Active Directory introduced one of the most useful objects in the Windows realm: the organizational unit (OU). This versatile tool allows administrators not only to organize resources within the Active Directory structure, but also to delegate administrative control to users who are not members of any administrative group. When OUs are used within a domain, users can be granted control over the resources they need to manage and, at the same time, gain autonomy over those resources. Users who do not have administrative control over an OU, or over objects within it, will not be able to affect resources within that OU.
To have complete control over an OU, you must first be delegated the Full Control permission. This delegation is provided by the domain owner and can be granted to users or groups. For efficiency's sake, you should create a group that will manage the OU and then delegate permissions to this group. You can then add the user accounts that need to manage the objects, otherwise known as the OU owners, to the group that holds the Full Control permission.
OU owners control all aspects of the OU they have been given authority over, as well as all of the objects that reside within the OU tree. Like the domain owner, they are not isolated from outside influence, because the domain owner retains control if the need arises. However, this autonomy over the resources allows the OU owner to plan and implement the objects necessary to effectively administer their OU hierarchy. This includes delegating administrative control to those users who need to be OU administrators.
OU administrators are responsible for the specific objects within their OU. Usually they will not have the ability to create child OUs. Their control will more than likely be limited to working with a specific object type within the OU. For example, the OU owner could delegate the ability to work with computer accounts to the technical support staff. This would allow the technical support staff to create and delete computer objects within the OU, but they would not be able to control or modify user objects within the OU. Controlling user objects could be delegated to a Human Resources employee who is responsible for creating user objects when a person is hired, and disabling and deleting objects when a person is discharged.
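The two levels of delegation described above (Full Control for the OU owners group, and object-type-specific rights for OU administrators such as technical support and HR) can be applied directly to the OU's security descriptor. The following PowerShell is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module is available, that the caller already holds rights to modify the OU's ACL, and uses constructed OU and group names. The computer and user class schemaIDGUIDs are the fixed, well-known values from the AD schema.

```powershell
# Added example: delegate an OU to an owners group (Full Control) and to two
# administrator groups limited to a single object class each.
# Assumes the ActiveDirectory module (RSAT) is installed and loaded.
Import-Module ActiveDirectory

# Constructed names for illustration; replace with your own OU and groups.
$ouDN        = "OU=Sales,DC=example,DC=com"   # OU being delegated
$ownersGroup = "Sales-OU-Owners"              # OU owners: Full Control over the tree
$techGroup   = "Sales-Tech-Support"           # may only create/delete computer objects
$hrGroup     = "Sales-HR"                     # may only manage user objects

# schemaIDGUIDs of the 'computer' and 'user' object classes (fixed schema values).
$computerClassGuid = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
$userClassGuid     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

function Get-GroupSid([string]$Name) {
    # Resolve a group to the SID used as the ACE trustee.
    [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $Name).SID
}

function New-AdAce {
    # Small wrapper around the ActiveDirectoryAccessRule constructors used below.
    param($Sid, $Right, $ObjectType = $null, $InheritedObjectType = $null)
    if ($null -ne $ObjectType -and $null -ne $InheritedObjectType) {
        return [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Sid, $Right, $Allow, $ObjectType, $Inherit::All, $InheritedObjectType)
    } elseif ($null -ne $ObjectType) {
        return [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Sid, $Right, $Allow, $ObjectType, $Inherit::All)
    } elseif ($null -ne $InheritedObjectType) {
        return [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Sid, $Right, $Allow, $Inherit::Descendents, $InheritedObjectType)
    } else {
        return [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $Sid, $Right, $Allow, $Inherit::All)
    }
}

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. OU owners: Full Control on the OU and everything beneath it.
$acl.AddAccessRule((New-AdAce (Get-GroupSid $ownersGroup) $Rights::GenericAll))

# 2. Technical support: create and delete computer objects in the OU tree, nothing else.
$createDelete = $Rights::CreateChild -bor $Rights::DeleteChild
$acl.AddAccessRule((New-AdAce (Get-GroupSid $techGroup) $createDelete -ObjectType $computerClassGuid))

# 3. HR: create/delete user objects, plus full rights on existing user objects only
#    (enough to disable an account when someone leaves); computer objects stay out of reach.
$acl.AddAccessRule((New-AdAce (Get-GroupSid $hrGroup) $createDelete -ObjectType $userClassGuid))
$acl.AddAccessRule((New-AdAce (Get-GroupSid $hrGroup) $Rights::GenericAll -InheritedObjectType $userClassGuid))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review what was delegated: one row per ACE granted to the three groups.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*Sales-*" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The point of the three ACEs is scope: the owners group receives GenericAll with inheritance over the whole subtree, while the technical support and HR groups receive rights bound to one object class GUID, so a member of the HR group cannot touch computer accounts and vice versa. The final query is the check worth keeping in a change record, since it shows exactly which trustees hold rights on the OU after the delegation.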
In the following sections we take a look at some of the design options that are available when creating OUs. This includes the choices that should be made so that changes within the organization will not adversely affect the OU structure.