Groups and Organizational Units allow
administrators to better organize user and computer accounts within
their respective domains. This section will describe aspects of
planning and managing Groups and Organizational Units within your AD
domains.
1. Administering groups
Groups provide a simpler way to organize users and to grant them access to
network resources. In this section, we will discuss the group types and
scopes available in AD and how to implement them in your deployment.
Group types
AD uses two primary group types—Security Groups and Distribution Groups.
The two serve very different purposes within your AD deployment:
-
Distribution Groups—Distribution Groups are used solely for non-security
functions such as sending e-mail to many people at once. They cannot be used
to assign permissions: a distribution group is not included in a user's access
token, so an ACE that names one has no effect. Distribution Groups are used
heavily by Exchange Server and, more recently, Office Communications Server.
-
Security Groups—These groups are used to organize users and computers and
to assign permissions to them. A Security Group can also be mail-enabled and
so provide the same functionality as a Distribution Group.
Group scopes
Group scopes determine where a group can draw its members from and where it
can be granted permissions: within a single domain only, or anywhere in the
forest. Three group scopes exist to provide access at different levels within
your organization. Table 1 provides details on the three group scopes available in Windows Server 2008 R2 AD.
Table 1. Active Directory Group Scopes
| Group Scope | Membership | Resource Permissions |
| --- | --- | --- |
| Domain local group | Users or computers from any domain in the forest | Permissions assigned to resources in the local domain only |
| Global group | Users or computers from the local domain only | Permissions assigned to resources in any domain |
| Universal group | Users or computers from any domain in the forest | Permissions assigned to resources in any domain |
Nesting groups
In addition to users and computers, groups can also contain other groups.
This is known as group nesting. Nesting is beneficial when used in moderation,
but multiple levels of nesting not only increase the complexity of your group
management and add load at logon (every nested group must be expanded to build
the user's access token), they also make it harder to see who actually has
access to a resource, because a user's effective rights can only be determined
by expanding every level of nesting. Table 2 shows which group scopes can be nested inside each scope.
Table 2. Active Directory Group Nesting
| Group Scope | Groups that can be nested inside this scope |
| --- | --- |
| Domain local | Domain local (from the same domain only), Global, Universal |
| Global | Global (from the same domain only) |
| Universal | Global, Universal |
2. Planning for groups
Before setting up groups in AD, you should plan and document how groups will
be used within your organization. Just like user accounts, groups need a
consistent naming convention and usage strategy. One of the more common
strategies is to create domain local groups for individual resources such as
file shares, printers, and internal applications, and global groups for
workgroups such as marketing, finance, and IT. Users are placed in the global
groups, and the permissions on each resource are granted to its domain local
group. To give a workgroup access to a resource, you simply add its global
group to the resource's domain local group; no ACL needs to be touched. If a
resource is used by accounts from multiple domains, consider universal groups,
but use them only when necessary: universal group membership is stored in the
global catalog and replicated to every global catalog server in the forest, so
every membership change generates forest-wide replication traffic. Figure 1 depicts what a typical group configuration might look like.
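The AGDLP arrangement just described, together with the effective-membership check that the nesting section calls for, as an added example in PowerShell using the ActiveDirectory module that ships with Windows Server 2008 R2 (and RSAT). This is not code from the original text. The domain contoso.com, the OU=Groups container, the file server folder \\fs01\Finance, the group names and the user accounts jdoe and asmith are assumptions for illustration.

```powershell
# Added example: AGDLP (Accounts -> Global group -> Domain Local group -> Permissions).
# All names below are assumed for illustration; adjust them to your own domain.
Import-Module ActiveDirectory

$groupOU   = "OU=Groups,DC=contoso,DC=com"   # assumed container for groups
$sharePath = "\\fs01\Finance"                # assumed NTFS folder behind the share

# 1. Domain local group named for the resource and the level of access it grants.
#    This is the only principal that should ever appear in the resource's ACL.
New-ADGroup -Name "RES_Finance_Modify" -GroupScope DomainLocal -GroupCategory Security `
    -Path $groupOU -Description "Modify on $sharePath"

# 2. Global group for the workgroup. Accounts go here, not in the resource group.
New-ADGroup -Name "Finance_Users" -GroupScope Global -GroupCategory Security `
    -Path $groupOU -Description "Finance department staff"
Add-ADGroupMember -Identity "Finance_Users" -Members "jdoe", "asmith"

# 3. Nest the global group in the domain local group. Giving the department access
#    to another resource later is one more Add-ADGroupMember, not an ACL edit.
Add-ADGroupMember -Identity "RES_Finance_Modify" -Members "Finance_Users"

# 4. Assign the NTFS permission to the domain local group, inherited by subfolders and files.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    "CONTOSO\RES_Finance_Modify",          # identity
    "Modify",                              # FileSystemRights
    "ContainerInherit, ObjectInherit",     # InheritanceFlags
    "None",                                # PropagationFlags
    "Allow")                               # AccessControlType
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 5. Audit the effective membership. Without -Recursive the output would show only
#    "Finance_Users"; -Recursive expands every nested group so you can see which
#    accounts actually receive Modify on the folder.
Get-ADGroupMember -Identity "RES_Finance_Modify" -Recursive |
    Select-Object Name, objectClass, distinguishedName

# 6. Audit the ACL itself. Any explicit ACE that names a user or a global group
#    directly bypasses the AGDLP model and deserves a second look.
(Get-Acl -Path $sharePath).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it from an account that can create groups in the assumed OU and change the folder's ACL; the last two commands are read-only and can be rerun on their own as a periodic check.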
Administering Organizational Units
OUs, like groups, are a way of organizing
users, computers, and groups within AD. Unlike groups, OUs are not security
principals: an OU cannot be granted permissions to a resource and never appears
in an access token. OUs exist only to organize and manage AD objects. In many
ways, OUs are to AD as folders are to file systems. What OUs do provide is the
ability to link GPOs to them and to delegate administrative control over a
limited set of users, groups, and computers.
Planning for Organizational Units
When planning your OU hierarchy, you need to
consider the best approach for organizing your users, groups, and
computers. Some companies create OU structures based upon geography,
others by business unit, and yet others by some other structure within
their companies. The way you set up OUs really depends on your
organization and how you plan on using the OUs. Things to consider when
planning your OU structure are as follows:
-
How do you want to manage users? By location? Business unit?
-
Will separate administrators be responsible for specific business units or geographic locations?
-
Do specific business units or geographic locations need similar desktop configurations?
-
Avoid nesting OUs too deeply. The deeper the OU structure, the more complexity you add to your deployment, and the harder it becomes to reason about which GPOs and delegations apply to a given object.
Creating and managing Organizational Units
OUs are created within the ADUC console. To create a new OU, perform the following tasks:
-
Log on to a DC and open Server Manager.
-
Expand the nodes Roles | Active Directory Domain Services | Active Directory Users and Computers.
-
Right-click on the domain name (e.g., Contoso.com) and select the option New → Organizational Unit. The New Object—Organizational Unit window will appear.
-
Give the OU a meaningful name and ensure that the option to Protect container from accidental deletion is selected (see Figure 2).
This option prevents you from accidentally deleting OUs which may
contain hundreds or thousands of users, computers, and groups. As a
best practice, always choose to protect the OU when creating it.
-
Click OK to create the OU.
-
The OU should now be displayed under the
domain in ADUC. If you attempt to delete the OU, you will receive an
error message, as seen in Figure 3,
informing you that the OU is protected. To delete the OU, right-click it,
open its properties, and clear the protection option on the Object tab
(the Object tab is only shown when Advanced Features is enabled on the ADUC
View menu). Because clearing the protection is itself an administrative
change, treat it as one and re-enable protection if the OU is kept.
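The same OU creation, plus the check that no OU in the domain was left unprotected, as an added example in PowerShell with the ActiveDirectory module. This is not code from the original text; the domain contoso.com and the OU name Finance are assumptions for illustration.

```powershell
# Added example: create a protected OU and find OUs that were created without protection.
Import-Module ActiveDirectory

$domainDN = "DC=contoso,DC=com"   # assumed domain

# Equivalent of steps 3 to 5 above, with "Protect container from accidental deletion" set.
New-ADOrganizationalUnit -Name "Finance" -Path $domainDN -ProtectedFromAccidentalDeletion $true

# The check: OUs created earlier by script, or by someone who cleared the checkbox.
# Protection is a queryable attribute, not just a GUI option.
function Get-UnprotectedOUs {
    param([string]$SearchBase)
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

$unprotected = Get-UnprotectedOUs -SearchBase $domainDN
$unprotected | Select-Object Name, DistinguishedName

# Turn protection on for every OU found, in one pass.
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

# Removing a protected OU fails from PowerShell just as it does in ADUC (Figure 3).
# Clear the flag first, then delete; -Recursive is required if the OU still holds objects.
# Remove-ADOrganizationalUnit prompts for confirmation by default, which is left in place.
function Remove-ProtectedOU {
    param([string]$Identity)
    Set-ADOrganizationalUnit -Identity $Identity -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity $Identity -Recursive
}
# Remove-ProtectedOU -Identity "OU=Finance,$domainDN"
```

Get-UnprotectedOUs is the part worth scheduling; an empty result is the expected state for a domain where the practice in step 4 has been followed.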
Additionally, you can delegate the
administrative functions of an OU to other users such as administrators
who may be responsible for a specific business unit. Perform the
following tasks to delegate permissions to an OU:
-
Log on to a DC and open Server Manager.
-
Expand the nodes Roles | Active Directory Domain Services | Active Directory Users and Computers | <your domain name>.
-
Right-click the OU that you want to delegate permissions to and choose the option Delegate Control. This will launch the Delegation of Control Wizard. Click Next to continue.
-
Add the administrator(s) to whom you want to delegate permissions (see Figure 4); then click Next.
-
Select the permissions that you want to give the administrator over the OU (see Figure 5); then click Next.
-
Verify the delegation summary and click Finish to delegate permissions.
In the example above, the financeadmin1 account can now manage users and
groups within the Finance OU (and, through inheritance, in any OU created
beneath it), but has no such rights in other OUs of the domain. Note that the
delegation is recorded as ACEs on the OU rather than as a group membership, so
it does not appear in a review of group memberships; include OU ACLs in
periodic reviews of administrative access.
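The delegation above performed from PowerShell, together with the check that the delegated rights exist only where intended. This is an added example, not code from the original text. It writes the same kind of ACEs the Delegation of Control Wizard produces for its user and group tasks (create and delete child objects of the class, plus full control over existing objects of that class). The domain CONTOSO / contoso.com, the Finance OU and the financeadmin1 account are the names used in the text and are assumptions for illustration.

```powershell
# Added example: delegate user and group management on one OU, then audit where the
# delegate holds explicit rights. Names are assumed for illustration.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl / Set-Acl

$ou  = "OU=Finance,DC=contoso,DC=com"
$sid = (New-Object System.Security.Principal.NTAccount("CONTOSO", "financeadmin1")).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Object-specific ACEs are keyed on the schemaIDGUID of the object class. Read the
# GUIDs from the schema rather than hard-coding them.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = @{}
foreach ($cls in "user", "group") {
    $classGuid[$cls] = [guid](Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$cls'" `
                                  -Properties schemaIDGUID).schemaIDGUID
}

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ou"
foreach ($cls in "user", "group") {
    # Create and delete objects of this class in the OU and in any sub-OU.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
        $allow,
        $classGuid[$cls],
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    # Full control over existing objects of this class only (attributes, password resets,
    # group membership); nothing is granted on the OU object itself or on other classes.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        $allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $classGuid[$cls])))
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Audit: delegation is an ACE on the OU, not a group membership, so it never shows up
# in a group report. List every OU where the account holds an explicit (non-inherited)
# ACE; for financeadmin1 the expected result is the Finance OU and nothing else.
function Get-DelegatedOUs {
    param([string]$Account)   # sAMAccountName, e.g. "financeadmin1"
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$Account" } |
            Select-Object @{ n = "OU"; e = { $dn } }, ActiveDirectoryRights, ObjectType,
                          InheritedObjectType, InheritanceType
    }
}
Get-DelegatedOUs -Account "financeadmin1"
```

Get-DelegatedOUs reports ObjectType and InheritedObjectType as raw GUIDs; compare them against the schemaIDGUID values resolved above to confirm that the rights are limited to the user and group classes.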