Active Directory Logical Structure

Organizational Unit

An organizational unit (commonly referred to as an OU) is a container object within Active Directory used to group objects for the purposes of delegating administrative authority and applying group policy within a domain. OUs can be created to organize objects in a number of ways, including according to function, location, resources, and so forth. Examples of objects that can be grouped into OUs include user accounts, computer accounts, group accounts, and so forth. The diagram below outlines an example OU structure based on user location and resources:

Figure: OU Structure

Note that an OU can only contain objects from the same domain in which it exists. Also note that OU structures will vary widely from company to company. They are meant to be designed with administration of resources and the application of group policy settings in mind. Since complete administrative control over an OU, and potentially nothing else, can be granted (delegated) to a user, a very large organization can have only a single domain, with each business unit having administrative control over its own OU only.
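Because full control over an OU can be delegated independently of the rest of the domain, it is worth reviewing periodically who actually holds it. The following PowerShell is an added example, not part of the original article, that lists explicit full-control grants on every OU in the current domain. It assumes the ActiveDirectory (RSAT) module is installed; the function name `Get-OUFullControlDelegation` and the list of expected principals are hypothetical and should be adjusted to the environment.

```powershell
# Added example: report explicit full-control delegations on OUs.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Get-OUFullControlDelegation {
    param(
        # Principals expected to hold full control (assumption; tune per environment).
        [string[]]$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $netbios = (Get-ADDomain).NetBIOSName
    $ExpectedPrincipals += "$netbios\Domain Admins"
    $fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        # The AD: drive is provided by the ActiveDirectory module.
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"

        foreach ($ace in $acl.Access) {
            # GenericAll is a composite mask, so require every bit to be present.
            $hasFullControl = ($ace.ActiveDirectoryRights -band $fullControl) -eq $fullControl
            $principal      = $ace.IdentityReference.Value

            if ($ace.AccessControlType -eq 'Allow' -and
                $hasFullControl -and
                -not $ace.IsInherited -and                  # set directly on this OU
                $ExpectedPrincipals -notcontains $principal) {

                [pscustomobject]@{
                    OU          = $ou.DistinguishedName
                    Principal   = $principal
                    Rights      = $ace.ActiveDirectoryRights
                    # "All" or "Descendents" means the grant also covers child objects.
                    Inheritance = $ace.InheritanceType
                }
            }
        }
    }
}

# One row per unexpected full-control grant, grouped by OU for review.
Get-OUFullControlDelegation | Sort-Object OU, Principal | Format-Table -AutoSize
```

Each row is a principal that was granted full control directly on that OU; compare the output against the delegations the organization intended for each business unit.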

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.