What are OUs and Containers?
OUs group AD DS objects
An organizational unit (OU) is an object in a domain that you can use to store user objects, computer objects, group objects, and other objects. With OUs you can link GPOs directly and delegate an OU manager.
Containers have limited functionality
Containers are used for system objects and as the default locations for new objects. Containers have limited management capabilities. You cannot link a GPO to a container. You cannot create an OU in a container.
When to create more OUs?
Although you can manage a small organization without creating additional OUs, even small organizations typically create an OU hierarchy. An OU hierarchy lets you subdivide the administration of your domain for management purposes. There are basically two reasons to create OUs.
- Application of GPOs. To group objects together to make it easier to manage them by applying Group Policy Objects (GPOs) to the whole group. You can link GPOs to the OU, and the settings apply to all objects within the OU. For example, you create an OU for contractors who have different security requirements than full-time employees.
- Delegation of control. To delegate administrative control of objects within the OU. You can assign management permissions on an OU, thereby delegating control of that OU to an AD DS user or group. For example, you create an OU to manage a satellite office in a different geographical location. Then, you delegate control of the OU to a group.
How to Design the OU Hierarchy
Create OUs based on your organization
When you design an OU hierarchy, you can follow many strategies. You can create a flat, wide structure that has only one or two levels of OUs. You can create a deep, narrow structure that has five or more levels of nesting OUs; or you can create anything in between. The key factor in designing your OU hierarchy is that it should help you manage your organization.
- Geographic location. There might be local IT staff for delegating management, local regulations that require specific policies, or many other factors.
- Departmental characteristics. Typically, different departments are managed differently and have unique requirements.
- Resource type. Some organizations create separate OUs for different resources. File servers are typically managed differently than computers that are running SQL Server and require different policies applied to them.
- Management structure. Some organizations want their OU hierarchy to mirror their management structure.
Are there default OUs and containers?
Every AD DS domain has a standard set of containers and OUs that are created when you install AD DS.
- Builtin container. Stores several default groups.
- Computers container. The default location for new computer accounts that you create in the domain.
- Domain Controllers OU. The default location for domain controllers' computer accounts. This is the only OU that's present in a new installation of AD DS.
- Foreign Security Principals container. The default location for trusted objects from domains outside the AD DS forest. Typically, these are created when an object from an external domain is added to a group in the AD DS domain.
- Managed Service Accounts. The default location for managed service accounts. AD DS provides automatic password management in managed service accounts.
- Users container. The default location for new user accounts and groups that you create in the domain. The Users container also holds the administrator and guest accounts for the domain, and some default groups.
Are there any hidden containers?
Some containers are hidden in Active Directory Users and Computers.
There are several containers that you can see only when you select Advanced Features on the View menu.
By default, the following objects are hidden.
- LostAndFound. This container holds orphaned objects.
- Program Data. This container holds Active Directory data for Microsoft applications, such as Active Directory Federation Services (AD FS).
- System. This container holds the built-in system settings.
- NTDS Quotas. This container holds directory service quota data.
- TPM Devices. This container is new with Windows Server 2012. It stores the recovery information for Trusted Platform Module (TPM) devices.
No comments:
Post a Comment