An active directory container can be a site, a domain, or an organizational unit.
Show
Only Default OU (Organizational Units) when Active Directory is InstalledThe Default Domain Controllers OU is just one OU present when Active Directory is first installed. This OU is used to organize and administer the domain’s domain controllers. Over time, the domain administrator can create an infinite number of OUs for the domain, but having too many OUs might make management difficult. What is an OU & Container?
The following objects will be organized mostly using OUs:
Yes, OUs can be used to organize shared folders and printers, however, controlling these items from within an OU isn’t very popular or practical. Domain Controller OUDomain controllers’ computer objects are automatically added to the Domain Controller OU when they are added to the domain. This OU has a set of policies that are applied by default. We recommend that you do not move the domain controllers’ computer objects out of this OU to ensure that these policies are applied equally to all domain controllers. A domain controller’s ability to function properly can be jeopardized if the default policies are not followed. By default, the service administrators control this OU. Do not delegate control of this OU to individuals other than the service administrators. Other Built-in Containers in Active DirectoryA common set of containers and organizational units (OUs) are established during the installation of Active Directory Domain Services in every Active Directory domain (AD DS). The following are some of them:
These default containers and OUs are managed by the forest owner. Jonathan BlackwellView Profile Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think. Published on March 17, 2022 at 05:49 am Last updated on August 24, 2022 at 06:57 am Active Directory loves hierarchy. Domains, Organizational Units (OUs), groups, users, and so forth. Sometimes it can be confusing—how do I best structure my AD? We’ve written a bit about domains (How do I name my domain? What happens if I rename my domain?), but today our focus will be on the difference between OUs and groups. GroupsActive Directory groups are used to assign permissions to company resources. As a best practice, you place users into groups and then apply the groups to an access control list (ACL). It’s quite typical to have your AD groups mirror your company hierarchy (e.g., a group for Finance, Marketing, Legal, etc.). Organizational UnitsOrganizational Units are useful when you want to deploy group policy settings to a subset of users, groups, and computers within your domain. For example, a domain may have 2 sub-organizations (e.g., consumer and enterprise) with 2 separate IT teams managing them. Creating 2 OUs lets each IT team administer their own policies that affect only the users, computers, etc. that fall within their unit. Organizational Units also allow you to delegate admin tasks to users/groups without having to make him/her an administrator of the directory. Here’s an example: let’s assume that you have an organizational unit structure such that the top level OU is named Employees and the child OUs are Departments and HRUsers. Departments also includes child OUs such as SalesUsers, EngineeringUsers, FinanceUsers, and ExecutiveUsers. If you wanted someone from the IT department to have the ability to reset the password for all employees in all departments, you would establish that delegation of administration at the Departments OU level. If, however, you wanted a manager from the HR department to be able to reset the passwords for only the HR users, you would configure the delegation of administration on the HRUsers OU, giving them the ability to reset passwords exclusively for these users. What kind of common administrative tasks can you delegate via OUs?
The Difference Between…This isn’t the only “what’s the difference between” question that comes up over and over. Check out some of the other
ones:
Michael BuckbeeMichael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between. What is an Active Directory container?The Microsoft Windows Active Directory glossary defines an organizational unit as A type of container in an Active Directory domain. It can contain objects like users, computers, contacts, groups, or other OU's or containers. OU's can also have group policies applied.
What is the difference between a container and an Organizational Unit?The most common difference between a Container and an Organizational Unit is that an Organizational Unit can receive Group Policies. You cannot apply Group Policies to Container objects and you cannot deploy them to the builtinDomain folder.
What is an Organizational Unit in Active Directory?Organizational units (OUs) in an Active Directory Domain Services (AD DS) managed domain let you logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific OUs, and apply group policy to enforce targeted configuration settings.
Where are organizational units in Active Directory?Open the Active Directory Users and Computers mmc snap-in (Win + R > dsa. msc) and select the domain container in which you want to create a new OU (we will create a new OU in the root of the domain). Right-click on the domain name and select New > Organizational Unit. Specify the name of the OU to create.
|