Understanding Organizational Units and Containers

The document discusses containers and organizational units (OUs) in Active Directory. It explains that containers are default structural objects that cannot have Group Policy Objects (GPOs) applied to them, while OUs are used to organize objects and GPOs can be applied to OUs. It provides details on the default containers - Computers, ForeignSecurityPrincipals, Managed Service Accounts, Users, and BuiltInDomain. It also outlines how to create, modify, and delete OUs in Active Directory.


Paul Hill | itFlee.com

The goal of this lecture is to help you understand Containers and Organizational Units.

Containers
Containers are structural objects that are included by default within Active Directory. The most important difference
between OUs and containers is that you cannot apply Group Policy Objects (GPOs) to containers. This will make more
sense to you when you get to the Group Policy section of this course. You also cannot create a container from Active
Directory Users and Computers, although you can use ADSI Edit to create containers.

By default, the containers you will immediately see in Active Directory are Computers, ForeignSecurityPrincipals,
Managed Service Accounts and Users.

The Computers container is used as the default location for new computers that join your domain. When you join a
computer to your domain for the first time, a new Active Directory account is created in this container for the
computer. This is important because you will want to move the computer out of the container and into an OU so you can
apply the appropriate Group Policy Objects, which will enforce your company’s security policies.
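As an added example (not part of the lecture), the following PowerShell script audits the Computers container for machines that were joined but never moved, and relocates them into an OU where Group Policy can reach them. It assumes the ActiveDirectory module from RSAT, the lecture's itflee.com domain, and a hypothetical "Workstations" OU as the destination.

```powershell
# Added example, not from the lecture: find computer accounts still sitting in the
# default Computers container (no GPO can be linked there) and move them into an OU.
# Assumes the RSAT ActiveDirectory module and the itflee.com domain; the target OU
# name "Workstations" is a hypothetical choice for this example.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName          # e.g. DC=itflee,DC=com
$container = "CN=Computers,$domainDN"                   # default container, no GPO links possible
$targetOU  = "OU=Workstations,$domainDN"                # hypothetical OU that carries your workstation GPOs

# The container only holds objects one level deep, so OneLevel is sufficient.
$strays = Get-ADComputer -SearchBase $container -SearchScope OneLevel -Filter * -Properties whenCreated

if (-not $strays) {
    Write-Host "No computer accounts are waiting in $container"
    return
}

# Report first: every machine listed here receives no OU-linked policy at all.
$strays | Select-Object Name, DNSHostName, whenCreated | Format-Table -AutoSize

# Refuse to move anything if the destination OU does not exist.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(distinguishedName=$targetOU)")) {
    throw "Target OU $targetOU does not exist; create it before moving computers."
}

# Move each stray into the OU. Remove -WhatIf once the report looks right.
foreach ($c in $strays) {
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $targetOU -WhatIf
}
```

Running this on a schedule gives you an early warning whenever a newly joined machine is sitting outside your policy scope. If you would rather change where new computer accounts land in the first place, the built-in redircmp.exe tool can point the domain's default computer location at an OU instead of the Computers container.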

The ForeignSecurityPrincipals container holds proxy objects for security principals from other trusted domains. A
security principal from another domain could be a user account or security group that resides in that domain. If you
do not establish a trust between your domain and another, you will not be using this container.

An example of when you would want to use one of these proxy objects would be allowing a user from another domain
to also be part of the administrators group in your domain. In this case, you would add the proxy object that represents
the user from the other domain to your administrators group.

The Managed Service Accounts container holds accounts that are used to run services or applications on servers.
Since a managed service account (or MSA) is meant to be used by services and not by end users, you do not create
passwords for these accounts; they are instead handled automatically. Expiring service account passwords, and the
security problems that come with them, can be a huge headache for administrators, and this is what MSAs aim to solve.

To create an MSA you need to use the PowerShell command line. There is no interface to do so at this time although
Microsoft may later add this functionality.
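Since the lecture says an MSA can only be created from PowerShell, here is an added example of that (this is not the lecture's own code). It assumes the RSAT ActiveDirectory module, the itflee.com domain, and a hypothetical account name and server name; the commented gMSA variant at the end is the newer, multi-server form of the same idea.

```powershell
# Added example, not from the lecture: create a managed service account (MSA) from
# PowerShell, since there is no GUI for it. Assumes the RSAT ActiveDirectory module
# and the itflee.com domain. The account name and server name are hypothetical.
Import-Module ActiveDirectory

$msaName = 'svcReports'   # hypothetical; standalone MSA names are limited to 15 characters
$server  = 'APP01'        # hypothetical computer that will run the service

# --- run on a domain controller or an admin workstation ---
# A standalone MSA is tied to exactly one computer. AD generates and rotates its password;
# you never set one yourself.
New-ADServiceAccount -Name $msaName -RestrictToSingleComputer -Enabled $true

# Authorize the server to use this account.
Add-ADComputerServiceAccount -Identity $server -ServiceAccount $msaName

# Confirm the object landed in the Managed Service Accounts container. The object class
# msDS-ManagedServiceAccount is what distinguishes it from an ordinary user account.
Get-ADServiceAccount -Identity $msaName |
    Select-Object Name, DistinguishedName, Enabled, ObjectClass

# --- run on the server itself, as a local administrator ---
# Install the account into the local machine so services can be configured to log on with it.
# Install-ADServiceAccount -Identity $msaName
# Test-ADServiceAccount -Identity $msaName    # True when the host can retrieve the password

# --- gMSA variant (several servers can share one account) ---
# Requires a KDS root key in the forest first (a one-time step; the key is usable
# after replication, which the -EffectiveImmediately switch only shortens to ~10 hours):
#   Add-KdsRootKey -EffectiveImmediately
# New-ADServiceAccount -Name 'gsvcReports' -DNSHostName 'gsvcReports.itflee.com' `
#     -PrincipalsAllowedToRetrieveManagedPassword "$server$"
```

The security payoff is that no administrator ever knows the password, so it cannot be written into a runbook or reused elsewhere, and the 30-day automatic rotation happens without a service outage.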

The Users container contains the Administrator and Guest user accounts as well as several default security groups which
are used by your domain.

BuiltInDomain
The BuiltInDomain object contains the security groups that are required for your domain to operate. You cannot delete
any of these Security Groups as they are all required by the domain.

Organizational Units (OUs)


Organizational Units (commonly referred to as OUs) are used to organize and separate objects within Active Directory.
The objects could be anything that Active Directory can store, like user accounts, computers, printers, file shares, etc.

If your company had a marketing team, you might create a new OU called “Marketing” and store all your marketing
user accounts inside this OU.


So, just like it sounds, OUs are used to help you organize your domain within Active Directory. But it is much more
important than just having a tidy Active Directory. System Administrators often assign specific permissions
to OUs. For example, all users inside of the Marketing OU may have a special desktop background and special
permissions to a file share that other users may not have.

This is why it’s important that you insert Active Directory objects into the correct OU, as picking the wrong OU could lead
to some users having security privileges they are not supposed to have. This applies not only to user accounts but to every
object that is stored within Active Directory.

Within Active Directory you can look at the Type column to determine whether you are looking at an OU or a container. By
default, the only OU you will see is the Domain Controllers OU, which cannot be deleted. As the name suggests, Domain
Controllers need to be placed within this OU because certain policies applied to this OU are needed for the Domain
Controller to operate.

To create a new Organizational Unit, right-click on the desired location (in my case, itflee.com) and select Organizational
Unit. I am going to name this “Test OU”. Notice you have the option of unchecking the Protect container from accidental
deletion checkbox; in most cases I recommend that you leave this option checked.


Click OK to create the OU. Now you can see that it has been created under the root domain itflee.com. You can now
right-click on the OU and you will see a similar set of options to right-clicking on the root domain except for the cut,
delete, rename and export list options.

The first three options act just like you would expect them to. The Export List option will generate a document that lists
the objects that reside inside this OU. This list is not recursive, which means that if there is another OU inside the
OU you are creating a list for, only that sub OU itself will be listed and not the objects within it.

Just like the root domain, you can delegate control of the OU by right-clicking on the OU, but primarily all you will be
doing with OUs is creating them in the correct location, naming them appropriately and then placing objects inside of
them.

Occasionally you will need to delete an OU, and unfortunately this is not as simple as it sounds. If you right-click on an
OU, select Delete and Yes, you will be presented with a message stating “You do not have sufficient privileges to delete
[the OU], or this object is protected from accidental deletion”.


If you remember when we created the OU we checked the Protect this OU from accidental deletion checkbox. In order
to remove the protection, we need to enable the advanced view within Active Directory and turn off the protection with
the OU’s properties. Click OK to close the warning message. Select View > Advanced Features.

Immediately you will notice that your view will refresh and you will have a lot more items listed under your domain. You
can ignore all of this for now, and simply right-click on the Test OU and choose Properties. Select the Object tab and
uncheck the Protect object from accidental deletion checkbox, then click OK.

Now right-click on the OU and choose Delete and select Yes when you are asked to confirm deletion. If there are objects
within this OU, you may be presented with another warning message stating that the Test OU contains other objects.


If you receive this message and are sure you want to delete the OU, go ahead and click Yes again to delete the OU. Feel
free to turn off the Advanced Features view if you would like, or leave it on. It sometimes makes everything less
complicated to turn it off while you do not need it.
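The whole create, protect, unprotect and delete cycle described above can be reproduced with the ActiveDirectory module. This is an added example rather than the lecture's own code; it assumes the RSAT module and the itflee.com domain, and reuses the lecture's “Test OU” name. It also handles the case the lecture warns about, an OU that still contains objects, including child OUs that carry their own protection.

```powershell
# Added example, not from the lecture: the same create / protect / unprotect / delete
# cycle done with PowerShell instead of the GUI. Assumes the RSAT ActiveDirectory
# module and the itflee.com domain; "Test OU" is the name used in the lecture.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Test OU'
$ouDN     = "OU=$ouName,$domainDN"

# 1. Create the OU. Protection is on by default, just like the checkbox in the GUI.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true

# 2. Try to delete it while protected. The protection is a Deny ACE on delete, so this
#    fails with "Access is denied", the same condition the GUI reports.
try {
    Remove-ADOrganizationalUnit -Identity $ouDN -Confirm:$false -ErrorAction Stop
} catch {
    Write-Warning "Delete refused while protected: $($_.Exception.Message)"
}

# 3. Remove the protection (the equivalent of unchecking the box on the Object tab).
Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $false

# 4. Check whether anything lives inside. A recursive delete is needed if it does, and
#    any child OUs must have their own protection removed first or the delete still fails.
$children = Get-ADObject -SearchBase $ouDN -SearchScope Subtree -Filter * |
    Where-Object DistinguishedName -ne $ouDN
if ($children) {
    Write-Host "$ouName contains $($children.Count) object(s); clearing protection on child OUs"
    $children | Where-Object ObjectClass -eq 'organizationalUnit' |
        Set-ADObject -ProtectedFromAccidentalDeletion $false
}

# 5. Delete the OU and everything in it.
Remove-ADOrganizationalUnit -Identity $ouDN -Recursive -Confirm:$false
```

Step 2 is worth keeping even in an automated script: the failed delete is a cheap confirmation that the protection was actually in force, and the warning it logs is the trail you want if an OU ever disappears unexpectedly.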

Now you understand containers, builtin containers, and organizational units! Great job, see you in the next lecture!
