Overview of OUs
An organizational unit (OU) is a logical group of Active Directory objects, just as the name implies. OUs serve as containers within which Active Directory objects can be created, but they do not form part of the DNS namespace. They are used solely to create organization within a domain.
OUs can contain the following types of Active Directory objects:
■ Users
■ Groups
■ Computers
■ Shared Folder objects
■ Contacts
■ Printers
■ InetOrgPerson objects
■ Microsoft Message Queuing (MSMQ) Queue aliases
■ Other OUs
Another advantage of OUs is that each can have its own set of policies. Administrators can create individual and unique Group Policy objects (GPOs) for each OU. GPOs are rules or policies that can apply to all of the objects within the OU.
The Purpose of OUs
OUs are mainly used to organize the objects within Active Directory. OUs are simply containers that you can use to group various objects logically. They are not, however, groups in the classical sense. That is, they are not used for assigning security permissions. Another way of stating this is that the user accounts, computer accounts, and group accounts that are contained in OUs are considered security principals while the OUs themselves are not. An OU contains objects only from within the domain in which it resides.
Benefits of OUs
There are many benefits to using OUs throughout your network environment.
■ OUs are the smallest unit to which you can assign directory permissions.
■ You can easily change the OU structure, and it is more flexible than the domain structure.
■ The OU structure can support many different levels of hierarchy.
■ Child objects can inherit OU settings.
■ You can set Group Policy settings on OUs.
■ You can easily delegate the administration of OUs and the objects within them to the appropriate users and groups.
Now that you have a good idea of why you should use OUs, take a look at some general practices you can use to plan the OU structure.
Considerations While Creating OUs
Keep the Names and Descriptions Simple: The purpose of OUs is to make administering and using resources simple.
Pay Attention to Limitations: The maximum length for the name of an OU is 64 characters.
Pay Attention to Hierarchical Consistency: The fundamental basis of an OU structure is its position in a hierarchy. From a design standpoint, this means you cannot have two OUs with the same name at the same level. However, you can have OUs with the same name at different levels.
OU Inheritance
By default, OUs inherit the permissions of their new parent container when they are moved.
OU Delegation
OUs are the smallest component within a domain to which administrative permissions and group policies can be assigned by administrators.
In its simplest definition, delegation allows a higher administrative authority to grant specific administrative rights for containers and subtrees to individuals and groups.
OUs can exist in a parent-child relationship, which means that permissions and group policies set on OUs higher up in the hierarchy (parents) can interact with objects in lower-level OUs (children). When it comes to delegating permissions, this is extremely important. You can allow child containers to inherit the permissions set on parent containers automatically. Inheritance is the process in which child objects take on the permissions of a parent container.
Group Policies
Simply defined, group policies are collections of rules that you can apply to objects within Active Directory. Specifically, Group Policy settings are assigned at the site, domain, and OU levels, and they can apply to user accounts and computer accounts.
Active Directory Organization
When you are looking at your Active Directory structure, you will see objects that look like folders in Windows Explorer. These objects are containers, or organizational units (OUs). The difference is that an OU is a container to which you can link a GPO. Normal containers cannot have a GPO linked to them. That’s what makes an OU a special container.
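The OU design rules above (64-character names, no duplicate names at one level, parent-to-child inheritance of delegated rights) and the OU-versus-container distinction for GPO links can be exercised in one script. The following is an added example, not part of the original text or any vendor documentation. It assumes an RSAT workstation with the ActiveDirectory and GroupPolicy modules, an existing security group named Helpdesk in the domain, and the hypothetical OU names Sales and Engineering; the GPO name is made up for the example.

```powershell
# Added example (not from the original text). Assumes the ActiveDirectory and
# GroupPolicy modules, an existing domain group "Helpdesk", and hypothetical
# OU names. Run as an account allowed to create OUs and GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example
$netbios  = (Get-ADDomain).NetBIOSName

function New-CheckedOU {
    # Create an OU after enforcing the two design limits from the text:
    # a 64-character name and no duplicate name at the same level.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ParentDN
    )
    if ($Name.Length -gt 64) {
        throw "OU name '$Name' exceeds the 64-character limit."
    }
    $existing = Get-ADOrganizationalUnit -SearchBase $ParentDN -SearchScope OneLevel `
        -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "OU '$Name' already exists under $ParentDN; reusing it."
        return $existing
    }
    # ProtectedFromAccidentalDeletion is the default; stated here so the intent is visible.
    New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
        -ProtectedFromAccidentalDeletion $true -PassThru
}

# Hierarchy: the same name may repeat at different levels, so a "Users" OU
# under Sales and another under Engineering are both allowed.
$sales = New-CheckedOU -Name 'Sales' -ParentDN $domainDN
$eng   = New-CheckedOU -Name 'Engineering' -ParentDN $domainDN
$null  = New-CheckedOU -Name 'Users' -ParentDN $sales.DistinguishedName
$null  = New-CheckedOU -Name 'Users' -ParentDN $eng.DistinguishedName
$salesDN = $sales.DistinguishedName

# Delegation: let Helpdesk reset passwords on user objects under Sales.
# /I:S applies the ACE to sub-objects, so it flows to child OUs by inheritance,
# which is the parent-to-child behaviour the text describes.
dsacls $salesDN /I:S /G "$netbios\Helpdesk:CA;Reset Password;user"

# Verify inheritance: the ACE shows up on the child OU flagged IsInherited.
$childAcl = Get-Acl -Path "AD:\OU=Users,$salesDN"
$childAcl.Access |
    Where-Object { $_.IdentityReference -like '*Helpdesk*' -and $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize

# Group Policy: a GPO links to an OU (or a site or domain), never to a plain container.
$gpo = New-GPO -Name 'Sales-Workstation-Baseline'
New-GPLink -Name $gpo.DisplayName -Target $salesDN -LinkEnabled Yes | Out-Null

# CN=Users is a container, not an OU, so this link attempt is rejected.
try {
    New-GPLink -Name $gpo.DisplayName -Target "CN=Users,$domainDN" -ErrorAction Stop
} catch {
    Write-Host "Expected failure linking to CN=Users: $($_.Exception.Message)"
}
```

The delegation grants one extended right (Reset Password) on one object class rather than full control over the OU, which is the least-privilege form of the delegation the text describes; the Get-Acl check is how you confirm that the right actually reached the child OU.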
By default, after you install and configure a domain controller, you will see the following organizational sections within the Active Directory Users and Computers tool (they look like folders):
Built-In: The Built-In container includes all of the standard groups that are installed by default when you promote a domain controller. You can use these groups to administer the servers in your environment. Examples include the Administrators group, Backup Operators group, and Print Operators group.
Computers: By default, the Computers container contains a list of the workstations in your domain. From here, you can manage all of the computers in your domain.
Domain Controllers: The Domain Controllers OU includes a list of all the domain controllers for the domain.
Foreign Security Principals: The Foreign Security Principals container holds any objects to which security can be assigned and that are not part of the current domain. Security principals are Active Directory objects to which permissions can be applied, and they can be used to manage permissions in Active Directory.
Managed Service Accounts: The Managed Service Accounts container is a new Windows Server 2012 R2 container. Service accounts are accounts created to run specific services such as Exchange and SQL Server. Having a Managed Service Accounts container allows you to control the service accounts better and thus allows for better service account security.
Users: The Users container includes all the security accounts that are part of the domain. When you first install the domain controller, there will be several groups in this container.
Active Directory Objects
You can create and manage several different types of Active Directory objects. The following are specific object types:
Computer: Computer objects represent workstations that are part of the Active Directory domain. All computers within a domain share the same security database, including user and group information. Computer objects are useful for managing security permissions and enforcing Group Policy restrictions.
Contact: Contact objects are usually used in OUs to specify the main administrative contact. Contacts are not security principals like users. They are used to specify information about individuals outside the organization.
Group: Group objects are logical collections of users primarily for assigning security permissions to resources. When managing users, you should place them into groups and then assign permissions to the group. This allows for flexible management without the need to set permissions for individual users.
InetOrgPerson: The InetOrgPerson object is an Active Directory object that defines attributes of users in Lightweight Directory Access Protocol (LDAP) and X.500 directories.
MSIMaging-PSPs: MSIMaging-PSPs is a container for all Enterprise Scan Post Scan Process objects.
MSMQ Queue Alias: An MSMQ Queue Alias object is an Active Directory object for the MSMQ-Custom-Recipient class type. The Microsoft Message Queuing (MSMQ) Queue Alias object associates an Active Directory path and a user-defined alias with a public, private, or direct single-element format name. This allows a queue alias to be used to reference a queue that might not be listed in Active Directory Domain Services (AD DS).
Organizational Unit: An OU object is created to build a hierarchy within the Active Directory domain. It is the smallest unit that can be used to create administrative groupings, and it can be used to assign group policies. Generally, the OU structure within a domain reflects a company’s business organization.
Printer: Printer objects map to printers.
Shared Folder: Shared Folder objects map to server shares. They are used to organize the various file resources that may be available on file/print servers. Often, Shared Folder objects are used to give logical names to specific file collections.
User: A User object is the fundamental security principal on which Active Directory is based. User accounts contain information about individuals as well as password and other permission information. User templates allow an Active Directory administrator to create a default account (for example, template_sales) and use that account to create all of the other users who match it (all the salespeople).
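The template-account workflow just described, written out as an added example (not code from the original text). It assumes the ActiveDirectory module, an existing template account template_sales that lives in the OU where new salespeople should be created, and that the template already has a UPN suffix set; the function name and the new user's details are hypothetical.

```powershell
# Added example (not from the original text). Assumes the ActiveDirectory
# module and an existing, disabled template account such as template_sales.
Import-Module ActiveDirectory

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateSam,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][securestring]$InitialPassword
    )
    # Read the attributes worth copying. -Instance copies only the writable
    # attributes that were retrieved; memberOf is a back-link and is copied by hand.
    $tpl = Get-ADUser -Identity $TemplateSam `
        -Properties Department, Title, Company, Office, StreetAddress, City, State, PostalCode, Country, ScriptPath, MemberOf

    # A template is a pattern, not a login: it should stay disabled.
    if ($tpl.Enabled) {
        Write-Warning "Template '$TemplateSam' is enabled; template accounts should be disabled."
    }

    $parentOU  = ($tpl.DistinguishedName -split ',', 2)[1]   # drop the template's RDN
    $upnSuffix = ($tpl.UserPrincipalName -split '@')[1]

    $new = New-ADUser -Instance $tpl -Name "$GivenName $Surname" `
        -SamAccountName $SamAccountName -GivenName $GivenName -Surname $Surname `
        -DisplayName "$GivenName $Surname" `
        -UserPrincipalName "$SamAccountName@$upnSuffix" -Path $parentOU `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true `
        -Enabled $true -PassThru

    # Copy the template's group memberships so the new user gets the same access.
    foreach ($groupDN in $tpl.MemberOf) {
        Add-ADGroupMember -Identity $groupDN -Members $new
    }
    return $new
}

# Hypothetical usage: one call per salesperson.
$pw = Read-Host -Prompt 'Initial password' -AsSecureString
New-UserFromTemplate -TemplateSam 'template_sales' -SamAccountName 'jdoe' `
    -GivenName 'Jane' -Surname 'Doe' -InitialPassword $pw |
    Select-Object SamAccountName, DistinguishedName, Enabled
```

Attributes that are unique per person (name, UPN, password) are always passed explicitly so that nothing identifying is inherited from the template, and the group copy loop is what makes the template useful: it is the template's memberships, more than its address fields, that define what a salesperson can reach.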
Importing Objects from a File
What if you need to bulk import accounts? There are two main applications for doing bulk imports of accounts: the ldifde.exe utility and the csvde.exe utility. Both utilities import accounts from files.
The ldifde utility imports from line-delimited files. This utility allows an administrator to export and import data, thus allowing batch operations such as Add, Modify, and Delete to be performed in Active Directory. Windows Server 2012 R2 includes ldifde.exe to help support batch operations.
The csvde.exe utility performs the same export functions as ldifde.exe, but csvde.exe uses a comma-separated value file format. The csvde.exe utility does not allow administrators to modify or delete objects. It only supports adding objects to Active Directory.
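To make the ldifde/csvde difference concrete, here is an added example (not from the original text) that builds a small LDIF file with an add and a modify record, a CSV file with two add rows, runs both utilities, and then finishes the accounts in PowerShell. It assumes a domain whose DN is DC=corp,DC=example with an existing OU=Sales, that ldifde.exe and csvde.exe are on the path, and the ActiveDirectory module; the user records are constructed sample data.

```powershell
# Added example (not from the original text). Assumes DC=corp,DC=example with an
# existing OU=Sales, ldifde/csvde on the path, and the ActiveDirectory module.
# Both input files below are constructed sample data.

# --- LDIF: add, modify and delete records, separated by blank lines.
#     userAccountControl 514 = normal account + disabled, set explicitly so the
#     account is created disabled rather than with "password not required".
$ldif = @'
dn: CN=Jane Doe,OU=Sales,DC=corp,DC=example
changetype: add
objectClass: user
sAMAccountName: jdoe
givenName: Jane
sn: Doe
displayName: Jane Doe
userPrincipalName: jdoe@corp.example
userAccountControl: 514

dn: CN=Jane Doe,OU=Sales,DC=corp,DC=example
changetype: modify
replace: description
description: Sales, imported with ldifde
-
'@
Set-Content -Path .\sales-users.ldf -Value $ldif -Encoding ASCII

# -i import, -f input file, -k continue past "object already exists" errors
ldifde -i -f .\sales-users.ldf -k

# --- CSV: add only (no modify/delete); the header row names the attributes.
$csv = @'
DN,objectClass,sAMAccountName,givenName,sn,displayName,userPrincipalName,userAccountControl
"CN=John Roe,OU=Sales,DC=corp,DC=example",user,jroe,John,Roe,John Roe,jroe@corp.example,514
"CN=Ann Poe,OU=Sales,DC=corp,DC=example",user,apoe,Ann,Poe,Ann Poe,apoe@corp.example,514
'@
Set-Content -Path .\sales-users.csv -Value $csv -Encoding ASCII
csvde -i -f .\sales-users.csv -k

# Neither utility sets a password over plain LDAP, so the accounts arrive
# disabled. Set a password, force a change at first logon, then enable.
Import-Module ActiveDirectory
foreach ($sam in 'jdoe', 'jroe', 'apoe') {
    $pw = Read-Host -Prompt "Initial password for $sam" -AsSecureString
    Set-ADAccountPassword -Identity $sam -NewPassword $pw -Reset
    Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
    Enable-ADAccount -Identity $sam
}

# Export (both tools can do this): -d search base, -r LDAP filter, -l attributes
ldifde -f .\sales-export.ldf -d "OU=Sales,DC=corp,DC=example" -r "(objectClass=user)" -l "sAMAccountName,givenName,sn,memberOf"
```

The modify record in the LDIF file is the operation csvde cannot express, which is the practical meaning of the text's "add only" limitation. Creating the accounts disabled and enabling them only after a password is set keeps an importer from leaving password-less, enabled logins in the directory between the two steps.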
Active Directory Migration Tool
Another tool that administrators have used in the past is Active Directory Migration Tool (ADMT). ADMT allows an administrator to migrate users, groups, and computers from a previous version of the server to a current version of the server.
Administrators also used the ADMT to migrate users, groups, and computers between Active Directory domains in different forests (interforest migration) and between Active Directory domains in the same forest (intraforest migration).
Group Properties
When you are creating groups, it helps to understand some of the options that you need to use.
1: Group Type: You can choose from two group types: security groups and distribution groups.
Security Groups: These groups can have rights and permissions placed on them. For example, if you want to give a certain group of users access to a particular printer, but you want to control what they are allowed to do with this printer, you’d create a security group and then apply certain rights and permissions to this group.
Security groups can also receive emails. If someone sent an email to the group, all users within that group would receive it (as long as they have a mail system that allows for mail-enabled groups, like Exchange).
Distribution Groups: These groups are used for email only (as long as they have a mail system that allows for mail-enabled groups, like Exchange). You cannot place permissions and rights for objects on this group type.
2: Group Scope: When it comes to group scopes, you have three choices.
Domain Local Groups: Domain local groups are groups that remain in the domain in which they were created. You use these groups to grant permissions within a single domain. For example, if you create a domain local group named HPLaser, you cannot use that group in any other domain, and it has to reside in the domain in which you created it.
Global Groups: Global groups can contain other groups and accounts from the domain in which the group is created. In addition, you can give them permissions in any domain in the forest.
Universal Groups: Universal groups can include other groups and accounts from any domain in the domain tree or forest. You can give universal groups permissions in any domain in the domain tree or forest.
Creating Group Strategies
When you are creating a group strategy, think of this acronym that Microsoft likes to use in the exam: AGDLP (or AGLP). This acronym stands for a series of actions you should perform. Here is how it expands:
A: Accounts (Create your user accounts.)
G: Global groups (Put user accounts into global groups.)
DL: Domain local groups (Put global groups into domain local groups.)
P: Permissions (Assign permissions such as Deny or Apply on the domain local group.)
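The group type and scope options from the Group Properties section and the AGDLP sequence above come together in the following added example (not from the original text). It assumes the ActiveDirectory module, a domain with an OU=Groups and an OU=Sales, and a folder D:\Shares\Reports on the machine where the script runs; the user, group and share names are hypothetical.

```powershell
# Added example (not from the original text). Assumes the ActiveDirectory module,
# OU=Groups and OU=Sales in the domain, and a local folder D:\Shares\Reports.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$netbios  = (Get-ADDomain).NetBIOSName
$groupOU  = "OU=Groups,$domainDN"
$share    = 'D:\Shares\Reports'

# A: the account. One salesperson; in practice this is a loop over an HR list.
$user = New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -GivenName 'Jane' -Surname 'Doe' `
    -UserPrincipalName "jdoe@$((Get-ADDomain).DNSRoot)" -Path "OU=Sales,$domainDN" `
    -AccountPassword (Read-Host -Prompt 'Initial password' -AsSecureString) `
    -ChangePasswordAtLogon $true -Enabled $true -PassThru

# G: a global group that names a role. Category Security, because a
# distribution group cannot carry rights or permissions.
$global = New-ADGroup -Name 'Sales-Staff' -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description 'Role: members of the Sales team' -PassThru
Add-ADGroupMember -Identity $global -Members $user

# DL: a domain local group that names a resource and an access level.
# Domain local scope, because the group is only ever used inside this domain.
$local = New-ADGroup -Name 'Reports-Modify' -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description "Resource: Modify on $share" -PassThru
Add-ADGroupMember -Identity $local -Members $global   # role group nested in resource group

# P: the permission goes on the domain local group, never on the user.
$acl  = Get-Acl -Path $share
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\$($local.SamAccountName)",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Verify the chain user -> global -> domain local with a recursive lookup.
Get-ADGroupMember -Identity $local -Recursive | Select-Object SamAccountName, objectClass

# And confirm the ACE on the folder references the group, not any individual.
(Get-Acl -Path $share).Access |
    Where-Object { $_.IdentityReference -like "*$($local.SamAccountName)" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Keeping the role (global) and the resource (domain local) as separate groups is what makes later changes cheap: a new salesperson is added to Sales-Staff only, and a new resource gets its own domain local group with Sales-Staff nested into it, so the ACL on the file system never has to be touched per user. The recursive membership check at the end is also the quickest way to audit who effectively holds a permission.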