5

So they are both objects that you use to organise other objects. You can add users, groups and computers to both of them.

  1. What is the difference between them?
  2. What is the best way to divide users and computers of different departments in a company (OU or Groups)?
redi

3 Answers

3

Summary:

OUs contain user objects, groups have a list of user objects.

You put a user in a group to control that user's access to resources. You put a user in an OU to control who has administrative authority over that user.

They're like folders (OU) and files (groups) on a file server (your AD): it is easier to manage permissions/ACLs on whole folders instead of single files, and let them be applied to the files (groups) by inheritance automatically. This analogy is explained in detail in Access Denied: Understand the Difference Between AD OUs and Groups:

[...] because users and groups have ACLs, you can delegate portions of administrative authority to subadministrators. But, just as separately maintaining the ACL of every file is impractical, so is separately controlling administrative authority on each user or group object. Therefore, you can collect into an OU all the users and groups that you want to enable a particular subadministrator to manage, then grant the proper authority over the OU to that subadministrator. Permissions you define in an OU's ACL flow down to all the users and groups in that OU, just as folder ACLs flow down to all the files in a folder.

Differences:

  • You can link group policies to OUs, but not groups
  • You can give file/folder/share permissions to groups, but not OUs
  • Groups have a SID, OUs do not

Recommendations:

  • You should use OUs to organize your Active Directory, so it's easier to manage (for example to delegate administrative control over users & groups to other administrators)
  • You should use groups to give permission on resources (for example read permissions of a share on a file server)
  • From the linked resource:

    To help you keep OUs and groups straight, remember that a user can be a member of many groups but can reside in only one OU, just as a file can reside in only one folder.

So you should use them both to do different things.

user121391
Mer
  • by resources you mean resources on the server? – redi Aug 17 '16 at 14:56
  • 1
    Resources on any member of the Active Directory domain. Both client and servers. If you integrate your Active Directory with other systems (such as other domains, firewalls, etc.), you can use those groups on systems that are not members of your domain as well. – Mer Aug 17 '16 at 15:14
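
The split described in the answer above, as an added PowerShell example (not part of the original answers): one department gets an OU for placement, Group Policy and delegation, and groups for resource access. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the domain `example.com`, the `Sales` names, the user `jdoe`, the GPO name and the share path are all hypothetical.

```powershell
# Added example; every name below (example.com, Sales, jdoe, GPO, share path) is an assumption.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=com'
$ouDn     = "OU=Sales,$domainDn"

# OU = container: decides where objects live, which GPOs apply, who administers them.
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDn
# Created without a password, so the account stays disabled until one is set.
New-ADUser -Name 'Jane Doe' -SamAccountName 'jdoe' -Path $ouDn

# Groups = security principals: they carry a SID and can appear in resource ACLs.
New-ADGroup -Name 'Sales-Share-Read' -GroupScope Global -GroupCategory Security -Path $ouDn
New-ADGroup -Name 'Sales-Helpdesk'   -GroupScope Global -GroupCategory Security -Path $ouDn
Add-ADGroupMember -Identity 'Sales-Share-Read' -Members 'jdoe'

# Group Policy is linked to the OU, not to a group.
New-GPO -Name 'Sales Workstation Baseline' | New-GPLink -Target $ouDn

# Administrative authority is delegated on the OU's ACL and inherited by the
# user objects inside it (/I:S = sub-objects only). Least privilege: one right.
dsacls $ouDn /I:S /G 'EXAMPLE\Sales-Helpdesk:CA;Reset Password;user'

# Resource access is granted to the group, never to the OU.
icacls 'D:\Shares\Sales' /grant 'EXAMPLE\Sales-Share-Read:(OI)(CI)RX'

# Check the differences listed in the answer:
(Get-ADGroup 'Sales-Share-Read').SID                        # groups have a SID
(Get-ADOrganizationalUnit $ouDn).LinkedGroupPolicyObjects   # OUs have GPO links instead
(Get-ADUser 'jdoe').DistinguishedName                       # a user sits in exactly one OU
Get-ADPrincipalGroupMembership 'jdoe' | Select-Object Name  # but can be in many groups
```

Running `dsacls $ouDn` with no other arguments afterwards lists the OU's ACL, which is where to review who holds delegated rights over the department's accounts.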
0

Generally use OUs to organise your Active Directory tree and apply group policies.

Use groups for security by giving them permissions to resources, and then add users to them.

JamesRyan
0
  1. Groups are for granting access to data and organizational units (OUs for short) are for organizing and controlling objects (users and computers) via delegation and group policy settings.

  2. This depends on your organizational fancy. How you want to logically organize your network.

Art.Vandelay05