Keep secrets with Active Directory containers

You know that you need to plan out your AD container structure when you migrate from a Windows NT 4.0-based domain. By now almost everyone has already done the migration, so you did the planning. Or, if you didn't, you found out you should have, and reinstalled after completing the planning. But planning doesn't stop there. Once you have your forests, trees and domains, don't forget that you can also have subcontainers, called Organizational Units (OUs), that offer a number of very nice features, not the least of which is keeping secrets.

OUs can serve four primary functions:

  • Delegation of administration
  • Applying unique group policies
  • Organizing objects logically
  • Hiding objects

Delegating administration with OUs typically happens at the top-level OUs. Delegated administration flows down from a parent OU to all of its child OUs, but you can fine-tune the delegation at lower-level OUs when necessary. In addition, each OU can be linked to one or more unique group policy objects (GPOs). Through careful organization and linking, you can fully customize the GPO settings that apply to each OU.

OUs give you the ability to mimic, or improve upon, the organization's hierarchical structure in your network implementation. Often, duplicating an existing authority structure in your IT environment simplifies management and administration. However, don't limit yourself to these constructions. Many organizations have discovered that using a different network hierarchy has improved productivity and eased management overhead.

Finally, here's a real benefit: You can use OUs to hide objects. Place the objects you want to hide in an OU, then revoke or remove all permissions on that OU, especially the List Contents permission. You also need to disable the Inherit Permissions from Parent feature on the OU, because otherwise the broad read and list permissions granted at the domain level would flow down to it. Users may still be able to see the name of the OU, but they will be unable to access its contents or even view a list of them. This effectively hides confidential, sensitive, or proprietary objects and resources from unauthorized users.
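The procedure above, scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the original tip: it creates the OU, breaks permission inheritance, strips the broad List Contents and read ACEs, and then checks the result. The domain is taken from the current session and the OU name "Restricted" is an assumption.

```powershell
# Added example (not from the original tip). Assumes the ActiveDirectory module
# and a session with rights to modify the OU's DACL; "Restricted" is an assumed name.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = "Restricted"
$ouDN     = "OU=$ouName,$domainDN"

# Principals that normally hold List Contents / Read on every OU by inheritance.
$broad = @("NT AUTHORITY\Authenticated Users",
           "Everyone",
           "BUILTIN\Pre-Windows 2000 Compatible Access")

if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

$acl = Get-Acl -Path "AD:\$ouDN"

# Step 1: disable "Inherit Permissions from Parent". The second argument ($false)
# discards the inherited ACEs instead of copying them onto the OU as explicit ones.
$acl.SetAccessRuleProtection($true, $false)

# Step 2: remove any explicit Allow ACEs the broad principals still hold on the OU.
# Explicit admin ACEs (Domain Admins, SYSTEM, Enterprise Admins) are left in place.
$leaks = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
    $broad -contains $_.IdentityReference.Value })
foreach ($ace in $leaks) { [void]$acl.RemoveAccessRule($ace) }

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Step 3: verify that inheritance is off and no broad principal keeps List Contents.
function Test-OUHidden {
    param([string]$DistinguishedName)
    $current = Get-Acl -Path "AD:\$DistinguishedName"
    if (-not $current.AreAccessRulesProtected) { return $false }
    $listRight = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
    $remaining = @($current.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.ActiveDirectoryRights -band $listRight) })
    return ($remaining.Count -eq 0)
}

Test-OUHidden -DistinguishedName $ouDN
```

Confirm the effect from an ordinary user account with `Get-ADObject -SearchBase $ouDN -Filter *`, which should return nothing. Note that this hides the container only: an object inside it that carries its own explicit ACE for a user remains accessible to that user if they already know its distinguished name.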

James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in September 2003
