Planning and Implementing an OU Structure in Active Directory for Windows Server 2003
- Implementing an Organizational Unit (OU) Structure
- Analyzing the Administrative Requirements for an OU
- Creating an OU
- Planning an OU Structure Based on Delegation Requirements
- Exam Cram Questions
- Answers to Exam Cram Questions
- Need to Know More?
Terms you'll need to understand:
- ✓ Organizational Unit (OU)
- ✓ Delegation of control
- ✓ Group Policy
- ✓ Security group
- ✓ Linked policies
Techniques/concepts you'll need to master:
- ✓ Implementing an OU structure
- ✓ Analyzing administrative requirements for an OU
- ✓ Creating an OU
- ✓ Moving objects within an OU hierarchy
- ✓ Delegating permissions for an OU to a user or to a security group
- ✓ Planning an OU structure based on delegation requirements
- ✓ Analyzing the Group Policy requirements for an OU structure
Implementing an Organizational Unit (OU) Structure
One of the primary advantages of Windows Server 2003 and Active Directory over Windows NT is the capability to control administrative powers more discretely. Under Windows NT, the base unit of administrative power was the domain. There was no way to grant someone administrative power over a subsection of the domain, such as a sales division or geographical office. This limitation meant that either the administrator had to make every required change to user access rights, or administrative power had to be granted to a larger circle of people.
There were some workarounds to this problem, including the use of master domain/resource domain structures, but even these required careful planning and additional infrastructure to function correctly. Particularly annoying was the fact that competing network operating systems did offer the capability to segregate administrative roles to a particular element of the network.
Fortunately, Active Directory introduces the organizational unit, or OU, to the Windows networking environment. An OU is essentially a container within a domain that can hold any Active Directory object. The network administrator can designate control of and access to each OU and the objects it contains. In addition, policies can be assigned to OUs to manage user policies and rights.
Essentially, OUs have two main uses:
- To give subadministrators control over a selection of users, computers, or other objects—These are typically non-domain administrators who have been delegated administrative rights for a specific OU without being granted permissions over the whole domain. Conversely, user accounts and groups with elevated permissions, such as service accounts, can be placed in an OU where the permissions needed to make changes are tighter than those that apply to general user accounts.
- To control desktop systems through the use of Group Policy objects (GPOs) associated with an OU—Although we give an overview of using Group Policy with OUs, this topic is covered in more depth in Chapter 5, "Planning a Group Policy Implementation."
We will look at each of these uses in the following sections.