OU's and Groups

BigToneBigTone Member Posts: 283
If you have a company with one domain, would there be any reason to use groups for users instead of OU's?

We are planning on setting up our domain following the below structure (but not exact)

Users Accounts
| | |
IT Accounting Management

We're having a consultant come out and help us with a migration, but I was just wondering if anyone can give me any ideas beforehand.


  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    You'd use groups for securing access to resources like file shares and OUs for applying group policy, delegating authority, etc. It's not a case of one-or-the-other. You need both.

    For example, I'm at a small company, so we have a fairly basic setup. I have "desktop" and "laptop" OUs for computers and an "Employees" OU that contains all the company employees.

    I have security groups such as "Accounting" and "Management" that can only access certain resources.

    With your case, you'd only need to make OUs for accounting and management if you were going to do things like apply different policies to those users/computers or have different IT personnel manage those objects. If you're not doing that, you could get by with just one OU. Either way, you'll still create management and accounting security groups because (presumably) they'll require different levels of access for resources.

    It's probably a good idea to keep a separate IT OU since those users will likely not be subject to the same security restrictions (i.e. removing "run" from the start menu). However, if that's not the case, you wouldn't even need a separate IT OU. It depends on the size of your organization, security needs, etc.
Sign In or Register to comment.