An object is a set of attributes that represents a network resource, such as a user, a computer, or a group policy. Object attributes are the characteristics of that object stored in the directory. For example, the attributes of a user object might include the user's first name, last name, department, and e-mail address, among others.
Organizational units (OUs) act as containers for objects. Objects can be arranged according to an organization's security and administrative requirements, and once arranged into organizational units they are easy to manage and locate. An administrator can delegate the authority to manage individual organizational units, and organizational units can be nested inside other organizational units. Create an OU if you want to:
- Create a company's structure and organization within a domain – Without OUs, all users are maintained and displayed in a single list, the Users container, regardless of a user's department, location, or role.
- Delegate administrative control – Grant administrative permissions to users or groups of users at the OU level.
- Accommodate potential changes in a company's organizational structure – Users can easily be reorganized between OUs, while reorganizing users between domains generally requires more time and effort.
- Group objects with similar network resources – This makes administrative tasks easier to perform. For example, all user accounts for temporary employees can be grouped in an OU.
- Restrict visibility – Users can view only the objects for which they have access.
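The nesting, grouping and delegation points above, shown as an added PowerShell example (not part of the original page) using the ActiveDirectory module and `dsacls`. The domain `example.com`, the OU names, the `EXAMPLE\Temp-Helpdesk` group and the use of `employeeType` to mark temporary staff are all assumptions made for illustration.

```powershell
# Added example; every name below (domain, OUs, group) is a constructed placeholder.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=com'                      # assumed domain
$staffOu  = "OU=Staff,$domainDn"
$tempOu   = "OU=Temporary Employees,$staffOu"
$helpdesk = 'EXAMPLE\Temp-Helpdesk'                  # assumed existing security group

# 1. Company structure: a parent OU with a nested child OU.
New-ADOrganizationalUnit -Name 'Staff' -Path $domainDn `
    -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name 'Temporary Employees' -Path $staffOu `
    -ProtectedFromAccidentalDeletion $true

# 2. Group similar objects: move temporary accounts out of the default
#    Users container. Assumes they are marked employeeType = 'Temporary'.
Get-ADUser -Filter "employeeType -eq 'Temporary'" -SearchBase "CN=Users,$domainDn" |
    Move-ADObject -TargetPath $tempOu

# 3. Delegate at the OU level with least privilege: the helpdesk group gets
#    only the "Reset Password" control access right, and only on user
#    objects below this OU (/I:S = inherit to sub-objects only).
dsacls $tempOu /I:S /G "${helpdesk}:CA;Reset Password;user"

# 4. Review what was delegated. Run this periodically: unexpected or overly
#    broad entries (GenericAll, WriteDacl) on an OU deserve investigation.
(Get-Acl -Path "AD:\$tempOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $helpdesk } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, IsInherited
```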