70-640 Groups vs. OUs

According to the MS Press guide, OUs are strictly for organizational purposes, and groups are used to manage groups of users and computers who may share access to resources.

In the TrainSignal video, he talks about using OUs to delegate administrative permissions and manage group policy application.

Can anyone explain the fundamental differences between the two? It seems like either having both if overkil or I am missing the boat. I would think managing group policy application would be through groups (as in group policy).

Not seeing all these two should work together, however I'm sure they do.

Thanks,

Neil

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

zombie fred

Try to think the OU on a more bigger scale. Say your own organization is over different countries and the world and this domain is used on those sites. You have OUs for IT support in specific areas and you would like to delegate some areas of that business to maintain the enviroment in that site for example. IE, OU = Boston, OU=Users, OU=Computers, and you delegate Boston to the usegroup IT support, and in the Bostons' IT department they can manage the information of those OUs and stuff delegated to them.

Chev Chellios

Hi Neil,It is an interesting question that you raise. My understanding (which may be wrong) from reading MS books is that groups are used to manage security access to resources across your network for users and groups whereas OU's are Organizational Units that you apply GPOs to which are more based on user/computer settings (such as whether users can run the 'run' command or such like) rather than what network resources they can access. I've not seen the train signal video so can't really comment on how they present or interpret it though.Craig

Lunchbocks

nmarlowe wrote: »

According to the MS Press guide, OUs are strictly for organizational purposes, and groups are used to manage groups of users and computers who may share access to resources.

In the TrainSignal video, he talks about using OUs to delegate administrative permissions and manage group policy application.

Thanks,

Neil

If the video said that, it is incorrect. An OU is a container used for organizational purposes only. The difference in an OU and a group is that you can apply group policy on an OU, but you cannot apply group policy on a group.

A group is used for security and distribution by granting/denying permissions and rights to users, computers, and other groups. You can apply security permissions on groups, but not OUs.

To put it simply, you put a user or computer in a group to control that user's access to resources. You put a user or computer in an OU to control who has administrative authority over that user.

Hope this helps.