Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023

Read the report

Difference Between Organizational Units and Active Directory Groups

2 min read
Published June 25, 2015
Last updated June 2, 2023

Active Directory loves hierarchy. Domains, Organizational Units (OUs), groups, users, and so forth. Sometimes it can be confusing—how do I best structure my AD? We’ve written a bit about domains (How do I name my domain? What happens if I rename my domain?), but today our focus will be on the difference between OUs and groups.

Get a Free Data Risk Assessment


Active Directory groups are used to assign permissions to company resources. As a best practice, you place users into groups and then apply the groups to an access control list (ACL).

It’s quite typical to have your AD groups mirror your company hierarchy (e.g., a group for Finance, Marketing, Legal, etc.).

Organizational Units

Organizational Units are useful when you want to deploy group policy settings to a subset of users, groups, and computers within your domain.

For example, a domain may have 2 sub-organizations (e.g., consumer and enterprise) with 2 separate IT teams managing them. Creating 2 OUs lets each IT team administer their own policies that affect only the users, computers, etc. that fall within their unit.

Organizational Units also allow you to delegate admin tasks to users/groups without having to make him/her an administrator of the directory.

Here’s an example: let’s assume that you have an organizational unit structure such that the top level OU is named Employees and the child OUs are Departments and HRUsers. Departments also includes child OUs such as SalesUsers, EngineeringUsers, FinanceUsers, and ExecutiveUsers. If you wanted someone from the IT department to have the ability to reset the password for all employees in all departments, you would establish that delegation of administration at the Departments OU level. If, however, you wanted a manager from the HR department to be able to reset the passwords for only the HR users, you would configure the delegation of administration on the HRUsers OU, giving them the ability to reset passwords exclusively for these users.

What kind of common administrative tasks can you delegate via OUs?

  • Managing users (create, delete, etc.)
  • Managing groups
  • Modifying group membership
  • Managing group policy links
  • Resetting passwords on user accounts

The Difference Between…

This isn’t the only “what’s the difference between” question that comes up over and over. Check out some of the other ones:


What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
Azure Managed Identities: Definition, Types, Benefits + Demonstration
Use this guide to learn about Azure managed identities: What they are, how many types there are, and what benefits they offer, plus how they work.
Group Policy Objects (GPOs): How They Work & Configuration Steps
Group Policy Objects (GPOs) let system admins control and implement cybersecurity measures from a single location. Learn about GPOs and how they work here.
12 Group Policy Best Practices: Settings and Tips for Admins
Group Policy configures settings, behavior, and privileges for user and computers. In this article, you’ll learn best practices when working with Group Policy.
Securing Azure Blob Storage: Set-Up Guide
Security is vital in today’s cloud-first environment. Cloud services are often enabled to solve an issue quickly, but no one goes back to verify if security best practices have been…