Implementing Organizational Units (OU) in Windows Server 2016
In directory services, an organizational unit (OU) is a way to group objects in a directory, or names in a digital certificate hierarchy, and is typically used to tell apart objects with the same name (for example, Felicity Doe in OU "Sales" and Felicity Doe in OU "Customer Service"). OUs are also used to parcel out administrative authority, for instance giving local technicians the right to create users in their own OU instead of managing all user accounts from a single central group.
Organizational Units are found in X.500 directories, Active Directory (AD), X.509 certificates (the OU component of a distinguished name), Lightweight Directory Access Protocol (LDAP) directories, Lotus Notes and most other directory or certificate naming systems.
In Active Directory, OUs live beneath a top-level container, the domain. An OU can be nested inside another OU; the contained OU is called the child and the containing OU the parent, so OUs build a hierarchy of containers within a domain. Parent-child relationships exist only within a single domain: OUs of the same name in different domains are independent of each other.
In Windows, an Organizational Unit is a container object in AD DS that is used mainly for two things: scoping the application of Group Policy, and delegating administrative permissions over the objects stored inside it.
Creating
Organizational Units in Windows Server 2016
Before proceeding with this task, plan the structure you are trying to build. Which organisational structure you implement is up to you, and it should follow how you intend to deploy your Group Policies.
Three main points to consider before you start creating your Organizational Units in AD:
- Application of Group Policy Objects – consider how your Group Policy Objects will be applied to the users and computers in each OU (for instance to map data shares and printers). This will be explored further in later lessons.
- Delegation of Control – which accounts have control permissions over network resources.
- Organisation – the layout of the OU objects in AD for easy navigation.
1. Launch Active Directory Users and Computers (ADUC) and select the top-level domain, which in our example is HyperVOneLab.local. Spend some time examining the structure of this object tree: notice that Domain Controllers is of type Organizational Unit (with its own icon), whereas the other default entries such as Users and Computers are of type Container. Group Policy can be linked to an OU but not to a plain container, which is one reason to create OUs for your own users and computers rather than leaving them in the default containers.
2. Right-click the domain (or an existing OU), point to New and click Organizational Unit.
3. A dialogue box opens prompting for a name for your new OU. If you are designing your infrastructure for an organisation with multiple locations around the world, name your OUs accordingly (for example by country or site) for easy identification and management. Leave 'Protect container from accidental deletion' ticked and click OK to create your OU. We shall discuss the importance of that checkbox, and how to clear it when you do need to delete an OU, further down the lesson.
4. The tree should now look like the screenshot below, with the default Users container and the newly created OUs beneath the domain. If you already have users, move them into their respective OUs by dragging and dropping the accounts (ADUC warns you before moving objects, because any Group Policy linked to the target OU will start applying to them).
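The same OU structure built from PowerShell, as an added example that is not part of the original article. It creates the UK OU used later in the lesson, two nested OUs, and moves existing users into one of them. The HyperVOneLab.local domain comes from the article; the OU names 'UK Users' and 'UK Computers' and the Department filter are assumptions for illustration. Run it on a domain controller or on a workstation with the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original article). Assumes the article's lab domain
# HyperVOneLab.local and a machine with the ActiveDirectory RSAT module installed.
Import-Module ActiveDirectory

$domainDN = "DC=HyperVOneLab,DC=local"

# Top-level location OU. -ProtectedFromAccidentalDeletion is the checkbox from step 3;
# New-ADOrganizationalUnit defaults it to $true, it is written out here to make the intent explicit.
New-ADOrganizationalUnit -Name "UK" -Path $domainDN -ProtectedFromAccidentalDeletion $true

# Nested child OUs (names are assumptions for the example)
foreach ($child in "UK Users", "UK Computers") {
    New-ADOrganizationalUnit -Name $child -Path "OU=UK,$domainDN" -ProtectedFromAccidentalDeletion $true
}

# Move existing accounts out of the default Users container into the new OU.
# The Department attribute filter is an assumption; use whatever identifies your UK staff.
$toMove = Get-ADUser -Filter 'Department -eq "UK Sales"' -SearchBase "CN=Users,$domainDN"
$toMove | Move-ADObject -TargetPath "OU=UK Users,OU=UK,$domainDN"

# Check: the new hierarchy, and the accounts that now sit in it
Get-ADOrganizationalUnit -Filter * -SearchBase "OU=UK,$domainDN" |
    Select-Object DistinguishedName
Get-ADUser -Filter * -SearchBase "OU=UK Users,OU=UK,$domainDN" |
    Select-Object SamAccountName, DistinguishedName
```

Scripting the structure has a side benefit over the GUI: the same script can be re-run in a test domain first, and the naming convention (country, then object type) is enforced rather than remembered.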
Preventing Organizational Units from
Accidental Deletion
In step 3 we left 'Protect container from accidental deletion' ticked. This matters because OUs hold user and computer accounts: deleting an OU deletes everything beneath it. Under the hood the checkbox adds a Deny entry for Everyone on the Delete and Delete Subtree permissions of the object. An administrator can still remove that entry, which is exactly what unticking the box does, so the setting guards against mistakes rather than against a malicious or compromised administrator.
To see and change this setting you need to enable Advanced Features in ADUC: click View > Advanced Features.
You will notice that the AD object tree now shows additional containers, and the property sheets of your OUs gain extra tabs. Right-click the OU you want to delete and select Properties. On the Object tab, untick 'Protect object from accidental deletion' and click OK; you can now delete the Organizational Unit, along with everything inside it, so double-check its contents first.
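The protection flag, the access-control entry it writes, and a deliberate deletion done from PowerShell, as an added example that is not part of the original article. It assumes the article's HyperVOneLab.local domain and a UK Users OU nested under a UK OU; run it as a Domain Admin on a machine with the ActiveDirectory module.

```powershell
# Added example (not from the original article). Assumes HyperVOneLab.local and
# an existing OU=UK Users,OU=UK that you genuinely want to remove.
Import-Module ActiveDirectory

$domainDN = "DC=HyperVOneLab,DC=local"
$ouDN     = "OU=UK Users,OU=UK,$domainDN"

# Audit: every OU in the domain that is NOT protected (the ones a slip of the mouse can remove)
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Select-Object DistinguishedName

# What the checkbox actually writes: a Deny ACE for Everyone on Delete and DeleteTree
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq 'Everyone' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# While protected, the delete is refused even for a Domain Admin
try {
    Remove-ADOrganizationalUnit -Identity $ouDN -Recursive -Confirm:$false -ErrorAction Stop
} catch {
    Write-Warning "Delete refused while protected: $($_.Exception.Message)"
}

# Deliberate removal: clear the flag (the equivalent of unticking the box on the Object tab),
# then delete. Any protected child OU would still block this and must be cleared the same way.
Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity $ouDN -Recursive -Confirm:$false
```

The first query is the one worth scheduling: OUs created by scripts or imported from other tools do not always carry the flag, and the GUI gives no overview of which ones are exposed.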
Delegation of Control over Organizational Units (OU)
Microsoft Active Directory offers the Delegation of Control Wizard to help administrators assign specific permissions over the objects in an OU without making the delegate an administrator. Different levels of delegated permission can be granted on any OU in the organisation; for instance, a managing director may be given control over the OU holding business-critical accounts, while the HR department is delegated only the right to update user attributes in its own OU.
Password resets are a good example. In an organisation with a large number of users the helpdesk receives a steady stream of reset requests, and every one of them is a point at which an attacker can try to social-engineer their way into the network: the helpdesk must verify that the caller really is the employee they claim to be, yet helpdesk staff are unlikely to know every employee personally. A department supervisor usually does know their own people, so it is sensible to delegate the task of resetting passwords for that department's OU to the supervisor. Keep in mind what the right actually grants: whoever holds it can set a new password on any user object in the OU. Keep the OU scope tight, keep administrative and service accounts out of delegated OUs, treat the delegate's own account as a privileged one, and monitor the reset events it generates. Let's see how to implement delegation of control.
5. This step assumes that you have already created users and moved them into their designated OU. In this example I'll demonstrate the process on the UK OU, which contains a nested UK Users OU. Right-click the OU and select Delegate Control.
6. The Delegation of Control Wizard opens, explaining that it lets you grant users or groups permission to manage users, groups, computers, organizational units and other objects stored in Active Directory Domain Services. Click Next.
7. You now get the option to add the users or groups to which control is delegated. Click Add, enter the name of the user (in our example Jane Doe), click Check Names and then OK. Outside a lab, delegate to a group and make Jane a member of it, so the delegation survives staff changes.
8. Double-check this entry for the correct account, especially in large organisations where employees have similar names. Once confirmed, the delegation gives this account real power over every user object in the OU, so make sure you have selected the right user, then click Next.
9. We are now ready to select the tasks to delegate. Many options are available, which you can explore later, but for this task select 'Reset user passwords and force password change at next logon' and click Next.
10. Confirm your settings on the final page of the wizard. The summary shows the OU on which delegation is being assigned and the user who is being delegated. If you're happy, click Finish.
11. Congratulations: you have implemented delegation of control over an Organizational Unit. As discussed above, this makes sense from a security standpoint: a trusted manager who knows the staff resets their passwords instead of the helpdesk, which removes an opportunity for social engineers. To verify what the wizard did, with Advanced Features enabled right-click the OU, select Properties, open the Security tab and click Advanced: you should see entries for Jane Doe granting the 'Reset password' extended right and read/write of pwdLastSet, applying to descendant User objects.
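The wizard's 'Reset user passwords and force password change at next logon' task written as explicit access-control entries in PowerShell, followed by the checks to run afterwards. This is an added example, not the article's own steps or Microsoft code. It assumes the article's HyperVOneLab.local domain and UK Users OU, a sAMAccountName of jdoe for Jane Doe, and a delegation group named UK-PasswordResetters (both assumptions); it deliberately delegates to a group rather than directly to Jane's account, which is what you would do outside a lab.

```powershell
# Added example (not from the original article). Assumptions: HyperVOneLab.local,
# OU=UK Users,OU=UK, Jane Doe's account is 'jdoe', group name UK-PasswordResetters.
Import-Module ActiveDirectory

$domainDN  = "DC=HyperVOneLab,DC=local"
$ouDN      = "OU=UK Users,OU=UK,$domainDN"
$groupName = "UK-PasswordResetters"

# Delegate to a group, then put the supervisor in it
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -Path "OU=UK,$domainDN"
}
Add-ADGroupMember -Identity $groupName -Members "jdoe"
$sid = (Get-ADGroup -Identity $groupName).SID

# The three GUIDs behind the wizard task
$userClass  = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the user class
$resetPwd   = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # "Reset Password" control access right
$pwdLastSet = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"   # pwdLastSet attribute

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # user objects below the OU, not the OU itself

$acl = Get-Acl -Path "AD:\$ouDN"
# ACE 1: Reset Password extended right on descendant user objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $inherit, $userClass)))
# ACE 2: Read + Write pwdLastSet, needed to set "must change password at next logon"
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
           [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    $allow, $pwdLastSet, $inherit, $userClass)))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check 1: the ACEs the Security tab would now show for the group
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType

# Check 2: the accounts the delegation actually reaches. Accounts with adminCount=1 are
# rewritten by AdminSDHolder with inheritance disabled, so the OU ACEs never apply to them;
# everything else listed here (including any service accounts) can now be reset by the group.
Get-ADUser -Filter * -SearchBase $ouDN -Properties AdminCount |
    Where-Object { $_.AdminCount -ne 1 } |
    Select-Object SamAccountName, DistinguishedName

# Check 3 (run on a domain controller): recent password resets, event ID 4724 in the Security log,
# so delegated use can be reviewed
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4724 } -MaxEvents 20 |
    Select-Object TimeCreated, Message
```

Writing the entries by hand rather than through the wizard makes two things visible that the GUI hides: the right is scoped to objects of class user below the OU (nothing else in the OU is touched), and nothing in the grant itself stops a delegate from resetting a sensitive non-admin account that happens to live in that OU, which is why the second check exists.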
Final
Thoughts
I hope you found this article useful for creating and managing Organizational Units. Further lessons on Group Policy Management will build on this concept and show how security policies can be leveraged to better protect resources in an organisation's network infrastructure.
Do leave some
comments on other ways to perform this task to help other students learn more.
Thank you
for investing your time with us.
Written By:
www.codexploitcybersecurity.com Twitter:
@ixploitsecurity Facebook: https://www.facebook.com/icybersecure
Credits to all organisations and development teams at Microsoft
Corporation