In computing, an Organizational Unit (OU) provides a way of classifying objects located in directories, or names in a digital certificate hierarchy, typically used either to differentiate between objects with the same name (John Doe in OU "marketing" versus John Doe in OU "customer service"), or to parcel out authority to create and manage objects (for example: to give rights for user-creation to local technicians instead of having to manage all accounts from a single central group). Organizational Units most commonly appear in X.500 directories, X.509 certificates, Lightweight Directory Access Protocol (LDAP) directories, Active Directory (AD), and Lotus Notes directories and certificate trees, but they may feature in almost any modern directory or digital certificate container grouping system. Originally, the word computing was synonymous with counting and calculating, and a science that deals with the original sense of computing mathematical calculations. ... In computing, a directory, catalog, or folder, is an entity in a file system which contains a group of files and other directories. ... In cryptography, a public key certificate (or identity certificate) is a certificate which uses a digital signature to bind together a public key with an identity — information such as a the name of a person or an organisation, their address, and so forth. ... For the various types of hierarchy, see hierarchy (disambiguation) A hierarchy (in Greek: Ιεραρχία, it is derived from ιερός-hieros, sacred, and άρχω-arkho, rule) is a system of ranking and organizing things or people, where each element of the system (except for the top element) is subordinate to a single other element. ... X.500 is the set of ITU-T computer networking standards covering electronic directory services such as white pages, Knowbot and whois. ... In cryptography, X.509 is an ITU-T standard for public key infrastructure (PKI). ... In computer networking, the Lightweight Directory Access Protocol, or LDAP (ell-dap), is a networking protocol for querying and modifying directory services running over TCP/IP. An LDAP directory usually follows the X.500 model: It is a tree of entries, each of which consists of a set of named... Typically Active Directory is managed using the graphical Microsoft Management Console. ... IBM Lotus Notes 7 customized Welcome Page. ... In computing, a directory, catalog, or folder, is an entity in a file system which contains a group of files and other directories. ... In cryptography, a public key certificate (or identity certificate) is a certificate which uses a digital signature to bind together a public key with an identity — information such as a the name of a person or an organisation, their address, and so forth. ... Containers in the port of Kotka (Finland) on the Baltic Sea. ...

In most systems, Organizational Units appear within a top-level Organization grouping or Organization certificate, though in many systems one OU can also exist within another OU.

Specific uses

The nomenclature "Organizational Unit" assumes that the structure represents a single organization with multiple units (departments) within the main organization. However, the construction of OUs does not always follow this model. They might represent regions; job-functions separate from the corporate hierarchy (for example: union groupings or job-types that tend to run across all divisions of a [[company[[); or an association with an IT group supporting a group of users or objects; or the technology used in relation to the objects. [[[[[[Information technology]]]]]] (IT) or Information and communication(s) technology (ICT) (also Infocomm, esp. ...

However, OUs commonly represent job functions, so the structure of OUs tends to follow the structure of a company modelled in organizational or geographical terms. An OU features hierarchy in that it can contain other OUs. Indeed, a domain contains OUs, they function as containers in this sense, and can hold multiple nested OUs. For the various types of hierarchy, see hierarchy (disambiguation) A hierarchy (in Greek: Ιεραρχία, it is derived from ιερός-hieros, sacred, and άρχω-arkho, rule) is a system of ranking and organizing things or people, where each element of the system (except for the top element) is subordinate to a single other element. ...

For AD, Microsoft recommends as few domains as possible and a reliance on OUs to produce structure and policies. Group Policy settings apply most commonly to OUs and not to domains or to groups, which AD stores as Group Policy Objects (GPOs), although GPOs can also model domains or sites. The OU represents the lowest level to which AD can delegate administrative powers. OUs differ from Security Groups in that one can apply Group Policies to them and that they model hierarchies (one can put an OU in an OU.) Microsoft Corporation (NASDAQ: MSFT, HKSE: 4338) is an international computer technology corporation with 2005 global annual sales of US$42. ... Group Policy is part of Microsofts IntelliMirror technology which aims to reduce the overall cost of supporting users of Windows. ... In the Windows 2000 operating system, a Group Policy Object (GPO) is a collection of settings that define what a system will look like and how it will behave for a defined group of users. ...

In AD, OUs can contain any other unit, including other OUs and so on. OUs let an administrator group computers and users so as to apply a common policy to them.

OUs give a domain a hierarchical structure, and when well designed can ease administration. A Windows Server domain or Windows NT Domain is a logical group of computers running versions of the Microsoft Windows operating system that share a central directory database. ...

Origins with X.500, Novell, and Lotus Software

The idea of OUs started with X.500 directories. Before implementations of these became common, Novell and Lotus supplied the two largest software directory systems. Each of these companies started with flat account and directory structures, and encountered the support and name-conflict limitations inherent in their flat structures. They adopted the X.500 OU concept into their next-generation software around 1993 -- Novell with the release of Novell Directory Services (subsequently known as eDirectory), and Lotus with the release of the third version of Lotus Notes. Microsoft allegedly used Novell's directory as a blueprint for the first released versions of AD, but this claim appears suspect, given that X.500 served as the "granddaddy" of all directory systems. X.500 is the set of ITU-T computer networking standards covering electronic directory services such as white pages, Knowbot and whois. ... Novell, Inc. ... Lotus Software (called Lotus Development Corporation before its acquisition by IBM) is an American software company with its headquarters in Cambridge, Massachusetts. ... Novell eDirectory (formerly called Novell Directory Services) is an X.500 compatible directory service software product released in 1993 by Novell, Inc. ... IBM Lotus Notes 7 customized Welcome Page. ...

NDS/eDirectory features three classes of objects, namely: Roots, Containers, and Leafs. These make up the NDS/eDirectory database. The product supports three types of container objects: Country (C=), Organizations (O=), and Organizational Units (OU=).

Lotus Notes uses the same container classes (Country, Organization, and Organizational Unit). Typically, the form of these levels comes about by setting up a top-level Organization certifier, and then OU certifiers within the O certifier (or within another OU, up to four OUs deep). Any object created with an OU inherits its hierarchy, so for an O called "Acme," with two OUs, "Factory" and "Office" set up within it, the OUs automatically get named "Factory/Acme" and "Office/Acme." If regional OUs appear within these top OUs, they would further reflect the hierarchy as (for example) "East/Factory/Acme", etc. Users and servers created from the certifiers will inherit the OU certifier hierarchies as well, so that user "John Doe" set up within the second-level OU "East/Factory/Acme" will actually have the name "John Doe/East/Factory/Acme," or, canonically: "CN=John Doe/OU=East/OU=Factory/O=Acme" ("CN" stands for "common name"). The "C" (country) level remains optional, and most organizations do not use it within Lotus Notes. User IDs registered without a certifier, and with just a directory entry, can have an arbitrary containment hierarchy; only the certifier hierarchy limits an administrator's naming choices.

In most other directories, the containment hierarchy functions as a strict object-hierarchy, and the OUs actually live within an O, and leaf objects within the OUs; without creating the OU object one cannot create a lower level object utilizing an OU name.