April 14, 2011, 5:13 p.m.
posted by trystan
An LDAP directory such as Active Directory stores data in a hierarchy of containers and leaf nodes called the directory information tree (DIT). Leaf nodes are end points in the tree, while containers can store other containers and leaf nodes. In Active Directory, the two most common types of containers are organizational units ( OUs) and container objects. The container objects are generic containers that do not have any special properties about them other than that they can contain objects. Organizational units, on the other hand, have some special properties, such as the ability to link a Group Policy Object (GPO) to an OU. In most cases when designing a hierarchy of objects in Active Directory, especially users and computers, you should use OUs instead of containers. There is nothing you can do with a container that you can't do with an OU, but the reverse is certainly not the case.
The Anatomy of an Organizational Unit
Organizational units can be created as a child of a domain object or another OU; by default, OUs cannot be added as a child of a container object. (See Recipe 5.13 for more on how to work around this.) OUs themselves are represented in Active Directory by organizationalUnit objects. Figure contains a list of some interesting attributes that are available on organizationalUnit objects.