Organizational Unit – Basics

Organizational Unit

An Organizational Unit (OU) is similar to a folder that subdivides and organizes network resources within a domain.

An OU can contain other OUs or any type of object, such as users, computers, and printers.

OUs can be nested to logically organize network resources.

o Parent OUs are OUs that contain other OUs.

o Child OUs are OUs within other OUs.

OUs are typically organized by the following:

o Physical location, such as a country or city.

o Organizational structure, such as the HR, Sales, and IT departments.

o Object type, such as user accounts or computers.

o Hybrid of location, organizational structure, and object type.

Be aware of the following considerations for managing OUs:

Group Policy

One of the biggest reasons to use OUs is for the application of Group Policy. Create OUs for each group of objects that need to have different Group Policy settings.

    Group Policy objects (GPOs) can be linked to OUs. Policy settings apply to all objects within the OU.

Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs.

Note: A generic container is not an OU and can’t have group policy objects assigned to it. A good practice is to move objects out of generic containers and into an OU. For example, you can move the computers out of the Computers container and into an OU where group policy can be applied.
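The following PowerShell is an added example, not part of the original post. It walks through the OU design and Group Policy points above: creating a hybrid (department plus object type) OU structure, moving computer objects out of the generic Computers container so that policy can reach them, linking a GPO to the OU and then checking what is linked and inherited. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and a domain admin session; the OU names and GPO name are placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# GroupPolicy modules (RSAT) are installed and you are running as a domain admin.
# OU names and the GPO name below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com

# Parent OU by organizational structure, child OU by object type (hybrid design).
# New OUs are protected from accidental deletion by default; state it explicitly anyway.
New-ADOrganizationalUnit -Name 'IT' -Path $domainDN -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Workstations' -Path "OU=IT,$domainDN" -ProtectedFromAccidentalDeletion $true

$targetOU = "OU=Workstations,OU=IT,$domainDN"

# Move computer objects out of the generic Computers container (which cannot have
# a GPO linked to it) into the OU where policy will apply.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $targetOU }

# Create a GPO and link it to the OU. Its settings apply to every object in the OU
# and, through inheritance, to any child OUs created under it later.
$gpo = New-GPO -Name 'IT-Workstation-Baseline' -Comment 'Placeholder baseline policy'
New-GPLink -Name $gpo.DisplayName -Target $targetOU -LinkEnabled Yes

# Verify: show the effective GPO links for the OU (including inherited ones from
# the domain and parent OUs) in processing order.
(Get-GPInheritance -Target $targetOU).InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Target |
    Format-Table -AutoSize
```

The verification step is worth keeping in any OU build script: a GPO that is linked but not reaching a machine is usually explained by the object still sitting in a container, by a blocked-inheritance flag on an intermediate OU, or by a link that was created disabled.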

Preventing accidental deletion

Objects in Active Directory can be accidentally deleted through Active Directory Users and Computers and other management tools. The following types of deletions are most common:

Leaf-node deletion is when a user selects and deletes a leaf object.

Organizational Unit (OU) deletion is when a user selects and deletes an OU that has subordinate objects. Deleting the OU deletes all objects within the OU (including any child OUs and their objects).

To protect objects from accidental deletion:

    In Active Directory Users and Computers or Active Directory Sites and Services, edit the object's properties and do one of the following:

o On the Object tab, select the Protect object from accidental deletion check box. (This option is only visible when Advanced Features is selected from the View menu.)

o On the Security tab, select the Deny Delete All Child Objects advanced permission for Everyone.

    When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured.

To delete an object that is protected, first clear the Protect container from accidental deletion setting, then delete the object.
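As an added example (not from the original post), the PowerShell below does the same work as the check box from the command line: it audits the domain for OUs that are not protected from accidental deletion, turns the protection on, extends it to object types that do not get it by default, and shows the clear-then-delete order required for a protected object. It assumes the ActiveDirectory module; the Servers OU path is a placeholder.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and a domain admin session. $serverOU is a placeholder path.
Import-Module ActiveDirectory

# 1. Audit: OUs created by scripts or migrated from older domains are often
#    unprotected even though the GUI sets the protection by default.
$unprotected = Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion }

"Unprotected OUs: $($unprotected.Count)"
$unprotected | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# 2. Protect them. Behind the scenes this writes Deny ACEs for Everyone
#    (Delete / Delete Subtree on the object), the same effect as the Object tab.
$unprotected | Set-ADObject -ProtectedFromAccidentalDeletion $true

# 3. Other object types (users, groups, computers) are NOT protected by default.
#    Protect, for example, every computer object in the Servers OU.
$serverOU = "OU=Servers,OU=IT,$((Get-ADDomain).DistinguishedName)"
Get-ADComputer -Filter * -SearchBase $serverOU |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# 4. Confirm the protection is in place for that OU's computers.
Get-ADComputer -Filter * -SearchBase $serverOU -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, ProtectedFromAccidentalDeletion |
    Format-Table -AutoSize

# 5. Deleting a protected OU: clear the flag first, then delete. Left commented
#    out on purpose because -Recursive removes the OU and everything inside it.
# $oldOU = "OU=Decommissioned,$((Get-ADDomain).DistinguishedName)"
# Set-ADOrganizationalUnit -Identity $oldOU -ProtectedFromAccidentalDeletion $false
# Remove-ADOrganizationalUnit -Identity $oldOU -Recursive
```

Running step 1 on a schedule and alerting on a non-zero count is a cheap detection for the most common cause of an OU (and every object under it) disappearing: an administrator who cleared the protection, deleted the wrong thing, and did not realize it until logons started failing.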

Delegating authority

Delegating authority is the assignment of administrative tasks, such as resetting passwords or creating new users, to appropriate users and groups. You should be aware of the following facts about delegating control:

    You can delegate control of any part of an OU or object at any level with the Delegation of Control Wizard or through the Authorization Manager console.

    An object-based design allows you to delegate control based on the types of objects in each OU. For example, you can delegate control over specific object types (such as user objects).

    A task-based design allows you to delegate control based on the types of administrative tasks that need to be done. Some examples of administrative tasks are:

o User account management, such as creation and deletion.

o Password management, such as resetting and forcing password changes.

o Group membership and permissions management.
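The PowerShell below is an added example, not part of the original post. It shows a task-based delegation done without the wizard: granting a help-desk group only the Reset Password extended right, only on user objects under one OU, and then listing the OU's explicit (non-inherited) ACEs so delegations can be reviewed against least privilege. It assumes the ActiveDirectory module and that the group and OU named exist; those names are placeholders. The two GUIDs are the well-known schema identifiers for the user object class and the Reset Password control access right, which is what the Delegation of Control Wizard writes for the same task.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module; the group name and OU path are placeholders.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$targetOU    = "OU=Sales,$domainDN"
$helpdesk    = Get-ADGroup 'Helpdesk-PasswordReset'
$helpdeskSid = [System.Security.Principal.SecurityIdentifier]$helpdesk.SID

# Well-known schema GUIDs (the same ones the Delegation of Control Wizard uses).
$userClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # "user" object class
$resetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right

$acl = Get-Acl -Path "AD:\$targetOU"

# Task-based delegation: allow ONLY the Reset Password right, only on user
# objects, inherited by all descendants of the OU (not on the OU itself).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdeskSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# Review: every explicitly delegated (non-inherited) ACE on the OU. Anything
# broader than the task it was created for (GenericAll, WriteDacl, WriteOwner,
# or an unscoped ObjectType) should be questioned.
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Scoping the rule by both the extended-right GUID and the user class GUID is what makes this a task-based delegation rather than an object-based one: the help desk can reset passwords for users under Sales and nothing else, and the same review query will show that scope plainly when the delegation is audited later.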

