What is the difference between group and organizational units in Active Directory?

An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority - http://technet.microsoft.com/en-us/library/cc758565(v=ws.10).aspx

It is not possible to link a Group Policy object to a generic Active Directory container. (A generic Active Directory container is identifiable by its plain folder icon in the Active Directory Users and Computers console. The icon for an organizational unit is similar, except that a small book is superimposed on the folder.) However, users and computers in generic Active Directory containers do receive policy by inheritance from Group Policy objects linked at a higher level of Active Directory. For example, the Users and Computers containers you see in Active Directory Users and Computers cannot have Group Policy objects linked directly to them, but they do receive domain-linked Group Policy objects by means of inheritance. - http://technet.microsoft.com/en-us/library/cc978249.aspx

Group – instead of applying security for individual users, you can use a group to include multiple users. A group can contain multiple users.


Santhosh Sivarajan | Houston, TX
http://www.sivarajan.com/


This posting is provided AS IS with no warranties, and confers no rights.

What is the difference between Organizational Unit and Groups and Container? If group policy objects can be applied to an OU, then why do we need groups for security settings?

Thanks and Regards, Radhakrishnan

An OU can be used to segregate/filter departments based on the region or type of users/groups/computers. You can apply group policy on the OU.

Groups can be used to apply permissions to many users at once instead of doing it one by one. It's easier to manage a group than individuals. Consider: you need to add 1000 users to a folder, but instead of adding them one by one, you can add a security group and later modify the group to add or remove users, instead of going to the folder and adding or removing them manually.

http://en.wikipedia.org/wiki/Active_Directory

Containers are a different type and are a logical component. There are inbuilt containers and you can also create them.

If group policy objects can be applied to an OU, then why do we need groups for security settings?

Security filtering is used to exclude users/groups from getting group policy.

http://www.techrepublic.com/blog/datacenter/group-policy-object-filtering-by-security-group/3260


Awinish Vishwakarma - MVP - Directory Services

My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

What is the difference between Organizational Unit and Groups and Container? 

   OU - Structures are included to make the administrator's job easy. For example, you have 2 offices: 1. Main office 2. Branch office.

   You want to separate user and computer accounts for the respective locations so that you can manage them easily; then you need to create an OU structure in AD and move the user accounts or computer accounts respectively according to your need.

 Groups - Groups are mainly defined for assigning permissions to shared folders. You can define security groups and add them to the ACL of the folder where you need to hand over read / read-write permissions. This way you can maintain and track the permissions easily in AD.

 Container - http://www.brighthub.com/computing/windows-platform/articles/33795.aspx

If group policy objects can be applied to an OU, then why do we need groups for security settings?

  Your statement is not clear to me; GPOs and security groups are different things. Please let us know what you are trying to ask.

Regards,

_Prashant_


MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

What's the difference between organizational units (OUs) and groups in Active Directory (AD)? I need to understand the difference between putting a user in the Human Resources OU and putting the user in the Human Resources group.

In Windows 2000 and AD, groups have the same function that they have in Windows NT or other OSs: You put a user in a group to control that user's access to resources. You put a user in an OU to control who has administrative authority over that user. To understand the difference between groups and OUs, consider this: Objects with SIDs (i.e., users, groups, and computers) can act on objects and be granted authority. Groups have a SID, and OUs don't.

For example, in Figure 1, Harry is a member of the Human Resources group and is contained in the Human Resources OU. The Human Resources group has Change access to the HRData folder. Therefore, Harry has Change access to HRData because he's a member of the Human Resources group. The Human Resources OU ACL grants Alice, the departmental administrator, Full Control of user objects, which means that Alice can administer Harry's user account because it's in the Human Resources OU.

An analogy might help you understand OUs. OUs are to AD as folders are to a file server. You no doubt know that each file on a file server has its own ACL but that, by default, files inherit the same permissions their parent folders have. Administrators believe best practice is to avoid maintaining file access on individual file ACLs and to instead use folder-level ACLs to manage access in the same way for all the files in the folder. In AD, like files on a file server, each user and group object has its own ACL that governs not what that user or group can access but who can view or edit that user's or group object's properties.

In AD, because users and groups have ACLs, you can delegate portions of administrative authority to subadministrators. But, just as separately maintaining the ACL of every file is impractical, so is separately controlling administrative authority on each user or group object. Therefore, you can collect into an OU all the users and groups that you want to enable a particular subadministrator to manage, then grant the proper authority over the OU to that subadministrator. Permissions you define in an OU's ACL flow down to all the users and groups in that OU, just as folder ACLs flow down to all the files in a folder. To help you keep OUs and groups straight, remember that a user can be a member of many groups but can reside in only one OU, just as a file can reside in only one folder.
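The Harry and Alice example above, worked as a small Python model; this is an added illustration, not code from the original article. The class names, DNs, SIDs and the dictionary-based ACLs are assumptions that simplify real AD ACLs, but they keep the two axes separate: group SIDs decide resource access, and the parent OU's ACL decides who administers the account.

```python
from dataclasses import dataclass, field
@dataclass
class Principal:  # user or group: has a SID, so it can be named on an ACL
    dn: str
    sid: str
    member_of: list = field(default_factory=list)  # DNs of groups
@dataclass
class OU:  # holds objects and carries an ACL, but has no SID of its own
    dn: str
    acl: dict = field(default_factory=dict)  # trustee SID -> right over child objects

def grant(acl, trustee, right):
    sid = getattr(trustee, "sid", None)
    if sid is None:  # an OU can never be a trustee
        raise TypeError(f"{trustee.dn} has no SID and cannot be placed on an ACL")
    acl[sid] = right

def token_sids(directory, user_dn):  # own SID plus all (nested) group SIDs
    seen, stack = set(), [user_dn]
    while stack:
        obj = directory[stack.pop()]
        if obj.sid not in seen:
            seen.add(obj.sid)
            stack.extend(obj.member_of)
    return seen

def resource_rights(directory, user_dn, acl):  # group axis: access to a resource
    sids = token_sids(directory, user_dn)
    return {right for sid, right in acl.items() if sid in sids}

def administrators_of(directory, object_dn):  # OU axis; naive DN split, no escapes
    parts, found = object_dn.split(",")[1:], {}
    while parts:
        parent = directory.get(",".join(parts))
        if isinstance(parent, OU):
            for sid, right in parent.acl.items():
                found.setdefault(sid, right)  # nearest OU wins
        parts = parts[1:]
    return found

def build_example():  # constructed data; DNs and SIDs are made up
    hr_ou = OU("OU=Human Resources,DC=example,DC=com")
    hr_group = Principal("CN=HR,OU=Groups,DC=example,DC=com", "S-1-5-21-1-1101")
    harry = Principal("CN=Harry," + hr_ou.dn, "S-1-5-21-1-1102", [hr_group.dn])
    alice = Principal("CN=Alice,OU=IT,DC=example,DC=com", "S-1-5-21-1-1103")
    hrdata_acl = {}
    grant(hrdata_acl, hr_group, "Change")    # folder ACL names the group
    grant(hr_ou.acl, alice, "Full Control")  # OU ACL delegates administration
    return {o.dn: o for o in (hr_ou, hr_group, harry, alice)}, hrdata_acl
```

Moving Harry's DN to another OU in this model changes the result of `administrators_of` but not `resource_rights`, which is the distinction the article draws.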

What is an important difference between groups and OUs?

Groups are generally used for security purposes, like giving permissions on a resource or granting privileges in an application. An OU is usually used to organize your organizational structure in AD and to apply Group Policy to the user/computer objects inside it and its child OUs.

What is organizational unit in Active Directory?

An organizational unit (OU) is a subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization's functional or business structure. Each domain can implement its own organizational unit hierarchy.

Is organizational unit a group?

Organizational units are dramatically different from groups. Here are just a few ways they are different from groups: Organizational units don't have SIDs. Organizational units can't be placed on an access control list.