Organizational Units

Active Directory allows administrators to create a hierarchy within a domain that meets the needs of their organization. The object class of choice for building these hierarchies is the class organizationalUnit , a general-purpose container that can be used to group most other object classes together for administrative purposes. An organizational unit in Active Directory is analogous to a directory in the file system; it is a container that can hold other objects.

Administrative Hierarchy

Organizational units can be nested to create a hierarchy within a domain and form logical administrative units for users, groups, and resource objects, such as printers, computers, applications, and file shares. The organizational unit hierarchy within a domain is independent of the structure of other domains; each domain can implement its own hierarchy. Likewise, domains that are managed by a central authority can implement similar organizational unit hierarchies. The structure is completely flexible, which allows organizations to create an environment that mirrors the administrative model, whether it is centralized or decentralized.

For information about planning and implementing an organizational unit hierarchy, see "Designing the Active Directory Structure" in the Deployment Planning Guide .

Group Policy

Group Policy can be applied to organizational units to define the abilities of groups of computers and users that are contained within the organizational units. Levels of control range from complete desktop lockdown to a relatively autonomous user experience. Group Policy can affect functionality, such as what applications are available to a group of users, what features within an application are accessible on a particular computer, where documents are saved, and access and user permissions. Group Policy also affects where, when, and how application and operating system updates or special scripts are applied.

Group Policy settings are stored as Group Policy objects in Active Directory. A Group Policy object can be associated with one or more Active Directory containers, such as a site, domain, or organizational unit.

For more information about Group Policy, see "Introduction to Desktop Management,""Software Installation and Maintenance," and "Group Policy" in this book.

Delegation of Control

The Windows 2000 object-based security model implements default access control that is propagated down a particular subtree of container objects. You use this technology to determine the security for an entire group of objects according to the security that you set on the organizational unit that contains the objects, which effectively delegates administrative control to individuals in the organization. The best way to take full advantage of delegation and inherited control on directory objects is to organize the hierarchy to match the way that the directory is administered.


Because Active Directory is indexed, there is no need to organize the tree for ease of browsing, which is likely to run counter to administrative objectives.

Administrative control over directory objects can be applied — or delegated — to organizational units through access control. (For more information about administrative control, see "Delegation of Administration" later in this chapter.)