
OU's

Discussion in 'Windows Server System' started by w.young, 2007/09/27.

  1. 2007/09/27
    w.young

    I'm new to Active Directory and have a few questions.
    1.) Is this how it works? You create 'users' that go into 'groups', then you create 'OUs' to put users / groups into so that you can create 'policies/rules' for those users / groups. This makes it easier to create 1 policy for an OU than to make the same policy over and over again for tons of users. Correct?

    2.) I notice I can create a new user in the 'Users' folder under AD Users & Computers. I can also create a new user under an "OU". BUT when the user is created under the OU, that user doesn't appear in the main Users folder. Why?

    3.) Is it better to create the users under the Users folder than under the OU? How can you keep track of the users if they don't appear under the Users folder?

    Thanks for the help.
    Bill
     
  2. 2007/09/27
    ReggieB

    IMO Organisational Units (OUs) in some ways are the most frustrating feature of Active Directory. Anyone who has used a decent Novell NetWare system will understand what a near miss OUs are.

    OUs allow you to organise users into containers. As you can assign group policies to individual OUs, you can use membership of the OU to control the behaviour of member users (and computers). For example, you can assign different log-on scripts to a number of group policies and assign each group policy to its own OU. Which log-on script the user gets depends on which OU they are a member of.

    So if the control of the user can be defined via a Group Policy, that control can be altered by changing which OU the user belongs to.

    However, as you have found, you cannot tie an OU to a Global or Local group. This is an annoying omission. It means that you cannot easily set file and folder permissions based on OU membership. Instead you have to independently maintain Global and Local groups as well as OUs.

    So if you have a Sales OU, to group members of your sales team, you may well also have to maintain a Sales Local group to make it easy to set file and folder permissions.

    Personally, I have a lot of systems that use AD as an LDAP directory. For this, grouping by OU is really useful as it means that the users can be listed by group via a simple LDAP look-up. Also, my main log-in script is assigned to an OU I call "people", with each department OU being a daughter of the people OU. This means it is easy for me to turn off a user's log-in script by simply moving them to an OU outside of the people OU. I also have an ASP page on my intranet that generates a phone list by traversing the people OU and pulling out users' phone numbers. Moving a user out of the people OU removes them from the phone list. So a very easy way of removing users from this and similar information pages when they leave the company.

    Therefore, I find OUs really useful, but do wish you could easily set file permissions based on OU membership.
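
The gap described in the reply above (file permissions follow groups, not OUs) is commonly closed with a scheduled script that keeps a security group in step with an OU, often called a shadow group. The script below is an added example and not part of the thread; the domain `example.local`, the `Sales` OU under `people`, and the `Sales` group name are assumptions.

```powershell
# Added example: sync a security group with the users found under one OU.
# Requires the ActiveDirectory module (RSAT) and rights to modify the group.
Import-Module ActiveDirectory

$OuDn      = 'OU=Sales,OU=people,DC=example,DC=local'   # assumed OU path
$GroupName = 'Sales'                                     # assumed group name

# Enabled users whose object sits anywhere under the OU.
# -SearchScope Subtree includes child OUs; use OneLevel for direct children only.
$inOu = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $OuDn -SearchScope Subtree |
          Select-Object -ExpandProperty DistinguishedName)

# Current direct user members of the group (nested groups are left alone).
$inGroup = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'user' } |
             Select-Object -ExpandProperty distinguishedName)

# Users in the OU but missing from the group, and the reverse.
$toAdd    = @($inOu    | Where-Object { $inGroup -notcontains $_ })
$toRemove = @($inGroup | Where-Object { $inOu    -notcontains $_ })

# -WhatIf only reports the changes; remove it once the output looks right.
if ($toAdd) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd -WhatIf
}
if ($toRemove) {
    # Removal is what revokes file access when someone is moved out of the OU.
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false -WhatIf
}

# Keep a record of what each run changed (or would change).
[pscustomobject]@{
    Time    = Get-Date
    Group   = $GroupName
    Added   = $toAdd.Count
    Removed = $toRemove.Count
}
```

Between runs the group can lag behind the OU, so a user moved out of the OU keeps group-based file access until the next sync.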
     
