  • Logan Toms

Creating Organizational Units in Active Directory

Organizational Units (OUs) within Active Directory (AD) can be representative of departments in a company, each containing different types of resources relevant to their functions, including user accounts, groups, computers, and even other OUs. This blog post will explain the concept of OUs, help you understand their importance, guide you through creating your first OU and sub-OUs, and talk a little about OU protection.


 



 

Terminology

  • Organizational Units (OUs): Hierarchical containers in Active Directory used to organize resources such as user accounts, groups, computers, and other OUs.

  • Active Directory (AD): Microsoft's directory service for Windows domain networks that stores information about objects on a network and makes it easy for administrators to manage the data and resources.

  • Group Policy Objects (GPOs): A collection of settings in the Microsoft Windows OS that controls what a system will look like and how it will behave for a defined group of users.

  • Domain: A collection of computers, users, and other resources under a single administration, typically representing an organization on a network.

  • Protect container from accidental deletion: A feature in AD that prevents OUs and other critical objects from being unintentionally deleted.

  • Sub-OUs: Child OUs nested within a parent OU to represent an organization's specific division, department, or category.

  • Containers: An object in AD where other directory objects, like user and computer accounts, are placed by default. Unlike OUs, group policies cannot be applied directly to these containers.


 

The Key Functions of Organizational Units

  1. Building a Clear Structure: OUs organize your resources in a clear, logical hierarchy like an organizational chart. This makes it easy to manage your directory and aligns your IT efforts with the company's structure.

  2. Delegating Tasks: OUs allow you to distribute control. You can delegate different tasks to various administrators or groups. This ensures efficient task management and strengthens security.

  3. Implementing Policies: OUs are handy for applying Group Policy Objects (GPOs) - policies you can set for users or computers. By linking GPOs to OUs, you can better manage and set up user and computer environments.

  4. Simplifying Resource Management: When you group related accounts or resources within an OU, management becomes more straightforward and efficient.


 

Creating Your First Organizational Unit


The first OU often represents your organization or the highest level in your organizational hierarchy. In our case, we'll create an OU for our fictitious coffee company, Caffeinated Coders Coffee Co.

  1. Launch Active Directory: On the opening screen, you'll see your domain (e.g., "mydomain.com") and some default OUs.

  2. Create the Top-Level OU: Right-click the domain and navigate to "New" > "Organizational Unit." In the "New Object" window, input your company's name as the new OU.

Creating a top-level OU

With our top-level OU set up for our coffee company, let's create sub-OUs to reflect our company structure.


 


Creating Sub-OUs (Departments)


For our company, we will build our Active Directory Organizational Unit (OU) structure using a department model: the OUs are divided according to the different departments within our organization.


Creating the IT Department: The process is the same as creating our first OU. Right-click the parent OU (the company OU), select "New" > "Organizational Unit," and type in the name of the department.

Creating sub-OUs

[Applied Learning] Complete the creation of two additional departments for our company: HR and Sales.

After completion, your AD structure should look like the picture provided below:

Creating sub-OUs

 

Creating OUs for User, Group, and Computer Objects


When you create user, group, and computer objects in AD, the system automatically places them in their respective containers. However, you cannot link group policy objects (GPOs) to these containers. To prepare for future GPO applications, we'll set up separate OUs for users, groups, and computers. This practice is recommended regardless of the OU model used by your organization.


Creating sub-OUs for Objects: Repeat the OU creation process within the parent OU.

Right-click the parent OU (IT Department), select "New" > "Organizational Unit," and type in the name of the object. Repeat until you have created OUs for user, group, and computer objects.


GIF: Creating sub-OUs

[Applied Learning] Complete the creation of user, group, and computer sub-OUs for the other departments in our company: HR and Sales.
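The same hierarchy can be built from PowerShell, which makes the structure repeatable and keeps the protection flag explicit. This is an added example, not part of the original post; the OU names ("IT", "HR", "Sales", "Users", "Groups", "Computers"), the spelling of the company OU, and the helper name New-OuIfMissing are assumptions.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumed names: adjust to match what you typed in the "New Object" window.
$companyName = 'Caffeinated Coders Coffee Co'
$departments = 'IT', 'HR', 'Sales'
$objectOus   = 'Users', 'Groups', 'Computers'

function New-OuIfMissing {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path
    )
    # Look only at direct children of $Path; returns nothing if the OU is absent.
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" `
        -SearchBase $Path -SearchScope OneLevel
    if (-not $existing) {
        # Same as leaving "Protect container from accidental deletion" checked.
        New-ADOrganizationalUnit -Name $Name -Path $Path `
            -ProtectedFromAccidentalDeletion $true
    }
    "OU=$Name,$Path"   # distinguished name of the (new or existing) OU
}

$domainDn  = (Get-ADDomain).DistinguishedName       # e.g. DC=mydomain,DC=com
$companyDn = New-OuIfMissing -Name $companyName -Path $domainDn

foreach ($dept in $departments) {
    $deptDn = New-OuIfMissing -Name $dept -Path $companyDn
    foreach ($ou in $objectOus) {
        $null = New-OuIfMissing -Name $ou -Path $deptDn
    }
}

# Show the resulting tree, with the protection flag for each OU.
Get-ADOrganizationalUnit -Filter * -SearchBase $companyDn `
    -Properties ProtectedFromAccidentalDeletion |
    Sort-Object DistinguishedName |
    Select-Object DistinguishedName, ProtectedFromAccidentalDeletion
```

The script is safe to re-run: OUs that already exist are left untouched, so it can also be used to fill in the HR and Sales branches after creating IT by hand.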


 

The Protection Feature in Organizational Units

While creating your OU, you might have seen the "Protect container from accidental deletion" option.

New Object - Organizational Unit

This feature protects your OUs and other important objects in Active Directory. When enabled, it prevents accidental deletion by requiring an extra step for confirmation. If you try to delete a protected OU, you'll get an error message.

Deleting sub-OU

Error Message

How to Delete a Protected Organizational Unit (OU)

To delete a protected OU, you'll need to disable the "Protect container from accidental deletion" setting. Here are the steps:

  1. Navigate to "View" in the menu bar and ensure that "Advanced Features" is checked. This is necessary as it allows you to access more detailed properties of objects.

  2. Find and right-click on the OU that you want to delete.

  3. Click on "Properties".

  4. Navigate to the "Object" tab (Note that this tab is only visible if "Advanced Features" is enabled).

  5. Uncheck "Protect object from accidental deletion" and then click "OK".

  6. You can now delete the OU by right-clicking it and selecting "Delete".

Deleting a Protected OU

Remember, exercise extreme caution when deleting OUs, especially those containing vital user accounts, computer accounts, and other crucial resources. Deletion of an OU will also remove any sub-OUs or objects inside it.


The Importance of Protection in a Live Environment

In a real-world setup, this protective feature is vital. OUs usually contain critical user accounts, computer accounts, and security groups. Accidental deletion could cause serious issues. By default, this protection is enabled when creating new OUs in Active Directory and can be disabled by unchecking the box, if necessary.
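Because the box can be unchecked, it is worth checking periodically that no OU has been left unprotected. The following is an added example, not part of the original post: it reports OUs whose protection is off, re-enables it, and wraps the six deletion steps above in a function that refuses to delete an OU that still contains objects. The function names are hypothetical; the cmdlets and the ProtectedFromAccidentalDeletion property come from the ActiveDirectory module.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Report every OU in the domain whose protection flag is off.
function Get-UnprotectedOu {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}

# Turn protection back on for everything the report finds.
function Enable-OuProtection {
    Get-UnprotectedOu | ForEach-Object {
        Set-ADOrganizationalUnit -Identity $_.DistinguishedName `
            -ProtectedFromAccidentalDeletion $true
    }
}

# Scripted form of the manual steps: clear the flag, then delete.
# Refuses to act on an OU that still holds sub-OUs or other objects.
function Remove-ProtectedOu {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)] [string] $Identity)   # distinguished name of the OU

    $children = @(Get-ADObject -Filter * -SearchBase $Identity -SearchScope OneLevel)
    if ($children.Count -gt 0) {
        throw "$Identity still contains $($children.Count) object(s); move them first."
    }
    if ($PSCmdlet.ShouldProcess($Identity, 'Clear protection and delete OU')) {
        Set-ADOrganizationalUnit -Identity $Identity `
            -ProtectedFromAccidentalDeletion $false
        Remove-ADOrganizationalUnit -Identity $Identity -Confirm:$false
    }
}

# Typical use: review first, then fix.
Get-UnprotectedOu
# Enable-OuProtection
# Remove-ProtectedOu -Identity 'OU=Test,DC=mydomain,DC=com' -WhatIf   # constructed DN
```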


 

In today's blog post, we dove into the fundamental aspects of Organizational Units (OUs) in Active Directory, understanding their structure and importance. We took practical steps in creating our first top-level OU, representing a fictitious company, and built a further hierarchy with sub-OUs. Finally, we learned about the essential 'Protect container from accidental deletion' feature, which helps maintain the security and integrity of our digital workspace by preventing accidental deletions.


Next, we'll learn how to create, manage, and organize user accounts efficiently within our OUs, further enhancing our understanding and mastery of Active Directory.
