• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Active Directory Articles
• Understanding Active Directory
• Active Directory Management Tools
• Active Directory Objects
• Active Directory replication
• Active Directory Security
• Active Directory Security Principal Accounts
• Active Directory Terminology and Concepts
• Backing Up and Restoring Active Directory
• Configuring and Troubleshooting Active Directory Replication
• Managing Active Directory Performance
• Publishing Resources in Active Directory
• Troubleshooting Active Directory availability
• What is New in Windows Server 2003 Active Directory
• Deploying Software through Group Policy
• Group Policy Terminology and Concepts
• Implementing and Managing Group Policy Objects
• Implementing Folder Redirection using Group Policy
• Planning a Group Policy
• Troubleshooting Group Policy
• Creating and Managing Domain Controllers
• Creating and Managing Forests and Domains
• Forest and Domain Functional Levels
• The Global Catalog Server
• Managing Recipient Objects Address List and Distribution and Administrative Groups
• Operations Master Roles
• Understanding Forests and Domains
• Understanding Group Types and Scopes
• Understanding Organizational Units
• Understanding Trust Relationship
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

Understanding Organizational Units

An Overview of Organizational Units (OUs)

An organizational unit (OU) is a container that is used to logically organize and group Active Directory objects within domains. OUs are not part of the DNS namespace. They are used to organize Active Directory objects into logical administrative groups. OUs therefore serve as containers in which you can create and manage Active Directory objects. OUs are considered the smallest unit to which an Administrator can assign permissions to resources within Active Directory.

An OU enables you to apply security policies, deploy applications, delegate administrative control for Active Directory objects, and to run scripts. An important thing to understand is that OUs are not security principals. The user accounts, group accounts, and computer accounts within the OUs are security principals.

The Active Directory object types that can be located in OUs are listed below:

• User, group, and computer objects; shared folders, printers, applications, and other OUs from the same domain.

User objects are the main security principals used in Active Directory. A user object consists of the user name, password, group membership details, and other information that define the user. A group object prevents Administrators from setting individual user permissions. A set of users can be grouped, and then assigned the appropriate permission to Active Directory objects. A computer object contains information on a computer that is a member of the domain. Because OUs can contain other OUs, an Administrator can hierarchically group resources and other Active Directory objects to reflect the structure of the organization. The process of adding OUs to other OUs in a hierarchical manner is referred to as nesting OUs.

A few benefits of OUs are summarized below:

• OUs can be nested to support different levels of hierarchy
• Each domain in the Active Directory environment can have its own OU structure. The OU structure of one domain is independent of another domain's OU structure.
• It is fairly simple to change an OU structure. OU structures are much more flexible than domain structures.
• OU configuration settings can be inherited by objects in child OUs.
• Group Policy settings can also be applied to OUs
• You can delegate administrative control of Active Directory objects through OUs

OUs are typically used to delegate administrative control for Active Directory objects, to hide Active Directory objects and to administer Group Policy. When you delegate administrative control over an OU, you enable other users or groups to administer the OU. The actual delegation of administrative control is usually performed by higher-level Administrators. Delegation of control over OUs enables you to transfer management tasks to various users within the organization.

The administrative tasks that are usually delegated are listed below:

• Create, delete and manage user accounts
• Create, delete and manage groups
• Reset passwords on user accounts
• Read all user information
• Modify the membership of a group
• Manage Group Policy links

Administrators that are responsible for domain management activities have full control over all Active Directory objects within the domain. This is the default configuration setting. These Administrators therefore create domain controllers, domains, and also create the OU for the domain. If there is units within the organization that need to manage and define their own OU structure, you can delegate the Full Control permission for an OU to these individuals. This would enable those individuals to perform all the previously mentioned management activities for the particular OU. In other instances, you might need to only delegate control for specific object classes for an OU.

As mentioned before, OU can also be used to hide sensitive domain objects from particular users. This is done by creating an OU for those domain objects that you want to hide or do not want all users to view, and then assigning only those users that should be allowed to view these objects the necessary permissions. After the appropriate permissions are configured for the OU, all you have to do is move the sensitive Active Directory objects to the OU.

Group policies can be defined as a collection of permissions which you can apply to Active Directory objects. Group policy settings can be linked to sites, domains, and OUs; and can apply to user accounts, computer accounts, and group accounts. Group policy settings are applied to OUs in the form of Group Policy Objects (GPOs). The GPO contains the Group policy settings that can be applied to users and computers in an OU.

Group policy is applied in the following order:

• Local computer policy
• Site policy
• Domain policy
• OU policy, commencing with the parent OU

Active Directory does however include a No Override setting and a Block Inheritance setting that you can use to control how policies are applied. The No Override setting can be enabled to stop a policy setting of a child OU from overwriting the parent OU policy setting. The Block Inheritance setting can be enabled to prevent a child OU, and any objects that it contains, from inheriting group policy settings from its parent OU.

Planning an OU Structure

When planning an OU structure, you would need to identify and define the following:

• The manner in which the enterprise is managed
• The OU structure for each domain
• The OUs that need to be created
• The manner in which group policy needs to be applied.
• The OUs for which you are going to delegate administrative control, and the users that you going to delegate control to.
• The sensitive Active Directory objects that you want to hide from users.

The following strategy is generally recommended for an OU structure: You should create an OU with the end result being that the Active Directory objects within the OU are administrated by one group. This enables you to grant the particular group the identical rights to all Active Directory objects in the particular OU, and to the OU itself. You should generally avoid an OU structure that results in the same group needing to manage objects over many different OUs. This would mean that the appropriate rights would need to be individually granted in each OU.

It is also good practice to assign an owner to each OU. The owner of the OU would be responsible for performing the following management tasks:

• Create, delete, and manage child OUs
• Apply group policy
• Delegate administrative control over objects in the OU

You should also separate service admin objects from the remainder of domain objects. Hiding service admin objects prevents all domain users from viewing its properties and attributes, and it also enables you to effectively apply group policy so that only service admin users are able to perform certain administrative tasks.

Creating and Managing OUs

The Active Directory Users and Computers console in the Administrative Tools Menu is used to create OUs. When you create an OU, you would basically first be adding it to a particular domain, and then you would be adding Active Directory objects to it, delegating administrative control for the OU, or applying a GPO.

The Properties dialog box of an OU has a few tabs that are used to manage the properties of the particular OU:

• General tab: You can specify a description, street address, city, state or province, ZIP code or postal code, and country or region information for the OU on this tab.
• Managed By tab: This is the tab used to administer the settings of the owner of the OU. You can enter the following information for the owner of the OU: name, office location, street address, city, state or province, country or region, telephone number, fax number. The tab also contains the following buttons:
• Change: You would click the Change button if you want to set the user account that will be responsible for managing the OU.
• View: If you want to view or change the properties of the user account currently managing the OU, click the View button.
• Remove: If you want to remove a user account, click the Remove button.
• Group Policy tab: This tab contains the following buttons:
• New: If you want to create a new GPO for the OU, click this button.
• Edit: If you want to change the existing settings of the GPO, click the Edit button. The settings that can be specified for a GPO are categorized into Computer Configuration settings and User Configuration settings. Each of these is separated into the following categories: Software, Windows, Administrative Templates.
• Add: If you want to link a GPO to the OU, you would click this button to create the new GPO link.
• Options: If you want to disable the GPO, or ensure that the GPO of the parent OU is not overridden by the GPO of a child OU, click this button. The options available are the Disable option, and the No Override option.
• Delete: If you want to delete a GPO, click this button.
• Properties: If you want to manage the properties of the GPO, click this button. The properties dialog box of the GPO has a General tab, Links tab, and Security tab. The General tab has a Summary pane, and a Disable pane. You can view information such as the GPO name, and create and last modified date in the Summary pane. You can disable Computer Configuration settings and User Configuration settings in the Disable pane. The Link tab lists each site, domain and OU to which the particular GPO is applied. The Security tab is where you set permissions for the GPO: Full Control, Read, Write, Create Child Objects, Delete Child Objects, Apply Group Policy.

How to create an OU

1. Open the Active Directory Users and Computers console
2. In the console tree, locate and right-click the appropriate domain, click New, and then click Organizational Unit from the shortcut menu.
3. In the New Organizational Unit dialog box, enter a unique name for the OU in the Name box.
4. Click OK.
5. Proceed to right-click the new OU, and select Properties from the shortcut menu.
6. When the Properties dialog box of the OU opens, enter a description for the OU on the General tab.
7. Click the Managed by tab to specify an owner for the OU.
8. Click the Change button and choose the desired user account from the Users and Groups list box
9. Click the Group Policy tab.
10. Click the New button to create a new GPO for the OU.
11. Enter a name for the GPO
12. Proceed to configure all appropriate GPO settings for the OU using the remainder of the available buttons on the tab.

How to create an OU structure to hide sensitive Active Directory objects

1. Open the Active Directory Users and Computers console
2. In the console tree, locate and right-click the appropriate domain, and click New, and then Organizational Unit from the shortcut menu.
3. In the New Organizational Unit dialog box, enter a unique name for the OU in the Name box.
4. Click OK.
5. Proceed to right-click the new OU, and select Properties from the shortcut menu.
6. When the Properties dialog box for the OU opens, click the Security tab
7. Proceed to remove any existing permissions for the OU.
8. Click the Advanced button.
9. When the Advanced Security Settings dialog box for the OU opens, uncheck the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects checkbox. Click OK.
10. In the Security tab, select and grant the appropriate group the Full Control permission. Grant the Read permission to those groups that should be able to read the contents of the OU.
11. Click OK
12. You can now move the sensitive Active Directory objects to this particular OU.

How to delete an OU

1. Open the Active Directory Users and Computers console
2. In the console tree, locate and expand the domain, and then right-click the OU that you want to delete and click Delete from the shortcut menu.
3. Click Yes in the message box to verify that you want to delete this particular OU.
4. Click Yes if another message box is displayed, prompting you to verify that all objects located in the OU should be deleted.

How to change the properties of an OU

1. Open the Active Directory Users and Computers console
2. In the console tree, locate and expand the domain, and then right-click the OU that you want to configure properties for, and click Properties from the shortcut menu.
3. Proceed to change the properties of the OU on the General tab, Managed By tab, and Group Policy tab.
4. You can also change the GPO that is linked to the OU or the settings of the existing GPO from the Group Policy tab.

How to rename an OU

1. Open the Active Directory Users and Computers console
2. In the console tree, locate and expand the domain, and then right-click the OU that you want to rename and click Rename from the shortcut menu.
3. Enter the new name for the OU

How to move an OU to a new location

1. Open the Active Directory Users and Computers console
2. In the console tree, locate and expand the domain that contains the OU that you want to move to a different location.
3. Click the OU and proceed to drag the OU to its new location.
4. Drop the OU in the new location.

How to move Active Directory objects between OUs using drag and drop

1. Open the Active Directory Users and Computers console
2. In the console tree, locate and expand the domain that contains the OU which holds the object that you want to move to a different OU.
3. Expand the OU
4. Click the object that you want to move and proceed to drag the object to the other OU.
5. Drop the object in the new OU location.

How to move Active Directory objects between OUs using ADUC Move Option

1. Open the Active Directory Users and Computers console
2. In the console tree, locate and expand the domain that contains the OU which holds the object that you want to move to a different OU.
3. Expand the OU, right-click the object and then click Move on the shortcut menu.
4. When the Move dialog box opens, choose the new OU location for the object.
5. Click OK.

How to move Active Directory objects between OUs using the Dsmove command-line tool

You can use the Dsmove command-line tool to move Active Directory objects between OUs, and to rename an Active Directory object.

To use the Dsmove command-line tool to move Active Directory objects from one OU location to a different OU location,

1. Click Start, and click Command Prompt.
2. Enter dsmove with the proper parameters, at the command prompt.

The command's syntax is:

dsmove ObjectDN [-newname NewName] [-newparent ParentDN] [{-s Server | -d Domain}] [-u UserName] [-p {Password|*}] [-q] {-uc | -uco | -uci}

• ObjectDN, the name of the Active Directory object which you want to move to a different OU.
• -newname NewName, to rename the Active Directory object
• -newparent ParentDN, for setting the new location to which you want to move the Active Directory object.
• {-s Server | -d Domain}, for connecting to a remote server, or domain.
• -u UserName, the user name that the user utilizes to access the remote server
• [-p {Password|*}, the password of the above specified user name.
• -q, for setting output to quiet mode
• -uc, uco, -uci, for setting the unicode format

How to delegate administrative control of an OU

1. Open the Active Directory Users and Computers console
2. In the console tree, locate and right-click the OU and choose Delegate Control from the shortcut menu.
3. The Delegation Of Control Wizard launches
4. Click Next on the Welcome To The Delegation Of Control Wizard page.
5. Click Add on the Users Or Groups page.
6. When the Select Users, Computers, Or Groups dialog box opens, in the Enter The Object Names To Select list box, enter the user/group to which you want to delegate control. Click OK. Click Next
7. When the Tasks To Delegate page opens, do one of the following
• Select the Delegate The Following Common Tasks option, and then choose the tasks that you want to delegate. Click Next. The Completing The Delegation Of Control Wizard page would be displayed. The tasks typically delegated are listed below:
• Create, Delete, and Manage user accounts
• Reset Passwords on User Accounts
• Read All User Information
• Create, Delete, and Manage Groups
• Modify the Membership of a Group
• Manage Group Policy Links
• Select the Create A Custom Task To Delegate option and click Next.
8. When the Active Directory Object Type page opens, perform one of the actions listed below:
• Select the This Folder, Existing Objects In This Folder, And Creation Of New Objects In This Folder option if you want to delegate administrative control for the OU, including all current objects in the OU, and if you want to delegate administrative control for all new objects that will be created in the OU.
• Select the Only The Following Objects In The Folder option if you want to delegate control for only certain objects in the OU. Proceed to choose these objects.
9. You can limit the user/group to creating the selected objects in the OU by enabling the Create Selected Objects In This Folder checkbox.
10. You can also limit the user/group to deleting the selected objects in the OU by enabling the Delete Selected Objects In This Folder checkbox. Click Next
11. When the Permissions page opens, enable one of the following checkboxes to display information in the Permissions: box:
• General, to list general permissions in the Permissions: box
• Property-Specific, to list property specific permissions in the Permissions: box
• Creation/Deletion Of Specific Child Objects, to list all permission that apply to the object in the Permissions: box
12. After you have populated the Permissions: box, set the permissions for the user/group for the OU in the Permissions: box. Click Next
13. Verify that you have selected the correct settings on the Completing The Delegation Of Control Wizard page.
14. Click Finish.

Troubleshooting an OU Structure

The common problems that occur with OU structures are noted below:

• When users that should not be allowed to perform administrative tasks on OUs, are able to perform administrative tasks, verify that you have delegated administrative control for the OU to the correct user or group. You should verify the user or group specified for administrative control for each OU within the domain.
• If an OU contains objects that have a set of permissions applied when none was defined for the particular OU, verify that the OU is not inheriting permission settings from a parent OU. The default configuration is that a child OU and any objects that the child OU contains, automatically inherits Group policy and other permission settings from its associated parent OU.

Bookmark Understanding Organizational Units

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum