2. Active Directory is a directory service, and it is the role of a directory
service to maintain information about enterprise resources, including users,
groups, and computers. Resources are divided into OUs to facilitate
manageability and visibility—that is, they can make it easier to find
objects.
3. Creating an Organizational Unit
Organizational units (OUs) are administrative containers within Active Directory that are
used to collect objects that share common requirements for administration, configuration,
or visibility. What this means will become clearer as you learn more about OU design and
management. For now, just understand that OUs provide an administrative hierarchy similar
to the folder hierarchy of a disk drive: OUs create collections of objects that belong together
for administration. The term administration is emphasized here because OUs are not used to
assign permissions to resources—that is what groups are for. Users are placed into groups
that are given permission to resources. OUs are administrative containers within which those
users and groups can be managed by administrators.
4. To create an organizational unit:
Open the Active Directory Users And Computers snap-in.
Right-click the Domain node or the OU node in which you want to add the new OU, point to New,
and then click Organizational Unit.
Type the name of the organizational unit. Be sure to follow the naming conventions of your
organization.
Select Protect Container From Accidental Deletion.
5. Click OK.
OUs have other properties that can be useful to configure. These properties can be set after the object has been created.
Right-click the OU and click Properties.
Follow the naming conventions and other standards and processes of your organization.
You can use the Description field to explain the purpose of an OU.
If an OU represents a physical location, such as an office, the OU’s address properties can be useful. You can use the
Managed By tab to link to the user or group that is responsible for the OU. Click the Change button under the Name box.
You’ll learn about the Select Users, Contacts, Or Groups dialog box later in this lesson. The remaining contact
information on the Managed By tab is
populated from the account specified in the Name box. The Managed By tab is used solely for contact information—the
specified user or group does not gain any permissions or access to the OU.
Click OK.
6. Windows Server 2008 introduced a new option when creating an OU: Protect Container From Accidental
Deletion. This option adds a safety switch to the OU so that it cannot be accidentally deleted. Two permissions
are added to the OU: Everyone::Deny::Delete and Everyone::Deny::Delete Subtree. No user, not even an
administrator, will be able to delete the OU and its contents accidentally. It is highly recommended that you
enable this protection for all new OUs.
If you want to delete the OU, you must first turn off the safety switch. To delete a protected OU, follow these
steps:
In the Active Directory Users And Computers snap-in, click the View menu and select Advanced Features.
Right-click the OU and click Properties.
Click the Object tab.
If you do not see the Object tab, you did not enable Advanced Features in step 1.
7. Clear the check box labeled Protect Object From Accidental Deletion.
Click OK.
Right-click the OU and click Delete.
You are prompted to confirm that you want to delete the OU. Click Yes.
If the OU contains any other objects, you are prompted by the Confirm
Subtree Deletion dialog box to confirm that you want to delete the OU
and all the objects it contains. Click Yes.
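The same create, protect, and delete sequence can be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original slides; the domain DC=example,DC=com, the OU name Sales-Demo, and the description text are constructed placeholders, and it assumes an English-language system where the well-known group is displayed as Everyone.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to manage OUs.
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=com'     # assumption: replace with your domain's DN
$ouName   = 'Sales-Demo'            # assumption: follow your naming conventions
$ouDN     = "OU=$ouName,$domainDN"

# Create the OU with a description and the safety switch turned on
# (the scripted equivalent of Protect Container From Accidental Deletion).
New-ADOrganizationalUnit -Name $ouName -Path $domainDN `
    -Description 'Demo OU for sales user accounts' `
    -ProtectedFromAccidentalDeletion $true

# Confirm the flag, then list the Deny entries for Everyone that the switch
# placed on the OU (Delete and Delete Subtree).
Get-ADOrganizationalUnit -Identity $ouDN -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, ProtectedFromAccidentalDeletion

(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone'
    } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights

# Audit: report every existing OU that does not have the protection enabled,
# so it can be reviewed and protected.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object Name, DistinguishedName

# Deliberate deletion: clear the safety switch first, then delete.
# -Recursive removes the OU together with any objects it contains;
# -Confirm keeps the confirmation prompt, as in the snap-in.
Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDN -Recursive -Confirm
```

Run the audit query on its own to find OUs created without the safety switch.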