Organizational units (OUs) are administrative containers within Active Directory that are used to collect objects that share common requirements for administration, configuration, or visibility. What this means will become clearer as you learn more about OU design and management. For now, just understand that OUs provide an administrative hierarchy similar to the folder hierarchy of a disk drive: OUs create collections of objects that belong together for administration.

The term administration is emphasized here because OUs are not used to assign permissions to resources—that is what groups are for. Users are placed into groups that are given permission to resources. OUs are administrative containers within which those users and groups can be managed by administrators.
To create an organizational unit:

1. Open the Active Directory Users And Computers snap-in.
2. Right-click the Domain node or the OU node in which you want to add the new OU, choose New, and then select Organizational Unit.
3. Type the name of the organizational unit. Be sure to follow the naming conventions of your organization.
4. Select Protect Container From Accidental Deletion. You’ll learn more about this option later in this section.
5. Click OK.

OUs have other properties that can be useful to configure. These properties can be set after the object has been created.

6. Right-click the OU and choose Properties. Follow the naming conventions and other standards and processes of your organization. You can use the Description field to explain the purpose of an OU. If an OU represents a physical location, such as an office, the OU’s address properties can be useful.

The Managed By tab can be used to link to the user or group that is responsible for the OU. Click the Change button underneath the Name box. By default, the Select User, Contact, Or Group dialog box that appears does not, despite its name, search for groups; to search for groups, you must first click the Object Types button and select Groups. You’ll learn about the Select Users, Contacts, Or Groups dialog box later in this lesson. The remaining contact information on the Managed By tab is populated from the account specified in the Name box. The Managed By tab is used solely for contact information—the specified user or group does not gain any permissions or access to the OU.

7. Click OK.
The Windows Server 2008 administrative tools add a new option: the Protect Container From Accidental Deletion check box. This option adds a safety switch to the OU so that it cannot be accidentally deleted. Two permissions are added to the OU: Everyone::Deny::Delete and Everyone::Deny::Delete Subtree. No user, not even an administrator, will be able to delete the OU and its contents accidentally. It is highly recommended that you enable this protection for all new OUs.
If you want to delete the OU, you must first turn off the safety switch. To delete a protected OU, follow these steps:

1. In the Active Directory Users And Computers snap-in, click the View menu and select Advanced Features.
2. Right-click the OU and choose Properties.
3. Click the Object tab. If you do not see the Object tab, you did not enable Advanced Features in step 1.
4. Clear the check box labeled Protect Object From Accidental Deletion.
5. Click OK.
6. Right-click the OU and choose Delete.
7. You will be prompted to confirm that you want to delete the OU. Click Yes.
8. If the OU contains any other objects, you will be prompted by the Confirm Subtree Deletion dialog box to confirm that you want to delete the OU and all the objects it contains. Click Yes.
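The safety switch described above can also be audited and enabled in bulk from PowerShell, which is useful for checking that existing OUs were not created without it. This is an added example, not from the book; it assumes the ActiveDirectory module (from RSAT) is installed and the caller may modify the OUs. The right the book calls "Delete Subtree" is named DeleteTree in the .NET ActiveDirectoryRights enumeration.

```powershell
# Added example: find OUs without the accidental-deletion safety switch,
# show the Deny ACEs behind it, and turn it on where it is missing.
Import-Module ActiveDirectory

# ProtectedFromAccidentalDeletion reflects the two Deny ACEs for Everyone
# (Delete and Delete Subtree) that the snap-in's check box adds.
function Get-UnprotectedOu {
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}

# Read the OU's ACL through the AD: drive and return only the Everyone Deny
# entries that carry the Delete or DeleteTree right, so you can confirm what
# the flag really changes on the object.
function Get-OuDeletionDenies {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $deleteRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            "$($_.IdentityReference)" -like '*Everyone' -and
            ($_.ActiveDirectoryRights -band $deleteRights)
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
}

# Review the list first, then enable the switch. Remove -WhatIf to apply.
$unprotected = Get-UnprotectedOu
$unprotected | Format-Table -AutoSize
foreach ($ou in $unprotected) {
    Set-ADOrganizationalUnit -Identity $ou.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true -WhatIf
}

# Example check on one OU after enabling protection (placeholder DN):
# Get-OuDeletionDenies -DistinguishedName 'OU=Example,DC=contoso,DC=com'
```

Run Get-OuDeletionDenies against an OU before and after setting the flag to see the two Deny entries appear, which is the same change the Object tab check box makes.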
Reference: Configuring Windows Server 2008 Active Directory, by Dan Holme, Danielle Ruest, Nelson Ruest, and Tony Northrup.