You know that you need to plan out your AD container structure when you migrate from a Windows NT 4.00-based domain. But it's likely that most everyone out there already has done the migration, so you did the planning. Or if you didn't, you found out you should have, and proceeded to re-install after completing the planning. But planning doesn't stop there. Once you have your forests, trees and domains, don't forget that you can have sub containers, called Organizational Units (OUs) that offer a number of very nice features, not the least of which is keeping secrets.
OUs can serve four primary functions:
- Delegation of administration
- Applying unique group policies
- Organizing objects logically
- Hiding of objects
Using OUs to perform administration delegation typically happens in the venue of top-level OUs. Delegated administration flows down from a parent OU to all child OUs. However, you can fine-tune administration delegation on sub-levels of OUs when necessary. That's because each OU can be assigned one or more unique group policy objects (GPOs). Through clever organization and manipulation, you can fully customize the applicable GPO settings for each OU.
OUs give you the ability to mimic, or improve upon, the organization's hierarchical structure in your network implementation. Often, duplicating an existing authority structure into your IT environment simplifies management and administration. However, don't limit yourself to these constructions. Many organizations have discovered that using a different network hierarchy has improved productivity and eased management overhead.
Finally, here's a real benefit: You can use OUs to hide objects. Simply place objects you want to hide in an OU, and then revoke or remove all permissions to the OU, especially the List Contents permission. You also need to disable the Inherit Permissions from Parent feature on the OU. Users may be able to see the name of the OU, but they will be unable to access its contents or even view a list of its contents. This effectively hides confidential, sensitive, or proprietary objects and resources from unauthorized users.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.