Organizational Unit (OU) Flashcards
OUs
OU Facts
An Organizational Unit (OU) is similar to a folder that subdivides and organizes network resources within a domain.
An OU can contain other OUs or any type of object, such as users, computers, and printers.
OUs can be nested to logically organize network resources.
Parent OUs are OUs that contain other OUs.
Child OUs are OUs within other OUs.
OUs are typically organized by the following:
Physical location, such as a country or city.
Organizational structure, such as the HR, Sales, and IT departments.
Object type, such as user accounts or computers.
Hybrid of location, organizational structure, and object type.
Group Policy in OU
One of the biggest reasons to use OUs is for the application of Group Policy. Create OUs for each group of objects that need to have different Group Policy settings.
Group Policy objects (GPOs) can be linked to OUs. Policy settings apply to all objects within the OU.
Through inheritance, settings applied to the domain or parent OUs apply to all child OUs and objects within those OUs.
Note: A generic container is not an OU and can’t have group policy objects assigned to it. A good practice is to move objects out of generic containers and into an OU. For example, you can move the computers out of the Computers container and into an OU where group policy can be applied.
Preventing accidental deletion
Objects in Active Directory can be accidentally deleted through Active Directory Users and Computers and other management tools. The following types of deletions are most common:
Leaf-node deletion is when a user selects and deletes a leaf object.
Organizational Unit (OU) deletion is when a user selects and deletes an OU that has subordinate objects. Deleting the OU deletes all objects within the OU (including any child OUs and their objects).
To protect objects from accidental deletion:
In Active Directory Users and Computers or Active Directory Sites and Services, edit the properties and do one of the following:
On the Object tab, select the Protect object from accidental deletion check box. (This option is only visible when Advanced Features is selected from the View menu.)
On the Security tab, select the Deny Delete All Child Objects advanced permission for Everyone.
When you create an organizational unit, leave the Protect container from accidental deletion check box selected. This is the default. Other types of objects do not have this default setting and must be manually configured.
To delete an object that is protected, first clear the Protect container from accidental deletion setting, then delete the object.
Delegating authority
Delegating authority is the assignment of administrative tasks, such as resetting passwords or creating new users, to appropriate users and groups. You should be aware of the following facts about delegating control:
You can delegate control of any part of an OU or object at any level with the Delegation of Control Wizard or through the Authorization Manager console.
An object-based design allows you to delegate control based on the types of objects in each OU. For example, you can delegate control over specific object types (such as user objects).
A task-based design allows you to delegate control based on the types of administrative tasks that need to be done. Some examples of administrative tasks are:
User account management, such as creation and deletion.
Password management, such as resetting and forcing password changes.
Group membership and permissions management.
Default Containers
When you install Active Directory, several default containers and Organizational Units (OUs) are automatically created. The following table lists the default containers and their contents:
Container or OU: Contents
Builtin: The Builtin container holds default service administrator accounts and domain local security groups. These groups are pre-assigned the permissions needed to perform domain management tasks.
Computers: The Computers container holds all computers joined to the domain without a pre-created computer account. It is the default location for new computer accounts created in the domain.
Domain Controllers: The Domain Controllers OU is the default location for the computer accounts of domain controllers.
ForeignSecurityPrincipals: The ForeignSecurityPrincipals container holds proxy objects for security principals in NT 4.0 domains or domains outside of the forest.
LostAndFound: The LostAndFound container holds objects moved or created at the same time an Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller while administrators at other domain controllers add or move objects into the deleted OU before the change has replicated. During replication, such new objects are placed in the LostAndFound container.
NTDS Quotas: The NTDS Quotas container holds objects that define limits on the number of objects users and groups can own.
Program Data: The Program Data container holds application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it.
System: The System container holds configuration information about the domain, including security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP security policies.
Users: The Users container holds additional predefined user and group accounts (besides those in the Builtin container). These users and groups are pre-assigned membership and permissions for completing domain and forest management tasks.
Be aware of the following when managing the default containers:
Default containers are automatically created and cannot be deleted.
The Domain Controllers OU is the only default organizational unit object. All other containers are just containers, not OUs. As such, you cannot apply a GPO to any default container except for the Domain Controllers OU.
To apply Group Policy specifically to objects within a default container (except for the Domain Controllers OU), move the objects into an OU that you create, then link the GPO.
The LostAndFound, NTDS Quotas, Program Data, and System containers are hidden in Active Directory Users and Computers. To view these containers, click Advanced Features from the View menu.