Groups vs. Organizational Units

Posted on Fri 07/28/06 in Technical Interlude

For days I’ve been searching for this explanation about using Groups vs. Organizational Units…

Thanks Scott!

There Are Groups, and There Are Groups

In Active Directory, groups and organizational units co-exist. A group is generally a member of an OU; but an OU can be a member of another OU, and an OU can be an equal member of another OU as a group. When Microsoft inherited the OU concept from LDAP, it had to reconstruct it into a more pliable metaphor, like a folder for files. As a result, the definitions of all these terms often fail to resound in the mind of a newcomer, until the point where she can see them altogether and the collective context begins to form:

  • A group is an assembly of objects (users, computers, and other resources) which are collected together for at least one of two functions: to distribute a set of access permissions among the group’s members, or to serve as a single gateway for the distribution of messages. There are several built-in groups in AD, and the scope of a group may be limited to a domain or a forest. Some groups have been predefined for security reasons, such as Account Operators; so some groups exist for the purpose of identifying users with specific, allowed capabilities outside of the realm of policy. In the System Registry, some security descriptors (SIDs) have been created exclusively for groups.
  • A container is a class of objects recognized by Active Directory. There are many such containers generated automatically, such as Computers, Domain Controllers, and Users.

An organizational unit is a container, with enhancements. A Group Policy Object (GPO) may be created for an OU, which specifies restrictions on the functions its members are permitted to perform. In this case, policy or “group policy” pertains to an OU, not to a group specifically. A policy determines whether a member is allowed to make even local changes to her system, such as changing the clock or her desktop wallpaper. A policy for an OU applies to all the members of that OU, and is inherited by the members of OUs contained within the OU, except where exceptions are written exclusively into the policy of the contained OU.

Excerpt from:
http://www.informit.com/guides/content.asp?g=windowsserver&seqNum=53
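The excerpt's distinction (group membership carries permissions and is independent of where an object sits; OU containment is where Group Policy attaches and is inherited down the tree) is easiest to see from the directory itself. The following PowerShell is an added example, not code from the InformIT article or from this post. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and the session runs as a domain user with read access; the group names, the search base and the sample account name `jdoe` are placeholders.

```powershell
# Added example (not from the article). Assumes RSAT ActiveDirectory and
# GroupPolicy modules and read access to the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Groups: membership lives in the group's 'member' attribute and says nothing
#    about where the member object sits in the OU tree. Expanding a built-in
#    privileged group (Account Operators is named in the excerpt) shows who holds
#    that capability regardless of OU; the group names here are placeholders.
function Get-PrivilegedGroupReport {
    param([string[]]$GroupNames = @('Account Operators', 'Domain Admins'))
    foreach ($name in $GroupNames) {
        $group   = Get-ADGroup -Identity $name -Properties GroupScope, GroupCategory
        $members = @(Get-ADGroupMember -Identity $name -Recursive)
        [pscustomobject]@{
            Group       = $group.Name
            Scope       = $group.GroupScope      # DomainLocal / Global / Universal
            Category    = $group.GroupCategory   # Security / Distribution
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object { "$($_.objectClass):$($_.SamAccountName)" }) -join ', '
        }
    }
}

# 2. OUs: containment is the object's parent in the tree. A GPO is linked to an
#    OU (or the domain/site), never to a group. For each OU this reports the
#    direct links, the links that take effect after inheritance, and whether
#    inheritance from parent OUs has been blocked (the "exceptions" the excerpt
#    mentions), which is the setting a reviewer usually wants flagged.
function Get-OuPolicyReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $inh = Get-GPInheritance -Target $_.DistinguishedName
        [pscustomobject]@{
            OU                 = $_.DistinguishedName
            InheritanceBlocked = $inh.GpoInheritanceBlocked
            DirectLinks        = ($inh.GpoLinks          | ForEach-Object { $_.DisplayName }) -join ', '
            EffectiveLinks     = ($inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join ', '
        }
    }
}

# 3. One account, both relationships side by side: the OU that contains it
#    (policy applies from here) versus the groups it belongs to (permissions
#    come from here).
function Get-UserPlacement {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    # Parent DN = everything after the first RDN. Simplification: a DN whose
    # first RDN contains an escaped comma (CN=Doe\, John) would need an LDAP
    # DN parser instead of a plain split.
    $parent = ($user.DistinguishedName -split ',', 2)[1]
    # GPOs link only to OUs and the domain; a plain container such as CN=Users
    # cannot carry a link, so only the domain-level policy reaches objects there.
    if ($parent -like 'OU=*' -or $parent -like 'DC=*') {
        $policy = ((Get-GPInheritance -Target $parent).InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join ', '
    } else {
        $policy = "(container, no GPO links; domain-level policy only)"
    }
    [pscustomobject]@{
        User              = $user.SamAccountName
        ContainedIn       = $parent
        PolicyAppliedFrom = $policy
        MemberOf          = ($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }) -join ', '
    }
}

# Usage (jdoe is a placeholder account name):
# Get-PrivilegedGroupReport | Format-List
# Get-OuPolicyReport | Where-Object InheritanceBlocked | Format-Table -AutoSize
# Get-UserPlacement -SamAccountName 'jdoe' | Format-List
```

Reading the three reports together makes the excerpt's point concrete: moving an account between OUs changes `PolicyAppliedFrom` but not `MemberOf`, and adding it to Account Operators changes `MemberOf` without altering which GPOs reach it. The `InheritanceBlocked` column is worth reviewing periodically, since a blocked OU silently drops parent policy for everything beneath it.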

