User Groups and Organizational Units are two great ways of keeping your Active Directory organized and controlled.
Why would we want to do that? Well, let’s say for example that we have this one shared folder on our network that we want only our Sales Department to have access to.
Without groups in your Active Directory, you would have to go to each individual Sales Department user account and give that account access to that shared folder. That can take quite some time if you have, let’s say … 200 users in your Sales Department.
Instead, what we are going to do is take all the Sales Department user accounts and put them in a Sales User Group. Now when I want to give all of my Sales Users access to that shared folder, I just give the entire Sales Group access to it and voila! All Sales Users now have access to our shared folder!
That’s just so much easier, isn’t it? You can then take the Sales User Group and put it in a Sales Organizational Unit.
An Organizational Unit is really just a folder for organizational purposes, to keep your Active Directory nice and clean. You can add different groups, computers and other resources to an Organizational Unit.
Enough talk, let me show you how you can accomplish all of this in your Windows Server 2008 Active Directory.
Creating an Organizational Unit
1. Start by opening up your Server Manager, then expand the Roles section.
2. Next expand the Active Directory Domain Services section and click on Active Directory Users and Computers.
3. At this point you should be able to see your domain. In our example we are using the Globomantics domain. Go ahead and expand your domain.
4. Now we need to create an Organizational Unit for a group to live in. In our example we are going to create an OU for our Ops Team.
To create a new Organizational Unit, right-click on your domain name, point to the New option and then select Organizational Unit.
5. Type in the name of your OU and make sure that the box is checked next to Protect container from accidental deletion. When done, click OK.
6. We now have a new Organizational Unit in our Active Directory called OpsOU.
Creating a New Group
1. After you create an Organizational Unit in your Active Directory, you are ready to create your first group. Go ahead and select your OU and then right-click in the blank area.
2. Next, point to New and then select Group.
3. The next step is to name your Group, select the scope and then select the type.
In this example we are going to name our group OpsUsers. We are also going to leave the default selections for group scope, which is Global, and group type, which is Security. When you are ready, click OK.
4. Our new group has been created!
Moving Accounts Into a Group
1. In order to move pre-existing accounts into a group, you need to hold down the Control key and click on all the User or Computer accounts that you want to move into that group.
2. Then you need to right-click on any one of those accounts and select Add to a group.
3. Next, you need to type in the group name and let the machine find it.
In our example, I will type in OpsUsers and then click on the Check names button. Once the name is verified and the group is found, the text will become underlined and you can click the OK button. Since we know our group exists, we are going to click OK without verification.
4. Now all of these accounts are part of our OpsUsers group.
Note: Another way of accomplishing this would be to click on an account, hold it, then drag and drop it into a particular group. Depending on how much you like to use your mouse and how much time you have, this may or may not be your preferred way of accomplishing this task.
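The same three procedures (create the OU, create the group, add accounts to it) can also be scripted. This is an added example, not part of the original walkthrough; it assumes the ActiveDirectory PowerShell module is available (it ships with Windows Server 2008 R2 and later, not the original 2008 release), and the account names are constructed placeholders.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Assumption: the ActiveDirectory module is installed and you have rights to create objects.
Import-Module ActiveDirectory

$ouName    = 'OpsOU'      # OU name used in the walkthrough
$groupName = 'OpsUsers'   # group name used in the walkthrough
# Constructed sample sAMAccountNames (computer accounts end in $); replace with real ones.
$accounts  = @('ops.user1', 'ops.user2', 'OPS-PC01$')

$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=$ouName,$domainDN"

# Create the OU directly under the domain, with "Protect container from
# accidental deletion" enabled, unless it already exists.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# Create the group inside the OU with the same defaults as the dialog:
# scope Global, type Security.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
        -GroupScope Global -GroupCategory Security -Path $ouDN
}

# Resolve every account first (the scripted "Check names"), so a mistyped
# name is reported instead of aborting the whole membership change.
$memberDNs = @(foreach ($name in $accounts) {
    $obj = Get-ADObject -Filter "SamAccountName -eq '$name'"
    if ($obj) { $obj.DistinguishedName } else { Write-Warning "Account not found: $name" }
})

# Add only accounts that are not already members, so the script can be re-run.
$current = @(Get-ADGroupMember -Identity $groupName | ForEach-Object { $_.distinguishedName })
$toAdd   = @($memberDNs | Where-Object { $current -notcontains $_ })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $groupName -Members $toAdd
}

# Verify the result: list who is in the group now.
Get-ADGroupMember -Identity $groupName | Sort-Object name |
    Format-Table name, objectClass, distinguishedName -AutoSize
```

Reviewing the final membership listing after each run is a simple way to confirm that only the intended accounts gained whatever access the group carries.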