Active Directory loves hierarchy. Domains, Organizational Units (OUs), groups, users, and so forth. Sometimes it can be confusing—how do I best structure my AD? We’ve written a bit about domains (How do I name my domain? What happens if I rename my domain?), but today our focus will be on the difference between OUs and groups.
Get a Free Data Risk Assessment
Groups
Active Directory groups are used to assign permissions to company resources. As a best practice, you place users into groups and then apply the groups to an access control list (ACL).
It’s quite typical to have your AD groups mirror your company hierarchy (e.g., a group for Finance, Marketing, Legal, etc.).
Organizational Units
Organizational Units are useful when you want to deploy group policy settings to a subset of users, groups, and computers within your domain.
For example, a domain may have 2 sub-organizations (e.g., consumer and enterprise) with 2 separate IT teams managing them. Creating 2 OUs lets each IT team administer their own policies that affect only the users, computers, etc. that fall within their unit.
Organizational Units also allow you to delegate admin tasks to users/groups without having to make him/her an administrator of the directory.
Here’s an example: let’s assume that you have an organizational unit structure such that the top level OU is named Employees and the child OUs are Departments and HRUsers. Departments also includes child OUs such as SalesUsers, EngineeringUsers, FinanceUsers, and ExecutiveUsers. If you wanted someone from the IT department to have the ability to reset the password for all employees in all departments, you would establish that delegation of administration at the Departments OU level. If, however, you wanted a manager from the HR department to be able to reset the passwords for only the HR users, you would configure the delegation of administration on the HRUsers OU, giving them the ability to reset passwords exclusively for these users.
What kind of common administrative tasks can you delegate via OUs?
- Managing users (create, delete, etc.)
- Managing groups
- Modifying group membership
- Managing group policy links
- Resetting passwords on user accounts
The Difference Between…
This isn’t the only “what’s the difference between” question that comes up over and over. Check out some of the other ones:
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Michael Buckbee
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.
