Chapter 7. Managing organizational units


Imagine you have a domain with 6000 users, 6000 workstations, 700 groups, and 500 servers. If all of those objects are in a single container, you’ll have a hard time delegating administrative permissions and applying Group Policy. Organizational units (OUs) are used to give structure to your domain. You can put objects that are related by the rules you define, such as all the users in a specific business unit or location, into specific OUs and use those OUs to control the delegation of administrative permissions and the application of Group Policy. In a nutshell, OUs break the mass of objects in your domain into manageable sets.

In the preceding example, an OU may contain a few hundred users or computers, which is a more manageable proposition. OUs contain the objects you’ve read about in chapters 2 through 6. This chapter covers the OU lifecycle.

You might assume that managing OUs begins with creating them, but first you need to know why you’re creating them and what you intend to use them for. After a little bit of background, which explains the whys, you’ll learn how to create OUs.

One nightmare scenario for AD administrators is “I’ve just deleted an OU with hundreds of user accounts in it.” There’s a simple technique to protect your OUs and their contents from accidental deletion. It’ll be second nature to use it after you’ve finished this chapter.

7.1. OU concepts

7.2. Creating an OU with the GUI tools

7.3. Creating an OU with PowerShell

7.4. Protecting OUs from accidental deletion

7.5. Managing OUs

7.6. Moving objects between OUs

7.7. Lab

7.8. Ideas for on your own