70-410 Objective 5.3 – Differences Between OUs and Groups on Windows Server 2012 R2



welcome back to another video in this video for objective five point three creating and managing organizational units and groups what I want to do is I want to contrast the differences between organizational units and groups so what we're gonna do first is look at organizational units what we can do at them in what we can't do with them then we're gonna look at groups and what we can do with them and what we can't do with them and then I'm gonna go back to organizational units and show you some of the benefits so let's begin here you see Active Directory users and computers and what I did was underneath contoso dot-com I created an organizational unit called contoso now I like doing this even though we have the domain up here I like creating another organizational unit called contoso because it gives us flexibility later in case per se we bring another organization into our company and merge it with our domain so more on planning in another video but what I did underneath contoso was I created three different oh use these are what we'd consider functional organizational units right because we can have either organizational units by function by geographic location or by object type or any hybrid thereof these are unfunctional arca ting department sales department in research department and again i i'd forego exact planning for another video but under the marketing department we have three users marketing one marketing two in marketing three under sales we have a similar setup and then under research we have a similar setup so i have my my users organized into these organizational units so let's go ahead and see what an organizational unit can't do so let's pretend that this is a share and we want to apply some permissions well if I go into edit and I add and I go ahead and I type marketing and mind you I have groups selected ok there is no uh no object type for organizational units and I click OK it's going to bring up only the security principles so this is a great classic demonstration of why organizational units are not security principles they're just not now let's go ahead and we're gonna cancel out of this and we're gonna go ahead and we're gonna create a group and I'm gonna right-click and create a brand new group and I'm gonna name this group Marketing Group and it's a global group we're just gonna leave the default sent security group and now that I have my group I'm gonna go ahead and double click it and I'm gonna add members so I'm gonna add my marketing members and again we're gonna see all three marketing principles or user principles come up and we're just gonna add all three of them now if I go back to that share and I right click on the share and go to properties and I go to security edit and then add and I type in marketing I now have the security principle of the Marketing Group so I hope this kind of explains the differences between organizational units and groups now I get it it's not that clear why are organizing users into OU's if we can't use them for security well because organizational units as you see here are used for a very different purpose they're used for polishing or putting policies down to a group of objects now in all of these instances we're dealing with basically user objects so let's go ahead and take a look at what we can do with it well if we go and we open up group policy management we can see this kind of well does it emulates or shadows what we have in our active directory but it leaves out the containers like users and managed service accounts and all the ones that you can't put policies on and then what we can do is we can go to one of these Oh use and we could basically link or create a GPO and link it so I'll just create a sales GPO and now we have a GPO linked to ourselves so now we can go into the GPO and we can actually set preferences or policies and policy the user so this is a great demonstration of the difference between groups and use now for the last thing the reason why we basically have a use is so that we can delegate administrative control and great example here I have marketing one marketing two and marketing three let's say that marketing one was the manager of the office and marketing one wants to be able to reset passwords well a normal user doesn't have permissions on the other users to reset passwords but what we can do is we can go to marketing we can right click on the marketing of you in we can say delegate control now I'm doing this in Active Directory users and computers so we'll go ahead and we'll add and I'm gonna go ahead and select marketing one because that is our manager and we've got marketing one in there we'll go ahead and we'll check recent user passwords and force password change at next login and then we'll go ahead and click finish now what we actually did and this is why I said in the lecture video I kind of lied to you was we set permissions with marketing one but we did it on the object of the oh you and if we go into marketing properties and we're not gonna be able to see it by default so we have to go to advanced features and I just got a drill back to the marketing on you and we go to properties and we click on security we can see that marketing one has been given permission to this oh you and this permission will actually falled follow itself down or inherit itself down to all of the objects underneath that so we'll just take a look at marketing 2 here and we'll notice that marketing ones permissions are on this account now if we go into advanced and we look at the actual permissions for further down here for marketing 1 we could see reset password and if we went in further we could see that you can actually set some flags or she so this is a great example of delegation of organizational units why we have this structure okay it's really for two reasons one is Paula seeing and – is delegation now really important stuff I hope you got something out of this video if if you like my videos please subscribe share my videos if you have any questions leave them down in the comment section below Google+ Facebook or Twitter and as always I thank you for watching

15 thoughts on “70-410 Objective 5.3 – Differences Between OUs and Groups on Windows Server 2012 R2

  1. After delegating the reset password permission to Marketing One user, I would like to know how the user performs the operation? Does the user need to log in the server with ADUC to do it? Thanks.

  2. I think my organization does this backwards. It's so confusing to me! They put the organizational units in the group policy, not the other way around.

  3. Thanks for the great video. Can you tell me, is it standard behavior that if I create an OU for computers in order to apply a GP to those computers that, when I attempt to place the computer in the new OU it will remove the computer from the "Computers" container? That is the behavior in my test lab and I'm concerned to try it on our production server. If that is standard behavior, is there any possibility that doing this will mess up anything for a computer that gets removed from the "Computers" container? Thanks for any response!

  4. definately best videos available, you can tell the passion of this guy. beats pluralsight videos where they stick completely to the objectives and dont really share real world tips and shows they dont really have experience but networkminds has experience and knowledge of the exams. bit shame about the video quality the resolution screen was too high and even at 1080p it can be hard to see sometimes!

Leave a Reply

Your email address will not be published. Required fields are marked *