
Active Directory 101 - OU, Branches, Containers

Posted on 2008-11-18
Last Modified: 2012-05-05
I need some quick help differentiating between a few key concepts within Active Directory.

1) Is a branch essentially the last OU in the hierarchy?  For example, let's say we have an OU called "Office", then a child OU called "North East", then a child OU of North East called "Boston" - WOULD this be considered a branch?

2) What about the difference between an "OU" and a "Container"...is there one, or are they two of the same?

3)  Can a user (or printer or other resource) belong to MORE THAN ONE OU (I'm guessing the answer is "No" - but would like an expert explanation of this)

Concise and succinct answers would be appreciated.

 
Question by:drewberrylicious
 

Author Comment

by:drewberrylicious
ID: 22990564
One additional question...if I search and locate a user within Active Directory Users and Computers, how can I quickly find out what OU they belong to?
0
 

Author Comment

by:drewberrylicious
ID: 22990574
Also (promise this is my last suffix to this question) can you tell me why I can't add a sub-folder to the default 'Users' folder within ADUC?  In our PROD environment, we have multiple folders under USERS (which is the out of the box folder - Not an OU from my understanding) - but when I try to create sub "folders" in another test environment, I can't....any suggestions?
0
 
LVL 23

Accepted Solution

by:
Malli Boppe earned 1125 total points
ID: 22990670
1.) It's not. You can have sub-OUs; it depends on your company and what group policies you want to apply.
2.) An OU is something admins create to group similar AD objects in order to apply group policies. Containers are something that is prebuilt when you install a domain. I don't think you can create them, and you can't apply group policies. An example of a container is Computers in AD.
3.) No, you can't have 2 objects in more than one OU. It's not logical.
0
 

Author Comment

by:drewberrylicious
ID: 22990789
Thanks for the quick response.

Regarding answer one, I'm not so interested in permissions or delegation - I'm really trying to find out whether my understanding of the terminology is correct.  Using the example I provided initially, would it be correct to call the Office > North East > Boston an "AD Branch"?

Regarding answer two, please view this additional question (http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23916461.html) I've posted where you can see that sub-containers can be created....now I just need to find out how.

Regarding answer three - that's what I thought, but needed to hear it from someone else.  With thanks mboppe!
0
 
LVL 23

Assisted Solution

by:Malli Boppe
Malli Boppe earned 1125 total points
ID: 22990850
There isn't anything like an AD branch; it's just something we use to make things clear, and it's not something technical. As said above, there isn't any AD term like branch. You can have as many sub-OUs as you like; it all depends on your AD design.
Regarding containers, MS doesn't let you create them from the GUI. But I read somewhere that you can do it by using ADSIEdit. I wouldn't recommend doing so, and I can't find a need for that.
0
 
LVL 16

Assisted Solution

by:robrandon
robrandon earned 375 total points
ID: 22995016
1) Is a branch essentially the last OU in the hierarchy?  For example, let's say we have an OU called "Office", then a child OU called "North East", then a child OU of North East called "Boston" - WOULD this be considered a branch?
-- Never heard the "branch" terminology before.  We just refer to them as OU's and sub-OU's.

2.) An OU is something admins create to group similar AD objects in order to apply group policies. Containers are something that is prebuilt when you install a domain. I don't think you can create them, and you can't apply group policies. An example of a container is Computers in AD.
-- You can't apply GPO's directly to containers, but they do filter down to them. (I think)

3)  Can a user (or printer or other resource) belong to MORE THAN ONE OU (I'm guessing the answer is "No" - but would like an expert explanation of this)
-- Nope.

4)  One additional question...if I search and locate a user within Active Directory Users and Computers, how can I quickly find out what OU they belong to?
-- Go to the Properties of the Object - On the Object tab there is a field called Canonical name of object.


5)  Also (promise this is my last suffix to this question) can you tell me why I can't add a sub-folder to the default 'Users' folder within ADUC?  In our PROD environment, we have multiple folders under USERS (which is the out of the box folder - Not an OU from my understanding) - but when I try to create sub "folders" in another test environment, I can't....any suggestions?
-- I don't think you can do this in ADUC.  Probably need to import with LDIFDE or use ADSIEdit


0
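An added example, not part of the thread: an object's distinguishedName names exactly one parent, which is why it cannot sit in two OUs, and the parent's RDN type (OU= versus CN=) shows whether it is in an OU or a built-in container such as Users or Computers, where a GPO cannot be linked directly. The sketch below parses DNs offline; the `example.test` domain, the sample DNs and the function names are constructed for illustration.

```python
import re

def split_dn(dn):
    """Split a distinguishedName into RDNs, keeping backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])          # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts

def locate(dn):
    """Return the single parent of an object and a canonical-style path."""
    rdns = [r.split("=", 1) for r in split_dn(dn)]      # leaf RDN first
    domain = ".".join(v for t, v in rdns if t.upper() == "DC")
    names = [re.sub(r"\\(.)", r"\1", v) for t, v in rdns if t.upper() != "DC"]
    # Heuristic: the RDN type only hints at the parent's class; the
    # authoritative answer is the parent's objectClass attribute.
    kinds = {"OU": "organizationalUnit", "CN": "container", "DC": "domain root"}
    return {
        "parent_dn": ",".join("=".join(r) for r in rdns[1:]),
        "parent_kind": kinds.get(rdns[1][0].upper(), "other"),
        # Approximates the "Canonical name of object" field in ADUC.
        "canonical": "/".join([domain] + names[::-1]),
    }

def in_containers(dns):
    """DNs whose immediate parent is a container, so no GPO can be linked there."""
    return [dn for dn in dns if locate(dn)["parent_kind"] == "container"]

# Constructed sample DNs (not taken from the thread).
SAMPLE_DNS = [
    r"CN=Doe\, Jane,OU=Boston,OU=North East,OU=Office,DC=example,DC=test",
    "CN=svc-backup,CN=Users,DC=example,DC=test",
    "CN=WS-0142,CN=Computers,DC=example,DC=test",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(locate(dn))
    print("In default containers:", in_containers(SAMPLE_DNS))
```

Objects flagged by `in_containers` only receive policy linked at the domain level, so accounts and computers left in the default containers are worth moving into OUs.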
 

Author Comment

by:drewberrylicious
ID: 23017479
Thanks Rob.  

I think I'm now clear about what a branch is..."any OU container which contains sub-OUs" - or at least the way I look at it anyway.

One thing I've not been able to do from your answer to question 4 - is see the OBJECT tab (see image below).  This is in my test environment WITHOUT MS Exchange Installed.  Can I assume this is the reason I cannot see it?

Regarding your answer to question 5, we have a whole sub-container structure under 'Users' which is apparently a legacy from when we moved from Exchange 2000 to Exchange 2003.

objecttab.png
0
 
LVL 23

Assisted Solution

by:Malli Boppe
Malli Boppe earned 1125 total points
ID: 23026353
Question 4: In ADUC, go to View and tick the option Advanced Features; then you would be able to see the Object tab in the user properties.
0
 

Author Closing Comment

by:drewberrylicious
ID: 31518076
Thanks
0
