Thursday, May 22, 2008

Windows Server 2008 Active Directory - Organizational Units

A domain can be an awfully big, comprehensive unit to manage, and most environments benefit from some mechanism to separate that large, unitary domain into smaller, more manageable chunks. An organizational unit is AD DS's way of doing that. Organizational units, or OUs, act like folders on a regular client's operating system, containing every type of object that AD DS supports. You might choose to separate your domain into OUs in one of these ways:

  • A university might create a domain with a name corresponding to the entire university (ncsu.edu, for example), with each college in that institution getting an OU (biology, physics, mathematics, etc.).

  • A medium-size business might use one domain for all of its AD DS needs, but segregate objects into their geographical locations—an OU for the Los Angeles office, an OU for the Birmingham office, and an OU for the Richmond office.

  • Larger corporations might want to divide their domain by department. Within business.com, for example, one OU each could be created for Sales, Support, Marketing, Development, and Q/A.

  • An administrator also could decide to create OUs based on the type of objects contained therein—for example, a Computers OU, a Printers OU, and so on.

A particularly interesting feature of OUs is the ability to delegate administrative control over them to a subset of users in AD DS. Take, for instance, the third example in the previous list. Perhaps you, as the domain administrator, want to designate one technically savvy person in each department as the official Password Change Administrator, to reduce your administrative load. You can delegate the authority to modify users' passwords to each of those people over only their respective OU, granting them that power while confining it to one specific area of your AD DS infrastructure. This ability is called delegation, and you'll find an entire section devoted to it later in this chapter.

OUs are designed to be containers in AD DS—their purpose is to hold objects and to have contents. You can apply GPs (Group Policy settings) to the objects within a specific OU, controlling users' desktops, locking them out of potentially dangerous system modification settings, and creating a consistent user experience across your domain.
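As an added example (not from the book or this post), here is the department-OU layout from the third bullet together with the per-department password administrator from the delegation paragraph, scripted with the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later). The domain business.com comes from the text; the group name Sales-PasswordAdmins and the account jdoe are assumed placeholders, and the Q/A department is named QA because a slash would have to be escaped in the distinguished name.

```powershell
# Added example, not the book's code. Domain from the text; group and account names are assumed.
Import-Module ActiveDirectory

$domainDN    = 'DC=business,DC=com'
$departments = 'Sales', 'Support', 'Marketing', 'Development', 'QA'   # QA: "/" must be escaped in a DN

# One OU per department, directly under the domain, protected against accidental deletion.
foreach ($dept in $departments) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$dept'" -SearchBase $domainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $dept -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Delegate to a group rather than to a person: membership is auditable and revocable without touching the ACL.
$ouDN            = "OU=Sales,$domainDN"
$groupName       = 'Sales-PasswordAdmins'   # assumed name
$delegateAccount = 'jdoe'                   # assumed account
New-ADGroup -Name $groupName -GroupScope Global -Path $ouDN -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity $groupName -Members $delegateAccount
$sid = (Get-ADGroup $groupName).SID

# Well-known schema GUIDs: the "Reset Password" extended right, the user object class, and pwdLastSet.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$pwdLastSet         = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'
$descendants        = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$ouDN"
# ACE 1: reset passwords, but only on user objects beneath this OU (not computers, groups, or the OU itself).
$ace1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, 'ExtendedRight', 'Allow', $resetPasswordRight, $descendants, $userClass
# ACE 2: write pwdLastSet so the delegate can force "user must change password at next logon".
$ace2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, 'ReadProperty, WriteProperty', 'Allow', $pwdLastSet, $descendants, $userClass
$acl.AddAccessRule($ace1)
$acl.AddAccessRule($ace2)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: list exactly what the group holds on this OU; anything beyond these two ACEs is over-delegation.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Because the ACEs are inherited only by user objects, a member of the group cannot reset passwords on accounts that sit in another department's OU, which is the scoping the paragraph above describes.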

Source: O'Reilly, Windows Server 2008: The Definitive Guide
