Designing the Active Directory Structure
An Organizational Unit (OU) is the container you use to create structure within a domain. The following characteristics of OUs are important to consider when creating structure in a domain.
OUs can be nested. An OU can contain child OUs, enabling you to create a hierarchical tree structure inside a domain.
OUs can be used to delegate administration and control access to directory objects. When you use a combination of OU nesting and access control lists, you can delegate the administration of objects in the directory in a very granular manner. For example, you could grant a group of Help desk technicians the right to reset passwords for a specific set of users, but not the right to create users or modify any other attribute of a user object.
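The Help desk case above, as an added example that is not part of the original guide (it uses the ActiveDirectory PowerShell module rather than the Windows 2000 Delegation of Control wizard). The domain corp.example.com, the OU "Sales Users" and the group HelpDesk-Tier1 are assumed to exist. The ACE grants only the "Reset Password" control access right, scoped to objects of class user beneath the OU, so the group gains neither Create Child nor Write Property on anything else:

```powershell
# Added example, not from the original guide. Assumes the ActiveDirectory module,
# a domain corp.example.com, an OU "Sales Users" and a group "HelpDesk-Tier1".
Import-Module ActiveDirectory

$ouDn     = 'OU=Sales Users,DC=corp,DC=example,DC=com'
$groupSid = (Get-ADGroup -Identity 'HelpDesk-Tier1').SID

# Well-known Active Directory schema GUIDs (documented by Microsoft)
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right "Reset Password"
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schema class "user"

$acl = Get-Acl -Path "AD:\$ouDn"

# Allow HelpDesk-Tier1 the Reset Password extended right on user objects in this OU
# and its child OUs (Descendents), and nothing else: no Create Child, no Write Property.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: the group should now hold exactly one ExtendedRight entry on the OU whose
# ObjectType is the Reset Password GUID and whose InheritedObjectType is the user class.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like '*HelpDesk-Tier1' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Two things to verify after applying a delegation like this. First, the right is inherited by every user object that is, or is later moved, under the OU, so the OU must not hold accounts the Help desk should never touch (domain administrators, service accounts); keep those in a separate OU tree. Second, re-run the Get-Acl check periodically: a second ACE granting GenericAll or Write Property to the same group quietly turns "reset passwords" into "take over any account in the OU".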
OUs are not security principals. You cannot make OUs members of security groups, nor can you grant users permission to a resource because they reside in a particular OU. Because OUs are used for delegation of administration, the parent OU of a user object indicates who manages the user object, but it does not indicate the resources a user can access.
Group Policy can be associated with an OU. Group Policy enables you to define desktop configurations for users and computers. You can associate Group Policy with sites, domains, and OUs. Defining Group Policy on an OU basis allows you to use different policies within the same domain. For more information about Group Policy, see "Applying Change and Configuration Management" and "Defining Client Administration and Configuration Standards" in this book.
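Linking different policies to two OUs in one domain, as an added example that is not part of the original guide (it uses the GroupPolicy PowerShell module). The domain corp.example.com, the OUs "Sales Users" and "Finance Users" and the GPO names are assumed. The last step is the check a practitioner wants: the effective inheritance on each OU, including whether someone has set Block Inheritance, which would silently drop the domain-wide baseline unless that baseline link is Enforced:

```powershell
# Added example, not from the original guide. Assumes the GroupPolicy module and
# a domain corp.example.com with OUs "Sales Users" and "Finance Users".
Import-Module GroupPolicy

$domain   = 'corp.example.com'
$salesOu  = 'OU=Sales Users,DC=corp,DC=example,DC=com'
$financeOu = 'OU=Finance Users,DC=corp,DC=example,DC=com'

# Domain-wide baseline, linked at the domain and Enforced so no OU can block it.
$baseline = New-GPO -Name 'Baseline Security' -Domain $domain
New-GPLink -Name $baseline.DisplayName -Target "DC=corp,DC=example,DC=com" -LinkEnabled Yes -Enforced Yes

# Different desktop configuration per OU, possible because policy is linked at the OU level.
$salesGpo   = New-GPO -Name 'Sales Desktop' -Domain $domain
$financeGpo = New-GPO -Name 'Finance Desktop' -Domain $domain
New-GPLink -Name $salesGpo.DisplayName   -Target $salesOu   -LinkEnabled Yes
New-GPLink -Name $financeGpo.DisplayName -Target $financeOu -LinkEnabled Yes

# Check: what actually applies at each OU, in processing order, and whether inheritance
# is blocked. An unexpected GpoInheritanceBlocked = True means domain-linked policies
# other than Enforced ones no longer reach that OU.
foreach ($ou in @($salesOu, $financeOu)) {
    $inh = Get-GPInheritance -Target $ou
    "{0}  BlockInheritance={1}" -f $inh.Path, $inh.GpoInheritanceBlocked
    $inh.InheritedGpoLinks | Format-Table Order, DisplayName, Enforced, Enabled -AutoSize
}
```

Get-GPInheritance lists the links from the domain down to the target OU in the order they are processed, so it is the quickest way to confirm that both the OU-specific GPO and the enforced baseline reach the users in that OU.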
Users will not navigate the OU structure. It is not necessary to design an OU structure that will appeal to end users. Although it is possible for users to navigate the OU structure of a domain, it is not the most efficient way for a user to discover resources. The most efficient way to find resources in the directory is by querying the global catalog.