Directory Services: Design, Implementation, and Management

The AD is built from a collection of organizational units (OUs) and containers, which form the base of the hierarchical representation of objects within a domain. An OU is a generic object container: it can hold any object in the domain, including other OUs.
OUs can be used to delegate administrative control over a particular set of objects to a group of users without granting them administrative permissions over other objects in the domain. Delegation of administration must not, however, be confused with access control. OUs are not groups and must not be used to control access to resources within the domain.
AD objects include users, groups, computers, and printers, to name but a few. Objects can be organized hierarchically using organizational units. Every object in the AD has a unique name, referenced by an LDAP distinguished name (DN). A distinguished name is the fully qualified LDAP representation of an object and is composed of a sequence of relative DNs (RDNs). Each RDN is one component of the DN; read together, the sequence identifies the object itself and every ancestor container above it.
Figure 1.4 illustrates a domain composed of a number of organizational units. The user Jack is referenced by the RDN CN = Jack. User Jack belongs to a tree of organizational units. Each OU is identified by its own RDN in the hierarchical order in which it was created. The OUs belong to the compaq.com domain, which is referenced by the domain DC RDN. The full representation of...
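The following is an added worked example, not code from the book, showing how a DN such as Jack's is assembled from RDNs (leaf object first, domain components last) and decomposed again. Since the figure is not reproduced here, the OU names Sales and Europe under the compaq.com domain are assumptions. The parser handles the backslash escaping that RFC 4514 requires when an RDN value itself contains a comma or other special character, which is the case a naive `split(',')` gets wrong.

```python
"""Compose and decompose LDAP distinguished names (added example; the
OU names Sales and Europe are assumptions standing in for Figure 1.4)."""
from typing import List, Tuple

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in _SPECIAL
                or (ch == '#' and i == 0)            # leading '#' marks hex form
                or (ch == ' ' and i in (0, last))):  # leading/trailing spaces
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Join (attribute, value) RDNs, most specific first, into one DN string."""
    return ','.join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (attribute, value) RDNs.

    A backslash makes the following character literal, so an escaped comma
    inside a value does not terminate the RDN.  (The \\XX hex form of
    RFC 4514 is not decoded here; it is left as its literal characters.)
    """
    rdns: List[Tuple[str, str]] = []
    attr, buf, in_value, i = '', [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep escaped character verbatim
            i += 2
            continue
        if not in_value and ch == '=':
            attr, buf, in_value = ''.join(buf).strip(), [], True
        elif in_value and ch == ',':
            rdns.append((attr, ''.join(buf)))
            buf, in_value = [], False
        else:
            buf.append(ch)
        i += 1
    if in_value:
        rdns.append((attr, ''.join(buf)))
    return rdns


def ancestors(dn: str) -> List[str]:
    """Return the DN of every container above the object, nearest first."""
    rdns = parse_dn(dn)
    return [build_dn(rdns[k:]) for k in range(1, len(rdns))]


# Jack's DN: RDN of the object first, then the OU chain, then the domain
# components (DC=compaq,DC=com) that name the compaq.com domain.
JACK_DN = build_dn([("CN", "Jack"), ("OU", "Sales"), ("OU", "Europe"),
                    ("DC", "compaq"), ("DC", "com")])

if __name__ == "__main__":
    print(JACK_DN)
    for container in ancestors(JACK_DN):
        print("  contained in:", container)
    # A value containing a comma must be escaped, or it would read as two RDNs.
    print(build_dn([("CN", "Smith, Jack"), ("DC", "compaq"), ("DC", "com")]))
```

The `ancestors` helper is the operational reason the RDN sequence matters: each suffix of the DN is itself the DN of a container, which is exactly the chain walked when evaluating delegated administration on an OU.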