none
What is the difference between Organizational Unit and Groups and container? RRS feed

  • Question

  • What is the difference between Organizational Unit and Groups and Container? If group policy objects can be applied to an OU, then why do we need groups for security settings?

    Thanks and Regards, Radhakrishnan

    Monday, June 4, 2012 2:23 AM

Answers

  • Review the following links:

    An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority - http://technet.microsoft.com/en-us/library/cc758565(v=ws.10).aspx

    It is not possible to link a Group Policy object to a generic Active Directory container. (A generic Active Directory container is identifiable by its plain folder icon in the Active Directory Users and Computers console. The icon for an organizational unit is similar, except that a small book is superimposed on the folder.) However, users and computers in generic Active Directory containers do receive policy by inheritance from Group Policy objects linked at a higher level of Active Directory. For example, the Users and Computerscontainers you see in Active Directory Users and Computers cannot have Group Policy objects linked directly to them, but they do receive domain-linked Group Policy objects by means of inheritance. - http://technet.microsoft.com/en-us/library/cc978249.aspx

    Group – instead of applying security for individual users, you can use group to include multiple users.  A group can contain multiple users.


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/

    FaceBook Twitter LinkedIn SS Tech Forum

    This posting is provided AS IS with no warranties,and confers no rights.

    Monday, June 4, 2012 3:26 AM
    Moderator
  • What is the difference between Organizational Unit and Groups and Container? If group policy objects can be applied to an OU, then why do we need groups for security settings?

    Thanks and Regards, Radhakrishnan

    OU can be used to segregate/filter department bases on the region or type of users/groups/computers. You can apply group policy on the OU.

    Groups can be used to group to be able to apply permission instead of doing it one by one. Its easy to manage group then individual. Consider, you need to add 1000 users in a folder but instead of adding one by one, you can add a security group & later on you can modify group to add or remove users instead of going to folder & adding or removing it manually.

    http://en.wikipedia.org/wiki/Active_Directory

    Container are different type & its a logical component. There are inbuilt container & you can create also.

    If group policy objects can be applied to an OU, then why do we need groups for security settings?

    The security filtering is used to exclude users/group getting group policy.

    http://www.techrepublic.com/blog/datacenter/group-policy-object-filtering-by-security-group/3260


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 4, 2012 5:26 AM
    Moderator
  • What is the difference between Organizational Unit and Groups and Container

       OU - Structures are included to make Administrator job easy. For eg- You have 2 office 1. Main office 2. Branch office ,

       You want to separte users and computer accounts for respective location so that you can go ahead and manage them easily , then you need to create OU structure in AD and move the user accounts or computer acccounts respectively according to your need.

     Groups - Groups are mainly defined to for assgining permission to shared folders. You can define security groups , add them in the ACL of Folder where you need to hand over the read / read-write permissions. This way you can maintain and track the permission easily in AD

     Contanier - http://www.brighthub.com/computing/windows-platform/articles/33795.aspx

    If group policy objects can be applied to an OU, then why do we need groups for security settings?

      Your statement is not clear to me , GPO and security groups are different things. Please let us know what are you trying to ask?

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 4, 2012 6:42 AM
  • NO , You can add individual user accounts as well, But it is not a good practice,.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 4, 2012 6:51 AM

All replies

  • Review the following links:

    An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority - http://technet.microsoft.com/en-us/library/cc758565(v=ws.10).aspx

    It is not possible to link a Group Policy object to a generic Active Directory container. (A generic Active Directory container is identifiable by its plain folder icon in the Active Directory Users and Computers console. The icon for an organizational unit is similar, except that a small book is superimposed on the folder.) However, users and computers in generic Active Directory containers do receive policy by inheritance from Group Policy objects linked at a higher level of Active Directory. For example, the Users and Computerscontainers you see in Active Directory Users and Computers cannot have Group Policy objects linked directly to them, but they do receive domain-linked Group Policy objects by means of inheritance. - http://technet.microsoft.com/en-us/library/cc978249.aspx

    Group – instead of applying security for individual users, you can use group to include multiple users.  A group can contain multiple users.


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/

    FaceBook Twitter LinkedIn SS Tech Forum

    This posting is provided AS IS with no warranties,and confers no rights.

    Monday, June 4, 2012 3:26 AM
    Moderator
  • Plese refer below link

    http://technet.microsoft.com/en-us/library/cc728418(v=ws.10).aspx

    Yes you can fillter group policy application using security group and its MS recommended Best practise, by defualt GPO applys to authenticated users.

    http://technet.microsoft.com/en-us/library/cc779168(v=ws.10).aspx

    http://technet.microsoft.com/en-us/library/cc786636(v=ws.10).aspx

    Monday, June 4, 2012 5:22 AM
  • What is the difference between Organizational Unit and Groups and Container? If group policy objects can be applied to an OU, then why do we need groups for security settings?

    Thanks and Regards, Radhakrishnan

    OU can be used to segregate/filter department bases on the region or type of users/groups/computers. You can apply group policy on the OU.

    Groups can be used to group to be able to apply permission instead of doing it one by one. Its easy to manage group then individual. Consider, you need to add 1000 users in a folder but instead of adding one by one, you can add a security group & later on you can modify group to add or remove users instead of going to folder & adding or removing it manually.

    http://en.wikipedia.org/wiki/Active_Directory

    Container are different type & its a logical component. There are inbuilt container & you can create also.

    If group policy objects can be applied to an OU, then why do we need groups for security settings?

    The security filtering is used to exclude users/group getting group policy.

    http://www.techrepublic.com/blog/datacenter/group-policy-object-filtering-by-security-group/3260


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 4, 2012 5:26 AM
    Moderator
  • What is the difference between Organizational Unit and Groups and Container

       OU - Structures are included to make Administrator job easy. For eg- You have 2 office 1. Main office 2. Branch office ,

       You want to separte users and computer accounts for respective location so that you can go ahead and manage them easily , then you need to create OU structure in AD and move the user accounts or computer acccounts respectively according to your need.

     Groups - Groups are mainly defined to for assgining permission to shared folders. You can define security groups , add them in the ACL of Folder where you need to hand over the read / read-write permissions. This way you can maintain and track the permission easily in AD

     Contanier - http://www.brighthub.com/computing/windows-platform/articles/33795.aspx

    If group policy objects can be applied to an OU, then why do we need groups for security settings?

      Your statement is not clear to me , GPO and security groups are different things. Please let us know what are you trying to ask?

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 4, 2012 6:42 AM
  • So, only User rights and permissions for accessing Files and Folders can be assigned through Groups.

    Thanks and Regards, Radhakrishnan

    Monday, June 4, 2012 6:48 AM
  • NO , You can add individual user accounts as well, But it is not a good practice,.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 4, 2012 6:51 AM
  • No, you can use users/groups or individual user account but it is recommendation as well as best practices to use groups to avoid administration overhead to manage individual users. It is difficult to add 10000 users to a file & assign them permission but its easy to add a group, assign them permission & add all the user to the group which will save lot of effort & time.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 4, 2012 6:54 AM
    Moderator
  • Ok. Thanks.

    Thanks and Regards, Radhakrishnan

    Monday, June 4, 2012 6:55 AM
  • NO , You can add individual user accounts as well, But it is not a good practice,.

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    I think he was referring to Organizational Units VS Groups. He was asking "User rights and permissions for accessing Files and Folders can be assigned through Groups/Users." while Organizational units are used for blocking access to Control Panel and what not?


    • Edited by Midicide Saturday, May 18, 2013 1:52 AM
    Saturday, May 18, 2013 1:51 AM