OUs can be nested to create a design that enables administrators to take advantage of the natural inheritance of the Active Directory hierarchy. You should limit the number of OUs that are nested, because too many levels can slow the response time to resource requests and complicate the application of Group Policy settings.
When you first install Active Directory Domain Services, there is only one OU in the domain, by default: the Domain Controllers OU. All other OUs must be created by an AD administrator.
NOTE: OUS AND PERMISSIONS
OUs are not considered security principals. This means that you cannot assign access permissions to a resource based on membership to an OU. Herein lies the difference between OUs and global, domain local, and universal groups. Groups are used for assigning access permissions, whereas OUs are used for delegating permissions and Group Policy.
There is another type of container object found in a domain, which is actually called a container. For example, a newly created domain has several container objects in it, including one called Users, which contains the domain’s predefined users and groups, and another called Computers, which contains the computer objects for all the systems joined to the domain except for domain controllers.
Unlike with OUs, you cannot assign Group Policy settings to container objects. You also cannot create new container objects by using the standard Active Directory administration tools, such as the Active Directory Users And Computers console. You can create container objects by using scripts, but there is no compelling reason to do so. OUs are the preferred method of subdividing a domain.
OUs are the simplest type of object to create in the AD DS hierarchy. You only have to supply a name for the object and define its location in the Active Directory tree.
To create an OU object by using the Active Directory Administrative Center, use the following procedure.
1. In Server Manager, on the Tools menu, select Active Directory Administrative Center to open the Active Directory Administrative Center console.
2. In the left pane, right-click the object beneath which you want to create the new OU and, from the shortcut menu, select New, Organizational Unit. The Create Organizational Unit window opens, as shown in Figure 5-20.
FIGURE 5-20 The Create Organizational Unit window in Active Directory Administrative Center
3. In the Name field, type a name for the OU and add any optional information you desire.
4. Click OK. The OU object appears in the object you selected.
5. Close the Active Directory Administrative Center console.
Creating an OU in the Active Directory Users And Computers console works in roughly the same way, although the New Object – Organizational Unit dialog box looks different. Once you have created an OU, you can double-click it to open its Properties sheet, where you can modify its attributes, or right-click it and select Move to open the Move dialog box, as shown in Figure 5-21.
FIGURE 5-21 The Move dialog box in Active Directory Administrative Center
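The same result as the Administrative Center procedure above, scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the book; it assumes the RSAT ActiveDirectory module is installed, uses the hypothetical domain contoso.com, and the OU and computer names (Corp, Workstations, Servers, WS01) are constructed. It also shows the Move dialog's scripted equivalent and a quick check of the note above that an OU, unlike a group, carries no SID.

```powershell
# Added example (not from the book): build a shallow nested OU structure with
# the ActiveDirectory module instead of the Administrative Center GUI.
# Assumes the RSAT ActiveDirectory module and the hypothetical domain
# contoso.com (DC=contoso,DC=com). OU and computer names are constructed.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=com

# Parent OU, then two children nested one level deep. Keep nesting shallow,
# as the text advises, so Group Policy processing stays simple to reason about.
$corp = New-ADOrganizationalUnit -Name 'Corp' -Path $domainDN `
        -ProtectedFromAccidentalDeletion $true -PassThru
foreach ($child in 'Workstations', 'Servers') {
    New-ADOrganizationalUnit -Name $child -Path $corp.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

# Scripted equivalent of the Move dialog: relocate a computer object out of the
# default Computers container (a container, not an OU, so it cannot carry Group
# Policy) into the new OU. 'WS01' is a constructed example name.
$ws = Get-ADComputer -Identity 'WS01'
Move-ADObject -Identity $ws.DistinguishedName `
    -TargetPath "OU=Workstations,OU=Corp,$domainDN"

# OUs are not security principals: the OU has no objectSid, whereas a group
# does, which is why permissions are assigned to groups rather than OUs.
Get-ADOrganizationalUnit -Identity "OU=Corp,$domainDN" -Properties objectSid |
    Select-Object Name, objectSid
Get-ADGroup -Identity 'Domain Admins' | Select-Object Name, SID
```

ProtectedFromAccidentalDeletion is set explicitly so that a later bulk delete of the tree fails unless an administrator first clears the flag; that is the scripted counterpart of the "limited scope of errors" point made further down.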
Using OUs to assign Group Policy settings
One of the main reasons for creating an OU is to assign different Group Policy settings to a particular collection of objects. When you assign Group Policy settings to an OU, every object contained in that OU receives those settings, including other OUs. This enables administrators to deploy Group Policy settings to only part of a domain, rather than the entire domain.
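Linking a GPO at the OU level, as described above, done with the GroupPolicy module. This is an added example, not the book's code; it assumes the GroupPolicy and ActiveDirectory RSAT modules, the hypothetical domain contoso.com, and a constructed GPO name and OU path. The second half uses Get-GPInheritance to confirm that the OU receives both its own link and whatever is inherited from the domain and site above it.

```powershell
# Added example (not from the book): link a GPO to one OU so that only that
# OU's objects (and any nested OUs) receive it, then verify link order and
# inheritance. Assumes the GroupPolicy and ActiveDirectory RSAT modules and
# the hypothetical domain contoso.com; GPO and OU names are constructed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ouDN = 'OU=Workstations,OU=Corp,DC=contoso,DC=com'

# Create an empty GPO and link it to the OU. Linking at the OU scopes the
# settings to that subtree rather than to the whole domain.
$gpo = New-GPO -Name 'Corp-Workstation-Hardening' -Comment 'Added example'
New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes -Enforced No

# Show the OU's own links plus everything it inherits from the domain and site.
# Order 1 is processed last and therefore wins on conflicting settings.
$inh = Get-GPInheritance -Target $ouDN
$inh.GpoLinks          | Select-Object DisplayName, Enabled, Enforced, Order
$inh.InheritedGpoLinks | Select-Object DisplayName, Target, Order

# Computers left in the default Computers container never receive this GPO,
# because containers cannot be linked; moving them into the OU is what applies it.
```

Running Get-GPInheritance after every link change is a cheap check that a policy meant for one OU has not been linked higher up by mistake, where it would apply to the whole domain.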
Using OUs to delegate Active Directory management tasks
Creating OUs enables you to implement a decentralized administration model, in which others manage portions of the AD DS hierarchy, without affecting the rest of the structure.
Delegating authority at a site level affects all domains and users within the site. Delegating authority at the domain level affects the entire domain. However, delegating authority at the OU level affects only that OU and its subordinate objects. By granting administrative authority over an OU structure, as opposed to an entire domain or site, you gain the following advantages:
– Minimal number of administrators with global privileges: By creating a hierarchy of administrative levels, you limit the number of people who require global access.
– Limited scope of errors: Administrative mistakes such as a container deletion or group object deletion affect only the respective OU structure.
The Delegation of Control Wizard provides a simple interface you can use to delegate permissions for domains, OUs, and containers. AD DS has its own system of permissions, much like those of NTFS and printers. The Delegation of Control Wizard is essentially a front-end interface that creates complex combinations of permissions based on specific administrative tasks.
The wizard interface enables you to specify the users or groups to which you want to delegate management permissions and the specific tasks you wish them to be able to perform.
You can delegate predefined tasks or create custom tasks that enable you to be more specific.
To delegate administrative control over an OU, use the following procedure.
1. From Server Manager, open the Active Directory Users And Computers console, right-click the object over which you want to delegate control and click Delegate Control. The Delegation of Control Wizard starts, displaying the Welcome page.
2. Click Next to move to the Users Or Groups page.
3. Click Add to open the Select Users, Computers, Or Groups dialog box.
4. Type the name of the user or group to which you want to delegate control of the object and click OK. The user or group appears in the Selected Users And Groups list.
5. Click Next. The Tasks To Delegate page opens, with the following options:
– Delegate The Following Common Tasks: Enables you to choose from a list of predefined tasks
– Create A Custom Task To Delegate: Enables you to be more specific about the task delegation
6. Select Create A Custom Task To Delegate and click Next. The Active Directory Object Type page opens, displaying the following options:
– This Folder, Existing Objects In This Folder, And Creation Of New Objects In This Folder: Delegates control of the container, including all its current and future objects
– Only The Following Objects In The Folder: Enables you to select specific objects to be controlled. You can select Create Selected Objects In This Folder to allow selected object types to be created, or select Delete Selected Objects In This Folder to allow selected object types to be deleted
7. Select This Folder, Existing Objects In This Folder, And Creation Of New Objects In This Folder and click Next. The Permissions page opens.
8. Set the delegated permissions according to your needs for the user or group to which you are delegating control. You can combine permissions from the following three options:
– General: Displays general permissions, which are equal to those displayed on the Security tab in an object’s properties
– Property-specific: Displays permissions that apply to specific attributes or properties of an object
– Creation/deletion of specific child objects: Displays permissions that apply to creation and deletion permissions for specified object types
9. Click Next to open the Completing The Delegation of Control Wizard page.
10. Click Finish.
11. Close the Active Directory Users And Computers console.
In this procedure, you granted permissions over a portion of Active Directory to a specified administrator or group of administrators. Although you can use the Delegation of Control Wizard to grant permissions, you cannot use it to modify or remove permissions. To perform these tasks, you must use the interface provided on the Security tab in the AD DS object’s Properties sheet.
NOTE: ADVANCED VIEW
By default, the Security tab does not appear in an OU’s Properties sheet in the Active Directory Users And Computers console. To display the tab, you must select Advanced Features from the console’s View menu.
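The wizard's output is just a set of access control entries on the OU, so the same delegation can be granted, reviewed and, unlike with the wizard, revoked from PowerShell against the AD: drive. This is an added example, not the book's procedure; it assumes the ActiveDirectory module, the hypothetical domain contoso.com, a constructed group named HelpDesk, and delegates the predefined "reset password" task rather than the custom full-control task walked through above. The two GUIDs are fixed schema identifiers for the Reset Password control access right and the user object class.

```powershell
# Added example (not from the book): delegate one task (reset user passwords)
# on an OU by writing the ACE directly, then list and remove delegated ACEs.
# The Delegation of Control Wizard can grant but not revoke; this is the
# scripted equivalent of the Security tab shown under Advanced Features.
# Assumes the ActiveDirectory module, the hypothetical domain contoso.com and
# a constructed group named 'HelpDesk'.
Import-Module ActiveDirectory

$ouDN  = 'OU=Corp,DC=contoso,DC=com'
$group = Get-ADGroup -Identity 'HelpDesk'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Fixed AD schema GUIDs (not domain-specific): the "Reset Password" control
# access right and the user object class.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# One ACE: Allow ExtendedRight(reset password), inherited by descendant user
# objects only, so the group cannot reset passwords on anything outside the OU.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review: every explicit (non-inherited) ACE on the OU. This is what the wizard
# leaves behind and what the Security tab shows; audit it periodically.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType,
                  InheritedObjectType, AccessControlType

# Revoke: remove every explicit rule held by the group (the wizard cannot).
$acl = Get-Acl -Path "AD:\$ouDN"
$toRemove = $acl.Access | Where-Object {
    -not $_.IsInherited -and $_.IdentityReference.Value -eq 'CONTOSO\HelpDesk'
}
foreach ($rule in $toRemove) { [void]$acl.RemoveAccessRule($rule) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```

The review step is the part worth keeping as a scheduled job: because the wizard only adds entries, delegations accumulate over time, and a periodic listing of non-inherited ACEs per OU is the simplest way to notice rights that no longer match the intended administrative model.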
The following points will be covered in the coming sections.