Introduction
An LDAP directory such as Active Directory stores data in a
hierarchy of containers and leaf nodes called the directory
information tree (DIT). Leaf nodes are end points in the tree, while
containers can hold other containers and leaf nodes. In Active
Directory, the two most common types of containers are organizational
units (OUs) and container objects. Container objects are generic:
they have no special properties other than being able to hold other
objects. Organizational units, on the other hand, have additional
properties, such as the ability to have group policy linked to them.
Because group policy is linked at the OU level, where an object sits
in the OU hierarchy determines which GPOs apply to it. In most cases,
when designing a hierarchy of objects in Active Directory, especially
for users and computers, you should use OUs instead of containers.
There is nothing you can do with a container that you can't do with
an OU, but the reverse is not true.
The Anatomy of an Organizational Unit
Organizational units can be created anywhere
in a domain naming context. The one exception is that, by default,
an OU cannot be added as a child of a container object (for example,
the default Users or Computers containers).
See Recipe 5.10 for how to work around this. OUs are represented in
Active Directory by organizationalUnit objects. Table 5-1 lists some
interesting attributes that are available on organizationalUnit objects.
Table 5-1. Attributes of organizationalUnit objects

Attribute | Description
description | Textual description of the OU.
gPLink | List of group policy objects (GPOs) linked to the OU. Each entry has the form [LDAP://<GPO DN>;<link options>], where the link options value is 0 for a normal link, 1 for a disabled link and 2 for an enforced link. The attribute is absent when no GPO is linked. See Recipe 5.11 for more information.
gpOptions | Contains 1 if GPO inheritance is blocked on the OU and 0 otherwise. On most OUs the attribute is not set at all, which is equivalent to 0.
msDS-Approx-Immed-Subordinates | Approximate number of direct child objects in the OU. This is a constructed attribute computed by the domain controller at query time, so it is returned only when requested by name. See Recipe 5.8 for more information.
managedBy | Distinguished name (DN) of the user or group in charge of managing the OU. This is informational only; setting it grants no permissions on the OU.
ou | Name of the OU, which is the value used as its relative distinguished name (RDN).
modifyTimestamp | Timestamp of when the OU was last modified. This is an operational attribute derived from whenChanged and is returned only when requested by name.
createTimestamp | Timestamp of when the OU was created. This is an operational attribute derived from whenCreated and is returned only when requested by name.
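The gPLink and gpOptions values in Table 5-1 are what you read when auditing which GPOs actually take effect on an OU, and both are easy to misread by eye: a GPO can be listed in gPLink yet be disabled, or be enforced so that it wins over anything set lower in the tree, and a blocking OU hides every non-enforced GPO linked above it. The following Python is an added example, not code from the book, that parses a gPLink value into its individual links and interprets the link option bits and gpOptions. The OU record, DNs and GUIDs are constructed for the example; the only assumption beyond the attribute formats described above is that the values have already been read from the directory (for instance with ldapsearch or the ActiveDirectory PowerShell module) and are passed in as strings and integers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Link option bits stored after the ';' in each gPLink entry.
LINK_DISABLED = 1
LINK_ENFORCED = 2

# gpOptions bit: 1 means "Block Inheritance" is set on the OU.
GPOPTIONS_BLOCK_INHERITANCE = 1

# One gPLink entry looks like [LDAP://<GPO DN>;<options>]; entries are
# concatenated with no separator.
_ENTRY_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
_GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)


@dataclass(frozen=True)
class GpoLink:
    dn: str       # DN of the groupPolicyContainer object
    guid: str     # the {GUID} portion of the DN, upper-cased
    options: int  # raw link option bits

    @property
    def enforced(self) -> bool:
        return bool(self.options & LINK_ENFORCED)

    @property
    def disabled(self) -> bool:
        return bool(self.options & LINK_DISABLED)


def parse_gplink(value: Optional[str]) -> List[GpoLink]:
    """Split a gPLink attribute value into its links, in the order stored.

    An absent or empty attribute (no GPOs linked) yields an empty list.
    """
    if not value:
        return []
    links = []
    for dn, opts in _ENTRY_RE.findall(value):
        m = _GUID_RE.search(dn)
        guid = m.group(0).upper() if m else ""
        links.append(GpoLink(dn=dn, guid=guid, options=int(opts)))
    return links


def inheritance_blocked(gp_options: Optional[int]) -> bool:
    """gpOptions is usually absent; absent is equivalent to 0 (not blocked)."""
    return bool((gp_options or 0) & GPOPTIONS_BLOCK_INHERITANCE)


def summarize_ou(gplink: Optional[str], gp_options: Optional[int]) -> dict:
    """Reduce an OU's gPLink/gpOptions pair to the facts an auditor wants."""
    links = parse_gplink(gplink)
    return {
        "blocks_inheritance": inheritance_blocked(gp_options),
        "linked": [l.guid for l in links],
        "enforced": [l.guid for l in links if l.enforced],
        "disabled": [l.guid for l in links if l.disabled],
    }


# Constructed sample OU record (made-up DNs and GUIDs): three linked GPOs,
# one normal, one enforced, one disabled, with Block Inheritance set.
SAMPLE_OU = {
    "distinguishedName": "OU=Servers,DC=example,DC=com",
    "gPLink": (
        "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=example,DC=com;0]"
        "[LDAP://cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},cn=policies,cn=system,DC=example,DC=com;2]"
        "[LDAP://cn={99999999-8888-7777-6666-555555555555},cn=policies,cn=system,DC=example,DC=com;1]"
    ),
    "gpOptions": 1,
}

if __name__ == "__main__":
    for link in parse_gplink(SAMPLE_OU["gPLink"]):
        print(f"{link.guid} enforced={link.enforced} disabled={link.disabled}")
    print(summarize_ou(SAMPLE_OU["gPLink"], SAMPLE_OU.get("gpOptions")))
```

Run the same summarize_ou over every OU returned by a subtree search for (objectClass=organizationalUnit), requesting gPLink and gpOptions explicitly, and the OUs with blocks_inheritance set or non-empty enforced lists are the ones whose effective policy differs from what a glance at the tree suggests.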