What is the function of OU?

This document describes the basic components in Active Directory (UMROOT) and how to work with them.

Contents:

  • Organizational Units (OUs)
  • UMROOT OUs
  • People OU
  • Organizations OU
  • Accounts OU (Optional)
  • Managing Users
  • Managing Groups

Organizational Units (OUs)

OUs are Active Directory (AD) containers that hold other AD objects. They have three main functions:

  • To visually organize objects
  • To group objects so Group Policies can be assigned to them
  • To group objects so permissions can be delegated to them so they can be managed by a subset of administrators

Unlike in some other directory systems, Active Directory OUs are not security principals: you cannot grant a common set of permissions to all the users in an OU by granting them to the OU. Permissions can only be assigned to users and groups.

UMROOT OUs

People OU

People with profiles in the MCommunity Directory are provisioned to the People OU, so you won't need to create any uniqname user accounts. There are several ways to manage these users (see Managing Users below).

Organizations OU

Each unit that joins the Active Directory will have an Organizations OU.

Unit administrators can create additional OUs, computers and server objects, groups, and non-uniqname users in their Organizations OU. All objects except OUs must conform to the naming conventions of dept-whatever.

You are not allowed to create user objects with uniqnames or using the uniqname naming convention of 3-8 alphabetic characters. You must create user objects that follow the above naming convention. For administrative accounts, there is an exception that allows you to add a number to the end of a uniqname to create a user name.

Group Policies can be applied to your Organizations OU or any of the sub OUs.

Accounts OU (Optional)

Each unit that joins Active Directory will have an Accounts OU. Using this OU is optional and many units will choose not to use it in order to simplify their administration. You may choose to fully manage your users and their attributes, but this is generally unnecessary. See the Active Directory Central Accounts Service page for an explanation.

Managing Users

All users with uniqnames are already provisioned in the People OU of Active Directory. You can manage many aspects of these users without needing to manage the users in your Accounts OU.

  • Users can be added by OU administrators to groups you create in your Organizations OU.
  • Permissions can be assigned by OU administrators to your resources for any users, although we recommend always applying permissions to groups.
  • Group Policies can be applied by OU administrators to any users logging onto your computers by using Loopback Policies.
  • ITS Exchange mailboxes can be assigned to any user by ITS Admins if you are a Full Serve Exchange unit.

Managing Groups

It is best to assign permissions to groups rather than to individuals. As an OU admin, you can create Security Groups, add users, and then assign permissions to resources.

To create groups:

  1. Using Active Directory Users and Computers, navigate to your OU and then to the Groups OU.
  2. Right-click and select New Group. The default Global Security Group is fine for most purposes.
  3. Enter the group name, which must follow one of these two naming conventions:
    • unit-anything
      (using the AD prefix assigned to your unit when you requested your OU)
      example: hsg-assistants
    • UnitAnyThing
      example: HousingAssistants
      This type of group is more appropriate if you plan on using Exchange and want to use the group as a distribution list and have it show up in the Global Address List.
  4. Don't mail enable the group unless you are using the ITS Exchange service. See the ITS Exchange Service website for more info.
  5. Open the newly created group and add members.
  6. Assign permissions to the group.
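As an added example (not part of the original UMROOT document), the group-creation steps above as a PowerShell routine that validates the name against the two naming conventions before creating the Global Security group and adding members. The prefix `hsg`, the unit name `Housing`, the Groups OU distinguished name and the member names are constructed placeholders; the ActiveDirectory RSAT module is assumed.

```powershell
# Added example, not the UMROOT document's own code. Validates a group name against
# the "unit-anything" and "UnitAnyThing" conventions, then creates the group.
Import-Module ActiveDirectory

function Test-UnitGroupName {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Prefix,    # AD prefix assigned to the unit, e.g. hsg
        [Parameter(Mandatory)][string]$UnitName   # CamelCase unit name, e.g. Housing
    )
    # Convention 1: prefix-anything (prefix, hyphen, free text without spaces)
    $hyphenated = "^$([regex]::Escape($Prefix))-[A-Za-z0-9-]+$"
    # Convention 2: UnitAnyThing (unit name followed by a capitalised word, no spaces)
    $camel = "^$([regex]::Escape($UnitName))[A-Z][A-Za-z0-9]*$"
    return ($Name -cmatch $hyphenated) -or ($Name -cmatch $camel)
}

function New-UnitSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$GroupsOU,   # DN of the unit's Groups OU (placeholder)
        [string[]]$Members = @(),
        [string]$Prefix = 'hsg',                   # constructed placeholder values
        [string]$UnitName = 'Housing'
    )
    if (-not (Test-UnitGroupName -Name $Name -Prefix $Prefix -UnitName $UnitName)) {
        throw "Group name '$Name' does not follow the '$Prefix-anything' or '$UnitName...' convention"
    }
    # Global Security group, as the document recommends; the group is not mail-enabled
    $group = New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security `
        -Path $GroupsOU -PassThru
    if ($Members.Count -gt 0) {
        Add-ADGroupMember -Identity $group -Members $Members
    }
    return $group
}

# Usage with constructed values: 'hsg-assistants' passes validation, 'Assistants' would not
New-UnitSecurityGroup -Name 'hsg-assistants' `
    -GroupsOU 'OU=Groups,OU=hsg,OU=Organizations,DC=example,DC=edu' `
    -Members 'uniqname1', 'uniqname2'
```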

An Organizational Unit (OU) is a container in an Active Directory domain that can hold objects from the same AD domain: other containers, groups, user accounts and computer accounts. An Active Directory OU is the smallest administrative unit within a domain to which an administrator can link Group Policy objects and on which permissions can be delegated to other users or groups.

Besides storing Active Directory objects, an OU serves two main purposes:

  • Delegation of management and administrative tasks within the domain to other administrators and users without granting them the domain administrator privileges;
  • Linking Group Policies (GPO) to all objects (users and computers) in this OU.

How to Create an Active Directory Organizational Unit Using the ADUC?

To create a new Organizational Unit in Active Directory, your account must have Domain Administrator permissions, or the permissions to create a new OU should be delegated (in the entire domain or in a specific container).

Open the Active Directory Users and Computers MMC snap-in (Win + R > dsa.msc) and select the domain container in which you want to create the new OU (in this example we create the OU in the root of the domain).


Right-click on the domain name and select New > Organizational Unit.


Specify the name of the OU to create.

You can also use the Directory Administrative Center (dsac.exe) to create new OUs:

  1. Switch to tree view and expand the domain or container where you want to create a new OU;
  2. Right-click on the OU or domain, select New > Organizational Unit;
  3. Specify the name of the OU. Additionally, you can specify a Description, assign a manager;
  4. Click OK, return to the Active Directory Administrative Center console and check if the new OU is now listed and is available for use.

Note that by default, when installing Active Directory, the domain contains several built-in containers and OUs:

  • Builtin — this container contains administrative and domain local security groups;
  • Computers — in this container, by default, computer accounts are created through the Computer Properties dialog after joining Windows to the domain.

    Note. You can change the container in which computer accounts are created by default with the command:
    redircmp "OU=Computers,OU=HQ,OU=USA,DC=THEITBROS,DC=COM"

  • Users — default container for new users and groups. Also, there are several predefined user accounts and groups (besides those in the Built-in container) in this container. This includes security groups for domain and forest management tasks. You can also change the default OU for users and groups with the command:
    redirusr "OU=Users,OU=HQ,OU=USA,DC=THEITBROS,DC=COM"
  • Domain Controllers — this is the OU, which contains all the domain controllers. When a server is promoted to a domain controller, its account is placed in this OU. The Default Domain Controller Policy is linked to this OU.

By default, every newly created Organizational Unit is protected from accidental deletion. If you open the properties of the OU, you will see that the option Protect object from accidental deletion is enabled on the Object tab. To delete the OU, you first need to clear this checkbox. When you delete an OU, you also delete all the (nested) objects it contains.


Note. You can also hide an AD OU from users.

Active Directory OU Structure

In a small Active Directory infrastructure (20-50 users) it is not necessary to create a complex OU structure; you can keep all objects in the default root containers (Users and Computers). In a large infrastructure, it is better to divide objects into separate containers. Typically the OU hierarchy in Active Directory is designed along geographic, functional, or organizational lines.

For example, your organization has branches worldwide in different countries and cities. It would be logical to create separate containers for each country at the top level of the domain, and also create separate containers inside the country for the city and/or state. Within each location, you can create separate OUs for administrators, groups, computers, servers, and users (see the screenshot below).


If necessary, you can add additional levels of the hierarchy (buildings, departments, etc.). In such an Active Directory hierarchy, you can flexibly delegate AD permissions and link GPOs.

How to Create an Active Directory OU Using PowerShell?

Previously, to create an AD OU, you could use the console utility dsadd. For example, to create an OU in a domain, you can run this command:

dsadd ou "ou=IT,dc=theitbros,dc=com"

In Windows Server 2008 R2 and newer, a separate module for working with AD appeared: the Active Directory module for Windows PowerShell (part of RSAT). You can use the New-ADOrganizationalUnit cmdlet to create an Organizational Unit. For example, to create a new OU named Canada in the root of the domain:

New-ADOrganizationalUnit -Name "Canada"

To create a new OU in an existing container, run the following command:

New-ADOrganizationalUnit -Name Toronto -Path "OU=Canada,DC=theitbros,DC=com" -Description "Toronto city" -PassThru


If you need to create a specific OU structure, you can create each OU one at a time, but it is much easier to script it in PowerShell.

Create a plain CSV file with a name column listing the OU names you want to create:


In order to create an OU structure according to this file, use the following PowerShell script:

$targetOU = "OU=Nevada,OU=USA,DC=theitbros,DC=loc"
$OUs = Import-Csv "C:\PS\new_ou.csv"
foreach ($ou in $OUs)
{
    Write-Host $ou.name
    New-ADOrganizationalUnit -Name $ou.name -Path $targetOU
}

Run the script and check if your OU structure has been created in the specified AD container.
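The CSV script above creates a flat list of OUs under one parent. As an added example (not the article's own script) that generalises it to the geographic country > city > functional hierarchy described in the Active Directory OU Structure section, the routine below creates each OU only if it is missing, so it can be re-run safely, and leaves the default accidental-deletion protection on. The country and city names are constructed sample data; the ActiveDirectory module and a domain-joined session are assumed.

```powershell
# Added example, not the article's code: idempotent creation of a nested OU layout.
Import-Module ActiveDirectory

function New-OUIfMissing {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path   # DN of the parent container
    )
    $dn = "OU=$Name,$Path"
    # Probe with -Filter scoped to the parent: returns nothing (no error) if the OU is absent
    $existing = Get-ADOrganizationalUnit -SearchBase $Path -SearchScope OneLevel `
        -Filter "Name -eq '$Name'"
    if (-not $existing) {
        # Protection against accidental deletion is kept on for every OU we create
        New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
        Write-Host "Created $dn"
    } else {
        Write-Host "Exists  $dn"
    }
    return $dn
}

# Constructed sample layout: country > city > functional OUs (Admins, Groups, ...)
$domainDN   = (Get-ADDomain).DistinguishedName
$layout     = @{
    'Canada' = @('Toronto', 'Vancouver')
    'USA'    = @('NewYork', 'LA')
}
$functional = @('Admins', 'Groups', 'Computers', 'Servers', 'Users')

foreach ($country in $layout.Keys) {
    $countryDN = New-OUIfMissing -Name $country -Path $domainDN
    foreach ($city in $layout[$country]) {
        $cityDN = New-OUIfMissing -Name $city -Path $countryDN
        foreach ($f in $functional) {
            New-OUIfMissing -Name $f -Path $cityDN | Out-Null
        }
    }
}
```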


Managing Active Directory OU with PowerShell

You can rename an existing OU using the Rename-ADObject cmdlet. Specify the OU's distinguished name (DN) or GUID as the -Identity parameter. For example, to rename the "HQ" OU to "NewYork":

Rename-ADObject -Identity "OU=HQ,DC=THEITBROS,DC=COM" -NewName NewYork

You can use the Set-ADOrganizationalUnit cmdlet to change the OU settings. In the following example, we will change the description and manager of the OU:

Set-ADOrganizationalUnit -Identity "OU=Test,OU=Nevada,OU=USA,DC=theitbros,DC=loc" -ManagedBy "CN=Alex Weber,CN=Users,DC=theitbros,DC=loc" -Description "Test OU for Alex Weber"

To remove an OU from Active Directory, use the Remove-ADOrganizationalUnit cmdlet. For example, the OU "NewYork" can be removed as follows:

Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Remove-ADOrganizationalUnit

Hint. Also, you can remove OU using the dsrm.exe tool:

dsrm.exe "OU=TestOU,DC=theitbros,DC=com" -subtree

If you receive the error "Remove-ADOrganizationalUnit : Access is denied", make sure the Protect object from accidental deletion option is not enabled. You can clear the ProtectedFromAccidentalDeletion attribute using PowerShell:

Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $False


If the OU contains objects, deletion fails with an error. To remove the OU together with all its child objects, use the -Recursive option:

Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Remove-ADOrganizationalUnit -Recursive

To find all unprotected Organizational Units for which the ProtectedFromAccidentalDeletion option is disabled:

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | FT Name,DistinguishedName,ProtectedFromAccidentalDeletion

To enable the delete protection option for all OUs in an Active Directory domain:

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

To move the OU, use the Move-ADObject cmdlet (the ProtectedFromAccidentalDeletion option should not be enabled on the source OU):

Move-ADObject -Identity "OU=Services,OU=NewYork,DC=THEITBROS,DC=Com" -TargetPath "OU=IT,OU=Enterprise,DC=THEITBROS,DC=Com"

Move-ADObject can also be used to move other AD objects (users, computers, groups) between OUs. For example, to move a computer to a new OU:

Move-ADObject -Identity "CN=pc-b11-23,OU=Computers,OU=NewYork,OU=USA,DC=theitbros,DC=com" -TargetPath "OU=Computers,OU=LA,OU=USA,DC=theitbros,DC=com"

To move several computers whose names are listed in a text file (one per line), you can use the following PowerShell script:

$computers = Get-Content C:\PS\MoveComputerList.txt
$TargetOU = "OU=Computers,OU=LA,OU=USA,DC=theitbros,DC=com"
ForEach ($computer in $computers) {
    Get-ADComputer $computer | Move-ADObject -TargetPath $TargetOU
}

The following PowerShell script allows you to count the number of enabled users in each OU of your domain.

Get-ADOrganizationalUnit -Properties CanonicalName -Filter * | Sort-Object CanonicalName |
ForEach-Object {
    [pscustomobject]@{
        CanonicalName = $_.CanonicalName
        UserCount = @(Get-ADUser -Filter 'enabled -eq $true' -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count
    }
}

If you want to count the number of disabled AD users, replace the line with:

UserCount = @(Get-ADUser -Filter 'enabled -eq $false' -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count

How to Delegate Active Directory Permissions to the Organizational Units?

When delegating Active Directory permissions on an OU to other users, grant the permissions to security groups rather than directly to user accounts. Then, to give a new user the same OU permissions, it is enough to add that user to the security group.

To delegate the permissions, right-click on the OU, and select Delegate Control.


In the Delegate Management Wizard, select the group of users to which you want to grant access.


Then, select the administrative tasks you want to delegate.


Common administrative tasks that can be delegated at the OU level include:

  • AD user management (create, edit, delete, etc.);
  • AD Group management (creating, deleting groups, modifying group membership);
  • Manage GPOs links;
  • Change Active Directory user passwords.
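Delegation done through the wizard is easy to grant and hard to keep track of, so it is worth reviewing periodically what has actually been delegated on an OU. As an added example (not from the original article), the routine below lists the access control entries set directly on an OU (not inherited from its parents) and resolves the object-type GUIDs to the schema class or extended right they refer to, so that an entry like "Reset Password on user objects" is readable. It assumes the ActiveDirectory module (which provides the AD: drive) and a domain-joined session; the OU distinguished name in the usage line is a placeholder.

```powershell
# Added example, not the article's code: audit rights delegated directly on an OU.
Import-Module ActiveDirectory

function Get-OUDelegation {
    param([Parameter(Mandatory)][string]$OUDistinguishedName)

    # Build a GUID -> name lookup from the schema (classes/attributes) and from the
    # Extended-Rights container (control access rights such as Reset Password)
    $rootDse = Get-ADRootDSE
    $guidMap = @{ ([guid]::Empty).ToString() = 'All' }
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties name, schemaIDGUID |
        ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
        ForEach-Object { $guidMap[([guid]$_.rightsGUID).ToString()] = $_.name }

    # Resolve a GUID to its name, falling back to the raw GUID if it is unknown
    $resolve = { param($g) if ($guidMap.ContainsKey($g.ToString())) { $guidMap[$g.ToString()] } else { $g } }

    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"
    $acl.Access |
        Where-Object { -not $_.IsInherited } |    # only ACEs set on this OU itself
        ForEach-Object {
            [pscustomobject]@{
                Identity    = $_.IdentityReference
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                AppliesTo   = & $resolve $_.ObjectType            # attribute/right/class
                InheritedTo = & $resolve $_.InheritedObjectType   # child object class
                Inheritance = $_.InheritanceType
            }
        }
}

# Usage (placeholder DN). Default ACEs for SYSTEM, Domain Admins and the built-in
# operator groups also appear here; the filter below narrows the output to others.
Get-OUDelegation -OUDistinguishedName 'OU=Toronto,OU=Canada,DC=theitbros,DC=com' |
    Where-Object { $_.Identity -notlike 'NT AUTHORITY\*' -and $_.Identity -notlike 'BUILTIN\*' } |
    Format-Table -AutoSize
```

Entries granted to a group that is not one of your intended delegation groups, or rights such as GenericAll applied to all child objects, are the ones to follow up on.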


What is an OU used for?

An organizational unit (OU) is a construct used to represent an organization whose resources are logically separate from those resources of other, similar organizations. You use OUs to control access to resources and to ensure data segregation.

What is the function of OU quizlet?

It is used to delegate the administration of objects. What is the function of OU? It creates containers within a domain that represent the hierarchical, logical structures within your organization.

What is the purpose of an OU in Active Directory?

Organizational units (OUs) in an Active Directory Domain Services (AD DS) managed domain let you logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific OUs, and apply group policy to enforce targeted configuration settings.

What is OU and its benefits?

An OU is a container within your domain that holds users, groups, computers, and other objects. You use an OU to store similar objects together, making them easier to find and administer. An OU is always contained within a single domain.