OUs, it is not easy to change the names of domains.

Most OU hierarchies are organized by:


Division or business unit within the company

Use organizational units to reflect the department structure within the organization. This structure is easy to understand and one most administrators will know. However, if the company restructures, you need to change the organizational unit structure.


Geographic or business location

Use organizational units to reflect the actual physical location of units within the company. This structure makes it easy to determine where accounts and resources are physically located. However, this structure doesn't reflect the business structure of the organization.


Areas of administrative control

Use organizational units to reflect the way resources and accounts are managed. This model can also reflect the company's business structure, its business locations, or both. However, the focus is on administrative control of accounts and resources, with enterprise administrators having full administrative control over the top-level OUs.

11.4.2. Analyzing the Administrative Requirements for an OU

Organizational units allow you to delegate administrative rights over a portion of a domain. You can delegate administrative rights in two key ways:

  • Assign a user full administrative control

  • Assign a user a specific set of administrative permissions

The permissions assigned depend on the way you configure delegation. When you delegate full administrative control over a particular OU, a local administrator is able to manage all accounts and resources in the OU. If you decide not to give an administrator full administrative control, you can grant permissions to:

  • Create, delete, and manage accounts

  • Reset user passwords and force a password change at next logon

  • Read user account information

  • Create, delete, and manage groups

  • Modify the membership of a group

  • Manage Group Policy links

  • Generate Resultant Set of Policy

You should plan your organizational unit structure with delegation in mind. For example, you might want Help Desk technicians to have permission to reset user passwords in an OU. Or you might want a manager to be able to read user account information in an OU. If you have branch offices, you might want to create OUs for each branch office and grant local administrators full administrative control over their OU.
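The Help Desk scenario above, carried out as an added example in PowerShell (this is not code from the book). It grants a group the "Reset Password" control access right and write access to pwdLastSet (the attribute behind "user must change password at next logon") on user objects under one OU, then lists the explicit ACEs on that OU so the delegation can be reviewed. It assumes the ActiveDirectory module (RSAT) and its AD: drive are available, and that a group named HelpDesk and an OU OU=Engineering,DC=domain,DC=local exist; both names are hypothetical. GUIDs are looked up from the schema and the Extended-Rights container rather than hard-coded.

```powershell
# Added example (not from the book): delegate password resets on one OU and audit the result.
# Assumes RSAT's ActiveDirectory module; "HelpDesk" and the OU path are hypothetical.
Import-Module ActiveDirectory

$ouDn  = 'OU=Engineering,DC=domain,DC=local'   # hypothetical target OU
$group = Get-ADGroup -Identity 'HelpDesk'      # hypothetical delegate group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Resolve the GUIDs from the directory instead of hard-coding them.
$rootDse        = Get-ADRootDSE
$schemaNc       = $rootDse.SchemaNamingContext
$extRightsDn    = "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)"
$userClassGuid  = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$pwdLastSetGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=pwdLastSet)' -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid   = [guid](Get-ADObject -SearchBase $extRightsDn -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$acl     = Get-Acl -Path "AD:\$ouDn"
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Right 1: the "Reset Password" control access right, scoped to user objects under the OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
    $resetPwdGuid, $inherit, $userClassGuid))

# Right 2: write pwdLastSet, which is what "must change password at next logon" sets.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow,
    $pwdLastSetGuid, $inherit, $userClassGuid))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Audit: list every explicit (non-inherited) ACE on the OU so delegation stays reviewable.
function Get-OuDelegation {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritedObjectType, InheritanceType
}
Get-OuDelegation -DistinguishedName $ouDn | Format-Table -AutoSize
```

Scoping both ACEs to the user object class keeps the Help Desk group from resetting passwords on computer or service accounts that happen to live in the same OU, and Get-OuDelegation is the check to run periodically, since ACEs granted this way are what an over-delegated OU looks like in practice.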

11.4.3. Analyzing the Group Policy Requirements for an OU Structure

Every site, domain, and OU has an associated Group Policy Object (GPO). Using Group Policy, you can specify a set of rules for computer and user configuration and security settings within that site, domain, or organizational unit. Manage policy settings using either the Group Policy Object Editor or the Group Policy Management console. You can use Group Policy to:

  • Define default options for configuration and security settings

  • Limit options for changing configuration and security settings

  • Prevent changing certain configuration and security settings

You should plan your OU structure with Group Policy in mind. Do this by grouping objects together that require the same policy settings. For example, if a group of users and computers require the same stringent security settings, you can create an OU for these users and computers, and then configure the required security settings through Group Policy.
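The stringent-settings scenario above, carried out as an added example in PowerShell (not code from the book). It creates a GPO, puts one registry-based security setting in it, links it to the OU that holds the affected computers, and then shows the full inheritance chain that applies at that OU. It assumes the GroupPolicy and ActiveDirectory modules (RSAT) and rights to create and link GPOs; the OU path and GPO name are hypothetical.

```powershell
# Added example (not from the book): create, populate and link a GPO, then show inheritance.
# Assumes RSAT's GroupPolicy and ActiveDirectory modules; names below are hypothetical.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ouDn    = 'OU=Secure Workstations,DC=domain,DC=local'   # hypothetical OU of hardened machines
$gpoName = 'Secure Workstations Baseline'                 # hypothetical GPO name

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Stringent settings for the Secure Workstations OU'
}

# One registry-based policy as the payload: fDenyTSConnections=1 is the registry form of the
# "Allow users to connect remotely by using Remote Desktop Services" policy set to Disabled.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'fDenyTSConnections' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU (once); every computer in or under this OU then receives it.
$alreadyLinked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# Everything that applies at this OU: site, domain and parent-OU links plus this one.
# The lowest Order number has the highest precedence and wins when settings conflict.
function Get-EffectiveGpoLinks {
    param([string]$Target)
    (Get-GPInheritance -Target $Target).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced, Target
}
Get-EffectiveGpoLinks -Target $ouDn | Format-Table -AutoSize
```

Get-EffectiveGpoLinks is the part worth keeping: before you rely on an OU's GPO for a security setting, confirm nothing linked higher up (and marked Enforced) overrides it, and that the OU's inheritance is not blocked.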

11.4.4. Creating an OU

Each domain has its own OU hierarchy. If your company uses multiple domains, you can create separate OU structures within each domain. To create an OU, you must be a member of the Administrators group in the domain.

You can create an organizational unit by following these steps:

  1. Start Active Directory Users And Computers from the Administrative Tools menu.


    Tip: By default, you are connected to your logon domain. To connect to another domain, right-click the Active Directory Users And Computers node, and then select Connect To Domain. In the Connect To Domain dialog box, type the fully qualified domain name of the domain in which you want to create the OU, and then click OK.

  2. Right-click the location where you want to create the OU, which can be either a domain node or an OU node, point to New, and then click Organizational Unit.

  3. In the New Object - Organizational Unit dialog box, type a new name for the organizational unit as shown in Figure 11-13, and then click OK.

    Figure 11-13. Creating an organizational unit.
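The same task done from PowerShell, as an added example that is not code from the book: it builds a division-based OU hierarchy of the kind described earlier in this section, protects each OU from accidental deletion, and then lists the resulting distinguished names to show the OU=child,OU=parent,DC=... form. It assumes the ActiveDirectory module (RSAT) and rights to create OUs; the division names and the domain.local domain are hypothetical.

```powershell
# Added example (not from the book): build a division-based OU hierarchy and verify the DNs.
# Assumes RSAT's ActiveDirectory module; the division names are hypothetical.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName      # e.g. DC=domain,DC=local

# One top-level OU per division, with child OUs that separate object types so that
# delegation and Group Policy can be scoped to users or to machines independently.
$hierarchy = [ordered]@{
    'Engineering' = @('Users', 'Workstations', 'Servers')
    'Sales'       = @('Users', 'Workstations')
}

function New-OuIfMissing {
    param([string]$Name, [string]$ParentDn)
    # Search one level below the parent: a missing OU returns nothing instead of throwing.
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $existing) {
        # Protection blocks deletion (and moving) of the OU until the flag is explicitly cleared.
        $existing = New-ADOrganizationalUnit -Name $Name -Path $ParentDn `
            -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $existing.DistinguishedName
}

foreach ($division in $hierarchy.Keys) {
    $divisionDn = New-OuIfMissing -Name $division -ParentDn $domainDn
    foreach ($child in $hierarchy[$division]) {
        $null = New-OuIfMissing -Name $child -ParentDn $divisionDn
    }
}

# Verify: each DN is the OU's relative name followed by the full path to its parent,
# e.g. OU=Users,OU=Engineering,DC=domain,DC=local
Get-ADOrganizationalUnit -SearchBase $domainDn -SearchScope Subtree -Filter * `
        -Properties ProtectedFromAccidentalDeletion |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion |
    Sort-Object DistinguishedName |
    Format-Table -AutoSize
```

Because the script only creates what is missing, it can be re-run after a restructuring to add new divisions without touching existing OUs or the ACLs and GPO links already on them.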

11.4.5. Moving Objects Within an OU Hierarchy

Once you create organizational units, you can add objects, such as user or computer accounts, into the organizational unit. To create a new object in an OU, follow these steps:

  1. Start Active Directory Users And Computers from the Administrative Tools menu.

  2. Right-click the organizational unit, point to New, and then select the type of object to create, such as Computer or User.

  3. Provide the necessary information or follow the prompts to create the object.

You can move existing objects from one organizational unit or container to another by completing the following steps:

  1. Start Active Directory Users And Computers from the Administrative Tools menu.

  2. Select the object in its existing container by clicking and holding the left mouse button.

  3. Drag the object to the desired destination organizational unit.

  4. When you release the mouse button, the object is moved to the desired organizational unit.

In Active Directory Users And Computers, you can also move an object by right-clicking it and selecting Move. In the Move dialog box, select the OU or container to which you want to move the object. To move multiple objects in this way, use Ctrl+click or Shift+click to select the objects to move before right-clicking.

When you move an object from one OU to another, the settings assigned directly to the object remain the same. The object inherits the policy settings from the GPO of the new OU and from any higher-level GPOs that apply. The policy settings from the GPO of the previous OU no longer apply, unless you move the object from a top-level OU into one of that OU's child OUs, in which case the top-level OU's settings still apply through inheritance.


Tip: In Active Directory Users And Computers, you can only move objects within a domain. You cannot move objects between domains. To move objects between domains, you must use the Movetree.exe utility included in the Windows Support Tools.
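The move described above, done with Move-ADObject as an added example (not code from the book). It records a user account's own attributes and group memberships, moves it to another OU in the same domain, and then confirms what changed (the distinguished name and the GPO chain above the object) and what did not (the attributes set directly on the object). It assumes the ActiveDirectory and GroupPolicy modules (RSAT); the account name jdoe and the destination OU path are hypothetical.

```powershell
# Added example (not from the book): move a user between OUs and verify the effect.
# Assumes RSAT's ActiveDirectory and GroupPolicy modules; jdoe and the OU path are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$sam      = 'jdoe'                                          # hypothetical account
$targetOu = 'OU=Users,OU=Engineering,DC=domain,DC=local'    # hypothetical destination, same domain

# Parent of a DN is everything after the first unescaped comma (handles "CN=Doe\, Jane").
function Get-ParentDn {
    param([string]$Dn)
    return ($Dn -replace '^(?:[^,\\]|\\.)+,', '')
}

$before = Get-ADUser -Identity $sam -Properties description, memberOf, ProtectedFromAccidentalDeletion
if ($before.ProtectedFromAccidentalDeletion) {
    # The protection flag blocks moves as well as deletes; clear it deliberately, not here.
    throw "$sam is protected from accidental deletion; clear the flag before moving it."
}

Move-ADObject -Identity $before.DistinguishedName -TargetPath $targetOu
$after = Get-ADUser -Identity $sam -Properties description, memberOf

$groupsBefore = (@($before.memberOf) | Sort-Object) -join ';'
$groupsAfter  = (@($after.memberOf)  | Sort-Object) -join ';'

# Attributes and group memberships live on the object and survive the move; only the DN changes.
[pscustomobject]@{
    OldParent       = Get-ParentDn $before.DistinguishedName
    NewParent       = Get-ParentDn $after.DistinguishedName
    DescriptionKept = ($before.description -eq $after.description)
    GroupsKept      = ($groupsBefore -eq $groupsAfter)
}

# The account is now governed by the delegations and GPO links of its new OU and the
# containers above it; the old OU's links no longer apply unless the new OU sits beneath it.
(Get-GPInheritance -Target (Get-ParentDn $after.DistinguishedName)).InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Target |
    Format-Table -AutoSize
```

The last query is the check to make before moving accounts in bulk: a move silently changes who administers the object and which policies reach it, so confirm that the destination OU's delegations and GPO chain are the ones you intend, and update any scripts or saved queries that identify the object by its old distinguished name.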



MCSE Core Required Exams in a Nutshell: The required 70: 290, 291, 293 and 294 Exams (In a Nutshell (O'Reilly))
ISBN: 0596102283
Year: 2006
Pages: 95