70-410 Objective 5.3 – Differences Between OUs and Groups on Windows Server 2012 R2
In this video for Objective 5.3, Creating and Managing Organizational Units and Groups, we will learn the differences between OUs and Groups. Organizational Units are often confused with Security Groups, because in both cases we are organizing users or computers into containers. The act of putting objects into the various containers seems similar, but OUs and Groups are not the same and cannot be used for the same purposes.
We start by examining what OUs cannot be used for, which is ACLs on a file or folder. Unlike a security group, an OU is not a security principal. I demonstrate by creating a folder and trying to add an OU to its ACL. The OU simply does not appear as a choice, because OUs are not used for security on ACLs. We then create a group and add members, go back to the folder, and apply the group to its security settings.
We then ask the question, “Why are we organizing users into folders… if we can’t use them for security?” It is a valid question, but OUs are used for a very different purpose: applying policies from GPOs (Group Policy Objects) and allowing delegation of an OU to an average user. We then open the GPMC, or Group Policy Management Console, and examine the structure of the OUs, which is almost identical to the domain structure. We then create a GPO and link it to an OU. Lastly we discuss delegation of an OU to an average user for purposes of password resets. I use the example of an office manager being able to reset his or her employees’ passwords without an administrator. We also discuss the “Principle of Least Privilege”, which states that a user should be given only the privileges needed to perform their duties. We then examine the permissions that were applied to the OU during the Delegation Wizard.
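The same sequence can be scripted. The following PowerShell is an added example, not taken from the video; the domain `contoso.com`, the OU `Sales`, the group `Sales-Share-RW`, the existing user `omanager`, the folder path and the GPO name are all hypothetical, and `dsacls` is used here as one command-line way to grant a password-reset delegation.

```powershell
# Added example. All names below are hypothetical placeholders.
Import-Module ActiveDirectory   # also creates the AD: drive used at the end
Import-Module GroupPolicy

$domainDN = 'DC=contoso,DC=com'
$ouDN     = "OU=Sales,$domainDN"
$manager  = 'CONTOSO\omanager'  # assumed to exist already

# An OU is a container for policy and delegation. It has no SID,
# so it can never appear on a file or folder ACL.
New-ADOrganizationalUnit -Name 'Sales' -Path $domainDN

# A security group is a security principal (it has a SID), so it can.
New-ADGroup -Name 'Sales-Share-RW' -GroupScope Global `
            -GroupCategory Security -Path $ouDN
Add-ADGroupMember -Identity 'Sales-Share-RW' -Members 'omanager'

# Put the group on the folder ACL with Modify rights.
$folder = 'C:\Shares\Sales'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CONTOSO\Sales-Share-RW', 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# What the OU is for, part 1: create a GPO and link it to the OU.
New-GPO -Name 'Sales Baseline' | New-GPLink -Target $ouDN

# What the OU is for, part 2: least-privilege delegation.
# Grant only the Reset Password control-access right (CA), and only on
# user objects below the OU (/I:S), not on the OU object itself.
dsacls $ouDN /I:S /G "${manager}:CA;Reset Password;user"

# Examine the permissions that now exist on the OU for the delegate.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $manager } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType
```

In the final output, an entry showing `ExtendedRight` scoped to user objects confirms the delegate can reset passwords and nothing more; a `GenericAll` entry there would mean the delegation is broader than the duty requires.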
Introduction – 0:10
Explanation of the structure – 0:43
Explanation of OU types – 1:15
What OUs cannot do – 2:10
Creating a group – 3:04
Adding a group on an ACL – 3:45
What OUs are used for – 4:30
Opening Group Policy Management Console – 4:50
Creating a GPO and linking it – 5:20
Delegation of an OU – 5:56
Examining the permissions on an OU – 7:15