Organizational units, or OUs, are the most flexible and forgiving Active Directory containers available. OUs can be abused far beyond what a domain or even a site can endure and still provide you with useful functionality. OUs are typically deployed in a multi-branched tree-like hierarchy within a domain. OUs can contain systems and/or user accounts. You can use one OU to contain just client systems, another to contain member servers, another to contain domain controllers and still yet other OUs to host user accounts. Or you can include both computers and users in the same OUs. You can apply one or more GPOs to OUs in order to fully customize the security and operations settings for the objects retained within.
In addition to these features OUs exude another unique quality: You can change them as needed with little or no impact on overall network traffic. Try that with a domain or a site, and you will be in a network-communications nightmare. So what changes can an OU endure so modestly? Why, just about anything from being created, moved, added to being deleted and even renamed. Objects within an OU can be created, moved, added, deleted, etc. just as easily as the OUs themselves.
Another interesting use of OUs is the ability to delegate administrative level activities over objects within an OU to non-administrator users. This in and of itself is a benefit no security manager could live without.
The flexibility and robustness of OUs along with the rigidness of domains has lead Microsoft to recommend creating domains for those groupings within your organization that are relatively static (such as location or primary departments) and use OUs to reflect the evolving detailed groupings within your organization.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.