Groups and Organizational Units allow
administrators to better organize user and computer accounts within
their respective domains. This section will describe aspects of
planning and managing Groups and Organizational Units within your AD
domains.
1. Administering groups
Groups were developed to provide a more
simplified approach to organizing users and providing access to network
resources. In this section, we will discuss the various types and
options available for AD groups and how to implement them in your
deployment.
Group types
AD uses two primary group types—Security
Groups and Distribution Groups. These two group types provide very
different features within your AD deployment:
-
Distribution Groups—Distribution
Groups are used solely for the purpose of nonsecurity-related functions
such as sending e-mail to many people at the same time. Distribution
Groups are used heavily by Exchange server and more recently, Office
Communications Server.
-
Security Groups—These
groups are used to organize and assign permissions to users and
computers. Security Groups can also provide the same functionality as a
distribution group.
Group scopes
Group scopes determine whether membership and
permissions can apply to only a single domain, a domain tree, or an
entire forest. Three group scopes exist to provide access at different
levels within your organization. Table 1 provides details on the three group scopes available in Windows Server 2008 R2 AD.
Table 1. Active Directory Group Scopes
| Group Scope |
Membership |
Resource Permissions |
| Domain local group |
Users or computers from any domain |
Permissions assigned to resources in the local domain only. |
| Global group |
Users or computer from local domain only |
Permissions assigned to resources in any domain |
| Universal group |
Users and computers from any domain |
Permissions assigned to resources in any domain |
Nesting groups
In addition to including users and computers
within groups, you can also make group members of other groups. This is
known as group nesting. Nesting can be beneficial when used in
moderation, however, creating multiple levels of nesting can not only
increase the complexity of your group management but also add
additional load to your servers. Table 2 provides information about which groups can be nested into others.
Table 2. Active Directory Group Nesting
| Group Scope |
Groups that can be Nested Inside this Scope |
| Domain Local |
Universal |
| Global |
| Domain local |
| Global |
Global |
| Universal |
Global |
| Universal |
2. Planning for groups
Before setting up groups in AD, you should
properly plan and document how you want to use groups within your
organization. Just like user accounts, you need a consistent naming
convention and usage strategy. One of the more common group strategies
involves creating domain local groups related to various resources such
as file shares, printers, and internal applications. Then, global
groups are created for various workgroups such as marketing, finance,
and IT. Users are then assigned to the global groups. To give a
specific workgroup permission to a resource, you simply add the global
group to the local group. If a resource spans multiple domains, you may
want to consider the usage of universal groups. As a best practice, use
universal groups only when necessary as they create additional
replication traffic across the forest when changes are made. Figure 1 depicts what a typical group configuration might look like.
Administering Organizational Units
OUs, like groups, are a way of organizing
users, computers, and groups within AD. Unlike groups, OUs are not used
to assign permissions to resources but only to organize and manage AD
objects. In many ways, OUs are to AD as folders are to file systems.
Additionally, OUs provide the ability to apply GPOs and to delegate
administrative control over limited numbers of users, groups, and
computers.
Planning for Organizational Units
When planning your OU hierarchy, you need to
consider the best approach for organizing your users, groups, and
computers. Some companies create OU structures based upon geography,
others by business unit, and yet others by some other structure within
their companies. The way you set up OUs really depends on your
organization and how you plan on using the OUs. Things to consider when
planning your OU structure are as follows:
-
How do you want to manage users? By location? Business unit?
-
Will separate administrators be responsible for specific business units or geographic locations?
-
Do specific business units or geographic locations need similar desktop configurations?
-
Try to prevent nesting OUs too deep. The deeper the OU structure, the more complexity you will be adding to your deployment.
Creating and managing Organizational Units
OUs are created within the ADUC console. To create a new OU, perform the following tasks:
-
Log on to a DC and Open Server Manager.
-
Expand the nodes Roles | Active Directory Domain Services | Active Directory Users and Computers.
-
Right-click on the domain name (e.g., Contoso.com) and select the option New → Organizational Unit. The New Object—Organizational Unit window will appear.
-
Give the OU a meaningful name and ensure that the option to Protect container from accidental deletion is selected (see Figure 2).
This option prevents you from accidentally deleting OUs which may
contain hundreds or thousands of users, computers, and groups. As a
best practice, always choose to protect the OU when creating it.
-
Click OK to create the OU.
-
The OU should now be displayed under the
domain in ADUC. If you attempt to delete the OU, you will receive an
error message, as seen in Figure 3,
informing you that the OU is protected. To delete the OU, you will need
to open the OU properties by right-clicking on it and then disabling
the protection option selected during creation.
Additionally, you can delegate the
administrative functions of an OU to other users such as administrators
who may be responsible for a specific business unit. Perform the
following tasks to delegate permissions to an OU:
-
Log on to a DC and open Server Manager.
-
Expand the nodes Roles | Active Directory Domain Services | Active Directory Users and Computers | <your domain name>.
-
Right-click the OU that you want to delegate permissions to and choose the option Delegate Control. This will launch the Delegation of Control Wizard. Click Next to continue.
-
Add the administrator(s) whom you want to delegate permissions to (see Figure 4); Then click Next.
-
Select the permissions that you want to give the administrator over the OU (see Figure 5); then click Next.
-
Verify the delegation summary and click Finish to delegate permissions.
In the aforementioned example,
the financeadmin1 account should have the ability to manage users and
groups within the Finance OU. The financeadmin1 will not have rights to manage users and groups in other OUs within the domain.
|
