Hi,
Can you please explain to me the difference between Groups and OUs? And how do we differentiate them in the real world?
Hi Inderpal!
Great question. I could see how this may cause confusion.
The way I think of it: Groups, specifically Security Groups, are used to apply permissions for administrative control to objects with SIDs (Security Identifiers).
Whereas OUs are more of a logical grouping to which Policies can be applied. I like to think of OUs as a basket bin that can hold other OUs, computers or users, and that helps keep your organization organized.
A few groups are easy to manage; however, in an enterprise environment it can be a challenge to keep everything accounted for.
Hope that helps.
Take care,
Cherokee
Hello Inderpal,
Thanks for watching, hope you are enjoying the shows.
Organizational Units (OUs) are container objects in Active Directory (AD). They serve three main purposes:
Think of an OU as a folder in a filing cabinet. If you had a form for each employee, you could put all of your forms in one folder in the filing cabinet. The problem is when you need to find a particular employee's form, you would have to dig through the whole stack. If you had separate folders for each department, it would be easier to find the employee you were looking for. Creating additional OUs in AD serves the same purpose: all of the sales user accounts in the sales OU, all of the marketing user accounts in the marketing OU, etc.
Now what if I wanted to give the sales administrator control over the sales user accounts? If all user accounts were in the same container, this would be difficult. If there is a sales OU that has only sales user accounts, it would be much easier to give the sales manager control over just the sales user accounts.
The third, and arguably the most important, is that we can apply Group Policy at the OU level. If there is a setting that should only apply to sales users, this becomes difficult if all users are in the same container. If there is an OU that contains only sales user accounts, the Group Policy can be linked there, and the setting would only apply to the sales users in that OU.
One thing to remember is you can move objects from one OU to another, but an object can only be in one OU. Think of the folders again. You can put a piece of paper in one folder. You can move that piece of paper from one folder to another. But you cannot put that piece of paper in two different folders.
Groups are used to gather objects so that they can be managed collectively, rather than individually. Let's say we have 1000 sales users and I need to give all sales users read and write (RW) permissions over a folder. I could add each sales user to the access control list for the folder, one at a time, and assign the permissions. This would take forever and be an administrative nightmare. Alternatively, I could put all 1000 sales users in a group, and then assign RW permission once, to the group, and be done.
Groups are not containers, they are more like membership lists. Since they are not containers, a user account can belong to more than one group. The sales manager would be a member of the sales group, getting the same permissions as all sales users. The sales manager would also belong to the managers group, getting permissions only managers should have.
An important thing to remember is that you cannot assign group policy to groups. You can only link Group Policy to sites, domains, and OUs.
Hope this helps, if you have any additional questions, feel free to ask.
Mike Rodrick
Edutainer, ITProTV
**if the post above has answered the question, please mark the topic as solved.
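The three OU purposes above (organization, delegation, a place to link policy) and the "membership list" nature of groups can be shown end to end in PowerShell. This is an added example, not part of the original post or ITProTV material. It assumes the RSAT ActiveDirectory module, a lab domain whose DN is read from Get-ADDomain, OU and group names (Sales, Marketing, Groups, SalesUsers, Managers, SalesAdmins) and a sample user "asales" that are all invented here, and that it runs as a domain admin in a throwaway lab.

```powershell
# Added example (not from the original thread). Assumes RSAT ActiveDirectory module,
# a lab domain, and domain-admin rights. All OU/group/user names below are made up.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example,DC=com
$netbios  = (Get-ADDomain).NetBIOSName

# 1. Organization: one OU per department, plus an OU that just holds groups.
#    Where a group lives does not matter for permissions, so many shops park them in one OU.
foreach ($ou in 'Sales', 'Marketing', 'Groups') {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $domainDn -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
}
$salesOu  = "OU=Sales,$domainDn"
$groupsOu = "OU=Groups,$domainDn"

# Users are created *in* their department OU (the -Path is the OU, i.e. the folder in the cabinet).
$pw = Read-Host -AsSecureString 'Initial password for lab account asales'
New-ADUser -Name 'Alice Sales' -SamAccountName 'asales' -Path $salesOu -AccountPassword $pw -Enabled $true
New-ADGroup -Name 'SalesUsers'  -GroupScope Global -GroupCategory Security -Path $groupsOu
New-ADGroup -Name 'Managers'    -GroupScope Global -GroupCategory Security -Path $groupsOu
New-ADGroup -Name 'SalesAdmins' -GroupScope Global -GroupCategory Security -Path $groupsOu

# 2. Delegation: give SalesAdmins full control over *user objects* under the Sales OU only.
#    The GUID is the schemaIDGUID of the 'user' class, so the ACE is inherited only by users,
#    not by computers, groups or nested OUs.
$userClassGuid  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$salesAdminsSid = (Get-ADGroup 'SalesAdmins').SID
$acl = Get-Acl -Path "AD:\$salesOu"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $salesAdminsSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$salesOu" -AclObject $acl

# 3. Groups are membership lists: one account can sit in many groups at once ...
Add-ADGroupMember -Identity 'SalesUsers' -Members 'asales'
Add-ADGroupMember -Identity 'Managers'   -Members 'asales'
Get-ADPrincipalGroupMembership -Identity 'asales' | Select-Object -ExpandProperty Name

# ... but an object lives in exactly one OU, which is simply its parent in the DN.
(Get-ADUser 'asales').DistinguishedName        # CN=Alice Sales,OU=Sales,DC=...
Move-ADObject -Identity (Get-ADUser 'asales').DistinguishedName -TargetPath "OU=Marketing,$domainDn"
(Get-ADUser 'asales').DistinguishedName        # now under OU=Marketing; group memberships are untouched
Get-ADPrincipalGroupMembership -Identity 'asales' | Select-Object -ExpandProperty Name

# 4. Access control is granted once, to the group, never per user (the 1000-user example).
$share = 'C:\Shares\Sales'                      # hypothetical share path for the example
New-Item -ItemType Directory -Path $share -Force | Out-Null
$fsAcl = Get-Acl -Path $share
$rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$netbios\SalesUsers", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$fsAcl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $fsAcl
```

Two things worth checking after running it: `(Get-Acl "AD:\$salesOu").Access | Where-Object IdentityReference -like '*SalesAdmins*'` should show the inherited-by-user ACE and nothing broader, and the user's group list should be identical before and after the Move-ADObject, which is the practical proof that OU placement and group membership are independent.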
Thanks for in depth explanation. really appreciate it.
Hi,
Just to clear this up: best practice is to make users > put them in groups > and in OUs?
Thanks
Yes and no
Groups and OUs serve two different purposes.
User accounts are put into OUs for organization, delegation of administration, and GPO application.
User accounts are put into groups to simplify the administration of permissions (access control)
So users get put into groups AND users get put into OUs, but users are not put into groups and then groups into OUs. It's not a nesting process. In fact, many companies have an OU that contains all of the groups, because what OU a group is in doesn't matter. Since group policy is not applied based on group membership, but rather based on where the object is in Active Directory, the location of groups in Active Directory is not important.
For example, let's say you have two OUs, OU1 and OU2. Let's create a user account, Bob, and put his account in OU1. Let's create a group called SalesUsers, and put the group in OU2. Let's add Bob to the SalesUsers group. Let's create a GPO that restricts access to regedit and link the GPO to OU2. So the question is, can Bob access regedit? The answer would be yes! Even though Bob belongs to a group that is in OU2, and the GPO is linked to OU2, Bob's account is not in OU2, and the policy will not apply to Bob.
I know that is probably confusing at first. The key to remember is groups and OUs serve different purposes, and are independent of each other. When I add a user to a group(s), it does not matter what OU the user account is in, or what OU the group is in. When I move a user account from one OU to another, it does not matter what group(s) the user belongs to.
So again, just keep in mind that groups and OUs are used for completely different purposes.
Hope this helps, and if you have more questions, don't hesitate to ask!
Mike Rodrick
Edutainer, ITProTV
**if the post above has answered the question, please mark the topic as solved.
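The Bob / SalesUsers / OU2 scenario above can be reproduced and checked with a small script. This is an added example, not code from the original post or from ITProTV. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a lab domain read from Get-ADDomain, domain-admin rights, and a GPO name "Restrict-Regedit" invented here; the helper function Get-UserGpoChain is also invented here and deliberately derives policy scope from the user's DN alone, which is the point of the post. It goes a little beyond the post by also walking the parent OU chain, since GPOs linked higher up inherit downward.

```powershell
# Added example (not from the original thread). Assumes RSAT ActiveDirectory + GroupPolicy
# modules, a lab domain, and domain-admin rights. OU1/OU2/bob/SalesUsers/Restrict-Regedit are made up.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

# Which GPOs reach a user? Only the containers in the user's DN count: the domain and every
# OU above the object. Group membership never enters into it. (Site links and "Block Inheritance"
# are ignored here for brevity; gpresult on the client is the authoritative check.)
function Get-UserGpoChain {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user  = Get-ADUser -Identity $SamAccountName
    $parts = $user.DistinguishedName -split '(?<!\\),'       # split on unescaped commas only

    # Index of the first DC= component: everything from there on is the domain DN.
    $dcIndex = 0
    while ($parts[$dcIndex] -notlike 'DC=*') { $dcIndex++ }
    $domain = $parts[$dcIndex..($parts.Count - 1)] -join ','

    # Containers from the domain downward to the user's own OU. CN= containers such as
    # CN=Users cannot carry GPO links (only sites, domains and OUs can), so they are skipped.
    $targets = @($domain)
    for ($i = $dcIndex - 1; $i -ge 1; $i--) {
        if ($parts[$i] -like 'OU=*') {
            $targets += ($parts[$i..($parts.Count - 1)] -join ',')
        }
    }

    # Links are processed top-down, so a GPO linked at the closest OU wins on conflicts.
    foreach ($target in $targets) {
        foreach ($link in (Get-GPInheritance -Target $target).GpoLinks) {
            if ($link.Enabled) {
                [pscustomobject]@{
                    User     = $SamAccountName
                    LinkedAt = $target
                    Gpo      = $link.DisplayName
                    Enforced = $link.Enforced
                }
            }
        }
    }
}

# --- Reproduce the scenario from the post -------------------------------------------
foreach ($ou in 'OU1', 'OU2') { New-ADOrganizationalUnit -Name $ou -Path $domainDn }

$pw = Read-Host -AsSecureString 'Initial password for lab account bob'
New-ADUser -Name 'Bob' -SamAccountName 'bob' -Path "OU=OU1,$domainDn" -AccountPassword $pw -Enabled $true
New-ADGroup -Name 'SalesUsers' -GroupScope Global -GroupCategory Security -Path "OU=OU2,$domainDn"
Add-ADGroupMember -Identity 'SalesUsers' -Members 'bob'

# GPO that sets "Prevent access to registry editing tools"
# (User Configuration > Administrative Templates > System), linked to OU2.
$gpo = New-GPO -Name 'Restrict-Regedit'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target "OU=OU2,$domainDn" | Out-Null

# Bob is a member of a group that sits in OU2 ...
Get-ADPrincipalGroupMembership -Identity 'bob' | Select-Object -ExpandProperty Name

# ... yet Restrict-Regedit is absent: Bob's DN is under OU1, and that is all that matters.
Get-UserGpoChain -SamAccountName 'bob' | Format-Table -AutoSize

# Move the *account* into OU2 and the GPO now appears, with group membership unchanged.
Move-ADObject -Identity (Get-ADUser 'bob').DistinguishedName -TargetPath "OU=OU2,$domainDn"
Get-UserGpoChain -SamAccountName 'bob' | Format-Table -AutoSize
```

On a domain-joined client, `gpresult /r /user bob` after Bob logs on shows the same thing from the client's point of view: the "Applied Group Policy Objects" list is driven by the account's location, while the "The user is a part of the following security groups" section is only used for GPO security filtering, not for deciding where a GPO is linked.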
@Mike-Rodrick Thanks again.. great help.