Stands for organizational unit, a type of container in Active Directory used to group objects for administrative purposes.


OUs are a form of container object in Active Directory—that is, they can contain other objects. For example, they can contain users, computers, groups, printers, or even other OUs. OUs are the smallest units in Active Directory to which:

  • Permissions and tasks can be delegated (see delegation in this chapter)

  • Group Policies may be applied (see Group Policy in this chapter)

Using OUs

When Active Directory is installed on a computer (making the computer assume the role of domain controller for a domain), there are a number of default containers (some of them are OUs and some are other types) created within the domain container (see Active Directory Users and Computers for more information on these). In a small, single-domain implementation of Active Directory, you could simply use these default containers and create no additional ones. But in larger domains or in multidomain enterprises, it is useful to create additional OUs for delegating administration and applying Group Policy to specific collections of users, groups, computers, printers, and other objects.

The general strategy for using OUs within a domain is to create a hierarchical or tree-like structure at least two levels deep consisting of top-level OUs and lower-level OUs. (You can have more than one top-level OU—that is, you can have multiple trees in your structure.) The hierarchy ...
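The distinction above between OUs and other container types, and the depth of the OU hierarchy, can be checked from a list of distinguished names. The following is an added example, not code from the book: the sample DNs, the example.com domain, and the function names are constructed for illustration. It relies on the fact that the default Users and Computers containers are generic containers (CN=) rather than OUs, while Domain Controllers is an OU.

```python
def split_dn(dn):
    """Split a DN into (ATTR, value) pairs, honoring backslash-escaped commas."""
    rdns, buf, esc = [], [], False
    for ch in dn:
        if esc:                      # character after a backslash is literal
            buf.append(ch); esc = False
        elif ch == "\\":
            buf.append(ch); esc = True
        elif ch == ",":              # unescaped comma ends the current RDN
            rdns.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out = []
    for r in rdns:
        attr, _, value = r.strip().partition("=")
        out.append((attr.upper(), value))
    return out

def placement(dn):
    """Return (kind of immediate parent, number of OU levels above the object)."""
    parents = [p for p in split_dn(dn)[1:] if p[0] != "DC"]  # skip own RDN and domain parts
    if not parents:
        return ("domain", 0)
    kind = "ou" if parents[0][0] == "OU" else "container"
    return (kind, sum(1 for attr, _ in parents if attr == "OU"))

def audit(dns):
    """List objects whose parent is not an OU, plus the OU depth of every object."""
    outside, depths = [], {}
    for dn in dns:
        kind, depth = placement(dn)
        depths[dn] = depth
        if kind != "ou":             # no OU-scoped Group Policy or delegation applies here
            outside.append(dn)
    return outside, depths

# Constructed sample input (hypothetical domain and object names)
SAMPLE_DNS = [
    "CN=Alice Smith,OU=Sales,OU=Seattle,DC=example,DC=com",
    "CN=WS042,CN=Computers,DC=example,DC=com",
    "CN=Smith\\, Bob,OU=Seattle,DC=example,DC=com",
    "CN=DC01,OU=Domain Controllers,DC=example,DC=com",
    "CN=Guest,CN=Users,DC=example,DC=com",
]

if __name__ == "__main__":
    outside, depths = audit(SAMPLE_DNS)
    for dn in SAMPLE_DNS:
        flag = "NOT IN OU" if dn in outside else "ok"
        print(f"{depths[dn]}  {flag:9}  {dn}")
```

Objects reported as not in an OU still receive policy linked at the domain or site level; they simply cannot be targeted by an OU-level link.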
