I have to grant some permissions to a certain user in Windows Server 2003 Active Directory that will only be active on a certain collection of users. The initial thought was to just have an OU that we would allow this particular user certain rights to (user creation, password reset, add users to groups, etc.). However, after reading further in to things, I'm not sure if an OU is needed or not, and I'm really not sure when an OU would ever be needed. This is bugging me and I would really like to better understand the purpose of OU's before using or not-using them.
I've searched the web quite a bit and results vary from the vague "Use organizational units to organize AD" to the somewhat specific "Add an OU to a domain if a completely separate group needs special administrative access to a segment of users." At this point, the later sounds the most appropriate here. Technically speaking, you can only use the Delegation of Control Wizard on an OU. However, I see nothing stopping me from manually assigning the permissions individually to a domain group and effectively having the same thing. What am I missing here? Thanks.
Best Answer
In general OUs are used for:
Keeping things clean and structured. Your users are kept away from groups, your groups are kept away from computers, objects in site A are kept away from objects in site B, and so on.
Delegation of control. Only really needed if you have multiple levels of access or multiple sites with different admins in each. Even so I would plan ahead and set things up to enable it anyway.
Group policies. Not totally necessary as policy application can be managed via either permissions or WMI filters, but all the same it helps to know that if a user is in OU X they get policy Y.
Note that in the above you cannot apply a GPO to a container, so if you don't create OUs you will have to set all of your GPOs at top (Domain) level and filter them using either WMI or security. It's easier for you and for everyone else to just use OUs except for if you have a scenario where the specific policies you want/need cannot be done (or can be done but are messy) using an OU model.
Aside from the obvious technical requirements in my last 2 points, I think that keeping things clean and tidy is reason enough. It's easier to find the object you want out of a list of 100 than it is to find it out of a list of 1500, for example. It also separates the objects you create (users, computers and groups, mostly) from builtin objects, which can help to prevent nasty accidents ("OK, who deleted the Administrator account?").