An LDAP directory such as Active Directory stores data in a hierarchy of containers and leaf nodes called the directory information tree (DIT). Leaf nodes are end points in the tree, while containers can hold other containers and leaf nodes. In Active Directory, the two most common types of containers are organizational units (OUs) and container objects. Container objects are generic containers with no special properties beyond the ability to hold other objects. Organizational units, on the other hand, have additional capabilities, such as the ability to link a Group Policy Object (GPO) to an OU. In most cases when designing a hierarchy of objects in Active Directory, especially for users and computers, you should use OUs instead of containers. There is nothing you can do with a container that you can't do with an OU, but the reverse is certainly not the case.

The Anatomy of an Organizational Unit

Organizational units can be created as a child of a domain object or of another OU; by default, OUs cannot be added as a child of a container object. (See Recipe 5.13 for more on how to work around this.) OUs themselves are represented in Active Directory by organizationalUnit objects. The following table lists some of the more interesting attributes available on organizationalUnit objects.

Attributes of organizationalUnit objects

Attribute                        Description
description                      Textual description of the OU.
gPLink                           List of GPOs that have been linked to the OU. See Recipe 5.14 for more information.
gPOptions                        Contains 1 if GPO inheritance is blocked and 0 otherwise.
msDS-Approx-Immed-Subordinates   Approximate number of direct child objects in the OU. See Recipe 5.11 for more information.
managedBy                        DN of the user or group that is in charge of managing the OU.
ou                               Relative distinguished name of the OU.
whenChanged                      Timestamp of when the OU was last modified.
whenCreated                      Timestamp of when the OU was created.
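The gPLink and gPOptions values in the table are what determine which GPOs actually apply to an OU, so they are the first things to read when auditing (or targeting) the policy that governs a set of users or computers. gPLink is a single string of "[LDAP://<GPO DN>;<options>]" entries, where the options value is a bitmask (1 = link disabled, 2 = enforced); gPOptions is "1" when Block Inheritance is set. The parser below is an added example, not code from the book; the GPO GUIDs and the example.com domain in the sample values are constructed, and the function names are this example's own.

```python
"""Interpret the gPLink and gPOptions attributes of an organizationalUnit."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values, as they might be read back from an OU over LDAP.
# The GPO GUIDs and the domain are made up for this example.
SAMPLE_GPLINK = (
    "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=example,DC=com;0]"
    "[LDAP://cn={66666666-7777-8888-9999-AAAAAAAAAAAA},cn=policies,cn=system,DC=example,DC=com;2]"
    "[LDAP://cn={BBBBBBBB-CCCC-DDDD-EEEE-FFFFFFFFFFFF},cn=policies,cn=system,DC=example,DC=com;1]"
)
SAMPLE_GPOPTIONS = "1"

# Bits in the per-link options field of gPLink.
LINK_DISABLED = 0x1   # link exists but the GPO is not applied
LINK_ENFORCED = 0x2   # "No Override": survives Block Inheritance lower in the tree
# Bit in gPOptions.
GPOPTIONS_BLOCK_INHERITANCE = 0x1

# A GPO DN contains commas and braces but never ';' or ']', which delimit links.
_LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
_GUID_RE = re.compile(r"\{([0-9A-F-]+)\}", re.IGNORECASE)


@dataclass
class GpoLink:
    dn: str
    guid: str
    enforced: bool
    disabled: bool


def parse_gplink(gplink: Optional[str]) -> List[GpoLink]:
    """Split a gPLink value into its individual links, in the order stored."""
    if not gplink:          # attribute absent or empty: no GPOs linked here
        return []
    links = []
    for dn, opts in _LINK_RE.findall(gplink):
        flags = int(opts)
        m = _GUID_RE.search(dn)
        guid = m.group(1).upper() if m else ""
        links.append(GpoLink(dn=dn, guid=guid,
                             enforced=bool(flags & LINK_ENFORCED),
                             disabled=bool(flags & LINK_DISABLED)))
    return links


def blocks_inheritance(gpoptions: Optional[str]) -> bool:
    """gPOptions is normally absent or "0"; "1" means Block Inheritance is set."""
    if not gpoptions:
        return False
    return bool(int(gpoptions) & GPOPTIONS_BLOCK_INHERITANCE)


def summarize_ou_policy(gplink: Optional[str], gpoptions: Optional[str]) -> dict:
    """Report which of the OU's own links are applied, which are enforced,
    which are disabled, and whether the OU blocks GPOs inherited from its
    parents (enforced links on a parent still apply regardless)."""
    links = parse_gplink(gplink)
    return {
        "applied": [ln.guid for ln in links if not ln.disabled],
        "enforced": [ln.guid for ln in links if ln.enforced and not ln.disabled],
        "disabled": [ln.guid for ln in links if ln.disabled],
        "blocks_inheritance": blocks_inheritance(gpoptions),
    }


if __name__ == "__main__":
    print(summarize_ou_policy(SAMPLE_GPLINK, SAMPLE_GPOPTIONS))
```

Feed the two strings read from any OU (for example via an LDAP search for gPLink and gPOptions) into summarize_ou_policy. A link reported under "disabled" is still visible in the directory but does nothing, which is worth flagging when reviewing a domain: a disabled link to a hardening GPO looks the same as a live one at a glance. Note that the summary only covers the OU's own links; the full set of GPOs applied to an object also depends on links on the parent OUs, the domain and the site, filtered by any Block Inheritance along the way.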
