1
00:00:00,460 --> 00:00:07,600
Now that we've talked a bit about the AD DS domain, let's switch over to OUs.

2
00:00:07,630 --> 00:00:17,740
What are OUs? An organizational unit is a container object within a domain that you can use to consolidate

3
00:00:17,740 --> 00:00:22,150
users, computers, groups and other objects.

4
00:00:22,180 --> 00:00:27,520
Now, what is the difference between an organizational unit and a container?

5
00:00:27,550 --> 00:00:32,940
You have to remember that containers are not organizational units.

6
00:00:32,950 --> 00:00:43,120
Although containers can hold objects, they cannot have group policy objects or GPOs linked to them.

7
00:00:43,150 --> 00:00:52,000
Therefore, if you want to assign a group policy object other than a domain-level GPO to an object,

8
00:00:52,000 --> 00:00:56,840
it must be located in an organizational unit.

9
00:00:56,860 --> 00:01:07,240
So as I said, you can link GPOs directly to an OU to manage the objects contained in the OU.

10
00:01:07,300 --> 00:01:09,700
You can also assign an OU

11
00:01:09,700 --> 00:01:16,120
manager and associate a COM+ partition with an OU.

12
00:01:16,210 --> 00:01:24,070
Of course, you can create new organizational units in Active Directory by using Active Directory Administrative

13
00:01:24,070 --> 00:01:29,200
Center or Active Directory Users and Computers.

14
00:01:29,230 --> 00:01:32,440
There are two reasons to create an OU.

15
00:01:32,470 --> 00:01:41,470
The first reason is to group objects together to make it easier to manage them by applying group policies

16
00:01:41,470 --> 00:01:43,150
to the whole group.

17
00:01:43,180 --> 00:01:50,800
When you assign group policy to an organizational unit, the settings apply to all the objects within

18
00:01:50,800 --> 00:02:00,550
the OU. GPOs are policies that administrators create to manage and configure settings for computers

19
00:02:00,550 --> 00:02:01,490
or users.

20
00:02:01,510 --> 00:02:07,190
You deploy the GPOs by linking them to OUs, domains, and sites.

21
00:02:07,210 --> 00:02:14,790
Another reason is to delegate administrative control of objects within the organizational unit.

22
00:02:14,800 --> 00:02:19,300
You can assign management permissions on an OU,

23
00:02:19,300 --> 00:02:28,540
thereby delegating control of that OU to a user or group within Active Directory in addition

24
00:02:28,540 --> 00:02:30,880
to the Domain Admins group.

25
00:02:30,910 --> 00:02:39,880
Please note that you can use OUs to represent the hierarchical logical structures within your organization.

26
00:02:39,880 --> 00:02:49,030
For example, you can create OUs that represent the departments within your organization, the geographic

27
00:02:49,030 --> 00:02:58,350
regions within your organization, or a combination of both departmental and geographic regions.

28
00:02:58,360 --> 00:03:07,540
You can use OUs to manage the configuration and use of user, group, and computer accounts based on

29
00:03:07,540 --> 00:03:09,640
your organizational model.

30
00:03:09,670 --> 00:03:12,790
Now some words about generic containers.

31
00:03:12,820 --> 00:03:21,390
Active Directory contains several built-in containers or generic containers such as Users and Computers.

32
00:03:21,400 --> 00:03:29,740
These containers store system objects or act as the default parent objects to new objects that you

33
00:03:29,740 --> 00:03:30,460
create.

34
00:03:30,520 --> 00:03:36,220
Do not confuse these generic container objects with organizational units.

35
00:03:36,250 --> 00:03:44,290
As I've said before, the primary difference between organizational units and containers is the management

36
00:03:44,290 --> 00:03:45,520
capabilities.

37
00:03:45,550 --> 00:03:49,230
Containers have limited management capabilities.

38
00:03:49,240 --> 00:03:54,880
For example, you cannot apply a group policy directly to a container.

39
00:03:54,880 --> 00:04:02,680
Installing Active Directory creates the Domain Controllers organizational unit and several generic

40
00:04:02,680 --> 00:04:05,440
container objects by default.

41
00:04:05,560 --> 00:04:13,930
Active Directory uses some of these default objects primarily, and they are hidden by default.

42
00:04:14,080 --> 00:04:20,810
The following objects are visible by default within the Active Directory Administrative Center.

43
00:04:20,830 --> 00:04:28,750
So let me open Active Directory Administrative Center and we'll take a look at generic containers.

44
00:04:28,750 --> 00:04:29,950
We've got domain.

45
00:04:29,950 --> 00:04:35,020
It is the top level of the domain organizational hierarchy.

46
00:04:35,110 --> 00:04:38,020
Next up, we've got the Builtin container.

47
00:04:38,050 --> 00:04:42,250
This is a container that stores several default groups.

48
00:04:42,280 --> 00:04:46,750
We've got containers such as the Computers container.

49
00:04:46,780 --> 00:04:54,460
It's a default location for new computer accounts that you create in the domain. ForeignSecurityPrincipals

50
00:04:54,460 --> 00:04:55,450
container.

51
00:04:55,480 --> 00:04:59,920
This is the default location for trusted objects from domains

52
00:05:00,260 --> 00:05:08,720
outside the Active Directory forest that you add to a group in the Active Directory domain. There is

53
00:05:08,720 --> 00:05:11,670
the Managed Service Accounts container.

54
00:05:11,690 --> 00:05:21,020
It's the default location for managed service accounts and it provides automatic password management

55
00:05:21,020 --> 00:05:23,540
in managed service accounts.

56
00:05:23,570 --> 00:05:26,180
Next up is the Users container.

57
00:05:26,210 --> 00:05:33,080
It's the default location for new user accounts and groups that you create in the domain.

58
00:05:33,110 --> 00:05:41,510
The Users container also holds the administrator and guest accounts for the domain and for some default

59
00:05:41,510 --> 00:05:42,260
groups.

60
00:05:42,290 --> 00:05:46,580
Next up is the Domain Controllers organizational unit.

61
00:05:46,610 --> 00:05:51,110
It's the default location for domain controllers' computer accounts.

62
00:05:51,140 --> 00:05:57,440
This is the only OU that is present in a new installation of Active Directory.

63
00:05:57,530 --> 00:06:05,870
There are several containers that you can discover only when you click Advanced Features on the View

64
00:06:05,870 --> 00:06:06,590
menu.

65
00:06:06,620 --> 00:06:13,910
So let me click on Advanced Features and we'll see the following objects, which are hidden by default:

66
00:06:14,000 --> 00:06:15,470
LostAndFound.

67
00:06:15,470 --> 00:06:20,750
This container holds orphaned objects. Program Data.

68
00:06:20,780 --> 00:06:28,250
This container holds Active Directory data for Microsoft applications, such as Active Directory Federation

69
00:06:28,250 --> 00:06:31,570
Services or AD FS.

70
00:06:31,670 --> 00:06:34,010
Next one is System.

71
00:06:34,040 --> 00:06:40,320
This container holds the built-in system settings. NTDS Quotas.

72
00:06:40,340 --> 00:06:46,820
This container holds directory service quota data. And TPM Devices.

73
00:06:46,820 --> 00:06:51,130
This container is new with Windows Server 2016.

74
00:06:51,140 --> 00:06:58,590
It stores the recovery information for Trusted Platform Module or TPM devices.

75
00:06:58,610 --> 00:07:08,120
I remind you once again, containers in an Active Directory domain cannot have GPOs or group policy objects

76
00:07:08,150 --> 00:07:15,110
linked to them. To link GPOs to apply configurations and restrictions,

77
00:07:15,140 --> 00:07:24,500
you have to create a hierarchy of OUs or organizational units and then link the GPOs to them.

78
00:07:24,530 --> 00:07:27,680
Some words about hierarchy design.

79
00:07:27,680 --> 00:07:36,090
The administrative needs of the organization dictate the design of an OU hierarchy.

80
00:07:36,110 --> 00:07:46,760
It could be geographic, functional, resource, or user classifications that influence the design. Whatever

81
00:07:46,760 --> 00:07:47,580
the order,

82
00:07:47,600 --> 00:07:56,930
the hierarchy should make it possible to administer Active Directory resources as effectively and flexibly

83
00:07:56,930 --> 00:07:58,110
as possible.

84
00:07:58,130 --> 00:08:06,440
For example, if you need to configure all IT administrators' computers in a certain way, you can group

85
00:08:06,440 --> 00:08:14,180
all the computers in an OU and then assign a GPO to manage those computers.

86
00:08:14,210 --> 00:08:18,020
You can also create OUs within other OUs.

87
00:08:18,020 --> 00:08:26,660
For example, your organization might have multiple offices, each with its own IT administrator who

88
00:08:26,660 --> 00:08:30,800
is responsible for managing user and computer accounts.

89
00:08:30,830 --> 00:08:39,180
In addition, each office might have different departments with different computer configuration requirements.

90
00:08:39,200 --> 00:08:48,140
In this situation, you can create an OU for each office and then within each of those OUs, create

91
00:08:48,140 --> 00:08:57,000
an OU for the IT administrators and an organizational unit for each of the other departments.

92
00:08:57,020 --> 00:09:06,350
Although there is no limit to the number of levels in your organizational unit structure, limit your

93
00:09:06,650 --> 00:09:13,700
OU structure to a depth of no more than ten levels to ensure manageability.

94
00:09:13,730 --> 00:09:21,200
Most organizations use five levels or fewer to simplify administration.

95
00:09:21,230 --> 00:09:30,920
Note that applications that work with AD DS can impose restrictions on the OU depth within the hierarchy

96
00:09:30,920 --> 00:09:35,570
for the parts of the hierarchy that they use.