- An Organisational unit (OU) is a container in the Active

Directory domain that can contain different objects from

the same AD domain: other containers, groups, users, and
computer accounts.
- An active directory OU is a simple administrative unit
within a domain on which an administrator can link group
policy objects and assign permissions to other user/group.
-
There are two main task when using OU, besides storing Active
Directory Objects:-
● Duplicating Organisational Divisions
● Assigning Group Policy settings
● Delegating Administration.

- When you assign Group Policy settings to a domain, the

settings apply to all of the objects in that domain, but not
to the sub-domains.
- When you assign Group Policy Settings to an OU, those
settings apply to all of the leaf objects in the OU and are
inherited by any Subordinates OUs it contains.
⇒Create a new Organisational Unit:-
To create a new organisational unit in Active Directory, your
account must have Domain Administrator Permissions.
Step:1:- Open the Active Directory Users and Computers
(Win + R → dsa.msc) and select the domain container in which
you want to create a new OU.

Step:2:- Right-click on the domain name and select New →

Organisational Unit.

Specify the name of the OU to create

 Working with Groups
- Groups are collections of user accounts
- Members receive permissions given to groups
- Groups can be members of other groups
A collection of Active Directory Objects is called an Active
Directory Groups.

⇒Types of Groups in Active Directory

The active directory groups can be classified into two types
- Security Groups
- Distribution Groups

→Security Groups
Active Directory Security groups enable the administrator to
grant permissions and user might to members of the group.
Security groups have two major functions. They are :-
- Assigning user rights
- Assigning permissions for resources.

→Distribution Groups
Active Directory Distribution groups are used with email
applications such as Microsoft Exchange server and are used
to send email messages to all the users of the groups.

⇒Active Directory Group Scopes

The scope of a group is used to define the extent to which the
group is applied in a domain tree or forest. It is also used to
identify which of the users can be included as members of the
group.
Types of Group: -
→Local Groups
Local groups are defined and available only on the specific
computer in which they were created. They are stored in the
local security Accounts Manager (SAM) databases of a domain
member computer.

→Domain Local Groups

Permission for resource access are provided using domain
local groups. These resources are located in the same domain
in which the domain local group was created.
Domain local groups can exist in all mixed, native
and interim functional levels of domains and forest.

→Global Groups
Users who share similar functions and network access
requirement can be organised using global groups

→Universal Groups
Universal Groups reside in the Global Catalog and are not
stored in the domain partition level.

→What is Nested Groups

Groups that have other groups as memebers are known as
nested groups. When a group is nested within another groups,
the user rights are inherited automatically.
Nested groups help reduces managemant
overhead.
 What is Group Policy
Group Policy is a microsoft window feature that allows It
administrators to centrally manage and configure the settings
on window computer. Group Policy can manage operating
system settings, applications, browsers and user settings

Group Policy Objects (GPO) ⇒ A group policy object is a

collection of policy settings. A GPO is applied to the domain, or
an OU to target users, computers or the entire domain.
Group Policy Management Console(GPMC) ⇒ This is the
management console used to manage group policy and GPOs.
Local Group Policy ⇒ Local Group policies are policies that
apply to a single computer and are managed locally on a
computer.
Domain Group Policy ⇒ Domain Group policies are managed
centrally and can be applied to multiple computers & users.
User Configuration Policies ⇒ Each GPO has a user
configuration and computer configuration section. The user
configuration policy only apply to users.
Computer Configuration Policies ⇒ The GPO computer
configuration policies apply to the computer not the user.
⇒Creating Security and distribution groups in AD
Step:1:- Open Active Directory Users and computers
console and select the container in which you want your new
group to be created.

Step:2:- Right click on left-corner→ New → Groups

Step:3:-Select New Group

Step:4:- Enter the name of the group in the Group Name field
and enter a description

Step:5:-Select the group scope from the available options

(Domain local, global or universal)

Step:6:-Select the Group type as either Security and

Distribution based on your requirements

Step:7:- Select Next and OK to create your group

Example:1:- Block Access to the control panel for all users
1. On the domain controller launch the Group Policy
Management tool. Right click Group Policy Objects and
click New. Provide a name to the GPO and click OK.

2. Right-click the GPO and click edit

3. In the Group Policy Management Editor navigate to

User Configuration Administrative Templates Control
Panel.
4. Right click the policy setting Prohibit access to Control
Panel and PC settings and click Edit. On the Policy
settings page click enabled. Click Apply and then Ok.
5. The policy settings has been configured. To apply the
policy, right click the OU and click Link an Existing GPO

6. Choose the group policy which should be applied to the

OU and click OK.
7. The group policy that we just linked to the OU can be seen
under the OU. Close the Group Policy Management Tool