OU and Shadow Groups

Organizational Units (OUs) allow you to divide up objects in Active Directory into different locations, the same way that you would organize files into folders on your hard disk. Since OUs cannot be used directly in security, a shadow group can be created that contains the objects inside that OU. This shadow group can be used in security. This video looks at how to create OUs and use shadow groups.

Organizational Units
Like the folders on your hard disk, Organizational Units allow Active Directory objects to be organized into separate folders. Most administrators will create an OU hierarchy that matches their company layout. A common layout is geographical, then department, and then computers. Group Policy is applied to Organizational Units, so placing users and computers into separate OUs can be beneficial when using Group Policy.

Shadow Groups
A shadow group is a regular Active Directory group that contains the objects under an Organizational Unit. Since a shadow group is a regular group, it can be used for security; for example, it can be used to assign NTFS permissions on a folder. A shadow group effectively bridges the gap created by not being able to use an OU in security. A shadow group needs to be updated manually, or the updates need to be performed using a script. There is no automated method in Windows to do this.

An example script to keep shadow groups up to date can be found in Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).
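The following PowerShell script is an added example of the kind of synchronisation the text describes; it is not from the video or from Dan Holme's book. It assumes the RSAT ActiveDirectory module is installed, that the OU and group names are placeholders for your own, and that the account running it has been delegated the right to modify the shadow group's membership. It makes the group's user members match the user accounts located directly under the OU, adding the ones that are missing and removing the ones that have been moved out.

```powershell
# Added example (not the page's own code): keep a shadow group in sync with
# the user accounts that live directly under an OU.
Import-Module ActiveDirectory

$OU          = 'OU=Users,OU=New York,DC=example,DC=com'   # placeholder OU DN
$ShadowGroup = 'New_York_Users'                           # placeholder group

# Users that SHOULD be members: everything directly under the OU.
# SearchScope OneLevel mirrors the OU itself; use Subtree to include child OUs.
$desired = @(Get-ADUser -Filter * -SearchBase $OU -SearchScope OneLevel |
             Select-Object -ExpandProperty DistinguishedName)

# Users that currently ARE members. Non-user members (nested groups,
# computers) are ignored so the script never touches them.
$current = @(Get-ADGroupMember -Identity $ShadowGroup |
             Where-Object objectClass -eq 'user' |
             Select-Object -ExpandProperty DistinguishedName)

# Set difference in both directions, by distinguished name.
$toAdd    = @($desired | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $desired })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $ShadowGroup -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    # Remove-ADGroupMember prompts for confirmation by default; suppress it
    # so the script can run unattended from a scheduled task.
    Remove-ADGroupMember -Identity $ShadowGroup -Members $toRemove -Confirm:$false
}

Write-Output ('{0}: added {1}, removed {2} member(s)' -f $ShadowGroup, $toAdd.Count, $toRemove.Count)
```

Because the group carries real permissions, run the task under an account that has only "write members" on the shadow group (delegated through the OU or group ACL) rather than a domain administrator, and review the add/remove counts it logs: a sudden large removal usually means the OU was renamed or the search base is wrong, not that the users left.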
Default OUs
When you promote your first Domain Controller, and thus create your Active Directory environment, a number of OUs are created automatically. These default OUs cannot be deleted. They also cannot have Group Policy applied to them, except for the Domain Controllers OU, which can have Group Policy applied to it.

Builtin: When a server is promoted to a Domain Controller, its local user database is no longer accessible. To make up for this, any user accounts that exist in Builtin are shared between all Domain Controllers.
Users: This is the default location for user accounts when no location is specified. In most cases, when creating a new user, the administrator will decide which OU the user account is created in.
Computers: This is the default location for computer accounts. When a computer is added to the domain, the computer account for that computer is placed in this OU. Since Group Policy cannot be applied to this OU, an administrator will normally move computer accounts out of the Computers OU into another OU.
Domain Controllers: This OU contains all the computer accounts for the Domain Controllers in your domain. Unlike the other default OUs, Group Policy can be applied to this OU. By default, the Default Domain Controllers Policy is applied to this OU.


Administration of your OUs is done using the Active Directory Users and Computers tool.
To create an OU, right-click where you want it created, select New, and then select Organizational Unit.
When creating the Organizational Unit, you have the option to protect the container from accidental deletion.
In the properties of the OU there are many settings that can be configured. In many cases the information is informational only, but it does help.
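The same steps can be scripted. The PowerShell below is an added example, not code from the video: it builds the geography, department, computers layout mentioned earlier and sets the "protect from accidental deletion" option on every OU it creates, going slightly beyond the single OU the steps above create. The domain name and the site and department names are placeholders, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not the page's own code): create a protected OU hierarchy
# matching the site -> department -> Users/Computers layout.
Import-Module ActiveDirectory

$DomainDN = 'DC=example,DC=com'                 # placeholder domain
$Layout   = @{                                  # placeholder sites and departments
    'New York'   = @('Sales', 'Engineering')
    'Washington' = @('Sales', 'Finance')
}

function New-ProtectedOU {
    # Creates the OU if it does not already exist and returns its DN.
    param([string]$Name, [string]$Path)

    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        # ProtectedFromAccidentalDeletion is the checkbox shown in the
        # New Organizational Unit dialog in Active Directory Users and Computers.
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true | Out-Null
    }
    return "OU=$Name,$Path"
}

foreach ($site in $Layout.Keys) {
    $siteDN = New-ProtectedOU -Name $site -Path $DomainDN
    foreach ($dept in $Layout[$site]) {
        $deptDN = New-ProtectedOU -Name $dept -Path $siteDN
        # Separate Users and Computers OUs so Group Policy can target each
        # object type independently, and so computer accounts can be moved
        # here out of the default Computers container.
        New-ProtectedOU -Name 'Users'     -Path $deptDN | Out-Null
        New-ProtectedOU -Name 'Computers' -Path $deptDN | Out-Null
    }
}
```

Protecting an OU only adds a deny-delete ACE for Everyone on the object; it stops an accidental drag-and-drop or Delete, not a deliberate administrator who clears the flag first. Computer accounts that have already landed in the default Computers container still have to be moved (for example with Move-ADObject) into the new Computers OUs before Group Policy will reach them.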

What is an Organizational unit?
An organizational unit is effectively a container for storing Active Directory objects.

What is the difference between an OU and a group?
An OU is used mainly for Group Policy and delegation, besides providing a structure to sort and organize objects in Active Directory. Since an Active Directory object can only exist in one location at a time, OUs are limited in what they can achieve.

A group can contain objects from anywhere in the domain. The main difference is that a group can contain an object that is also a member of another group. For example, a user who travels between the New York and Washington offices could not be a member of multiple OUs, but could be a member of two groups called New_York_Users and Washington_users. With this extra flexibility, groups can be used when assigning permissions to resources, such as NTFS permissions, which OUs cannot.

