The Difference Between Organizational Units and Active Directory Groups

Active Directory loves hierarchy. Domains, Organizational Units (OUs), groups, users, and so forth. Sometimes it can be confusing—how do I best structure my AD? We’ve written a bit about domains (How do I name my domain? What happens if I rename my domain?), but today our focus will be on the difference between OUs and groups.

Groups

Active Directory groups are used to assign permissions to company resources. As a best practice, you place users into groups and then apply the groups to an access control list (ACL).

It’s quite typical to have your AD groups mirror your company hierarchy (e.g., a group for Finance, Marketing, Legal, etc.).

Organizational Units

Organizational Units are useful when you want to deploy group policy settings to a subset of users, groups, and computers within your domain.

For example, a domain may have 2 sub-organizations (e.g., consumer and enterprise) with 2 separate IT teams managing them. Creating 2 OUs lets each IT team administer their own policies that affect only the users, computers, etc. that fall within their unit.

Organizational Units also allow you to delegate admin tasks to users/groups without having to make him/her an administrator of the directory.

Here’s an example: let’s assume that you have an organizational unit structure such that the top level OU is named Employees and the child OUs are Departments and HRUsers. Departments also includes child OUs such as SalesUsers, EngineeringUsers, FinanceUsers, and ExecutiveUsers. If you wanted someone from the IT department to have the ability to reset the password for all employees in all departments, you would establish that delegation of administration at the Departments OU level. If, however, you wanted a manager from the HR department to be able to reset the passwords for only the HR users, you would configure the delegation of administration on the HRUsers OU, giving them the ability to reset passwords exclusively for these users.

What kind of common administrative tasks can you delegate via OUs?

  • Managing users (create, delete, etc.)
  • Managing groups
  • Modifying group membership
  • Managing group policy links
  • Resetting passwords on user accounts

The Difference Between…

This isn’t the only “what’s the difference between” question that comes up over and over. Check out some of the other ones:

Get the latest security news in your inbox.