Home / server / Questions / 797398
Accepted
redi
Asked: 2016-08-18 06:44:10 +0800 CST

Windows server. The difference between organisation units and groups? (Active directory)

  • 772

So they are both objects that you use to organise other objects. You can add users, groups and computers to both of them.

  1. What is the difference between them?
  2. What is the best way to divide users and computers of different departments in a company (OU or Groups)?
windows-server-2003 active-directory groups organizational-unit

3 Answers

  1. Best Answer

    Summary:

    OUs contain user objects, groups have a list of user objects.

    You put a user in a group to control that user's access to resources. You put a user in an OU to control who has administrative authority over that user.

    They're like folders (OU) and files (groups) on a file server (your AD): it is easier to manage permissions/ACLs on whole folders instead of single files, and let them be applied to the files (groups) by inheritance automatically. This analogy is explained in detail in Access Denied: Understand the Difference Between AD OUs and Groups:

    [...] because users and groups have ACLs, you can delegate portions of administrative authority to subadministrators. But, just as separately maintaining the ACL of every file is impractical, so is separately controlling administrative authority on each user or group object. Therefore, you can collect into an OU all the users and groups that you want to enable a particular subadministrator to manage, then grant the proper authority over the OU to that subadministrator. Permissions you define in an OU's ACL flow down to all the users and groups in that OU, just as folder ACLs flow down to all the files in a folder.

    Differences:

    • You can link group policies to OUs, but not groups
    • You can give file/folder/share permissions to groups, but not OUs
    • Groups have a SID, OUs do not

    Recommendations:

    • You should use OUs to organize your Active Directory, so it's easier to manage (for example to delegate administrative control over users & groups to other administrators)
    • You should use groups to give permission on resources (for example read permissions of a share on a file server)
    • From the linked resource:

      To help you keep OUs and groups straight, remember that a user can be a member of many groups but can reside in only one OU, just as a file can reside in only one folder.

    So you should use them both to do different things.

    • 3

  2. Generally use OUs to organise your active directory tree and apply group policies.

    Use groups for security by giving them permissions to resources, and then add users to them.

    • 0

    1. Groups are for granting access to data and organizational units (OUs for short) are for organizing and controling objects (users and computers) via delegation and group policy settings.

    2. This depends on your organizational fancy. How you want to logically organize your network.

    • 0