Organizational Unit
In computing, an Organizational Unit (OU) provides a way of classifying objects located in directories, or names in a digital certificate hierarchy, typically used either to differentiate between objects with the same name (John Doe in OU "marketing" versus John Doe in OU "customer service"), or to parcel out authority to create and manage objects (for example: to give rights for user-creation to local technicians instead of having to manage all accounts from a single central group). Organizational Units most commonly appear in X.500 directories, X.509 certificates, Lightweight Directory Access Protocol (LDAP) directories, Active Directory (AD), and Lotus Notes directories and certificate trees, but they may feature in almost any modern directory or digital certificate container grouping system.
In most systems, Organizational Units appear within a top-level Organization grouping or Organization certificate, called a Domain. In many systems one OU can also exist within another OU. When OUs are nested, as one OU contains another OU, this creates a relationship where the contained OU is called the child and the container is called the parent. Thus, OUs are used to create a hierarchy of containers within a domain. Only OUs within the same domain can have relationships. OUs of the same name in different domains are independent.
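The nesting and same-domain rules above, as an added example that is not part of the original article. It assumes entries are named with LDAP string distinguished names (DNs); the example.com and example.org DNs, the OU names and the helper functions are constructed for illustration.

```python
# Added example; every DN below is a constructed sample value.
# Assumes LDAP string DNs (RFC 4514) with single-valued RDNs and
# case-insensitive matching of OU, CN and DC values.

def split_rdns(dn):
    """Split a DN into RDNs, keeping backslash-escaped commas inside a value."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":                    # unescaped comma ends the RDN
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]

def parse(dn):
    """Return (domain, ou_path, leaf); ou_path is ordered parent -> child."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip().lower()))
    domain = ".".join(v for a, v in pairs if a == "DC")
    ou_path = tuple(v for a, v in reversed(pairs) if a == "OU")
    leaf = next((v for a, v in pairs if a == "CN"), None)
    return domain, ou_path, leaf

def is_within(object_dn, ou_dn):
    """True if object_dn is in ou_dn or a child OU of it, in the same domain."""
    obj_domain, obj_ous, _ = parse(object_dn)
    ou_domain, ou_path, _ = parse(ou_dn)
    return (obj_domain == ou_domain and bool(ou_path)
            and obj_ous[:len(ou_path)] == ou_path)

JOHN_MARKETING = "CN=John Doe,OU=Marketing,DC=example,DC=com"
JOHN_SERVICE = "CN=John Doe,OU=Customer Service,DC=example,DC=com"
JANE = "CN=Jane Roe,OU=Recruiting,OU=Human Resources,DC=example,DC=com"
HR_OU = "OU=Human Resources,DC=example,DC=com"
HR_OU_OTHER_DOMAIN = "OU=Human Resources,DC=example,DC=org"
```

A check like `is_within` is the kind of test a provisioning script can run before acting on an object, so that rights delegated for one OU subtree are not applied to a same-named OU in another domain.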
Specific uses
The name "Organizational Unit" appears to represent a single organization with multiple units (departments) within that organization. However, OUs do not always follow this model. They might represent geographical regions, job-functions, associations with other (external) groups, or the technology used in relation to the objects. Examples would include:
- Department (e.g. Human Resources) within a corporation
- Division (e.g. LifeScan, Inc.) that is owned by but separate from a parent corporation (Johnson & Johnson), although this would commonly be placed in a separate domain
- Association (e.g. Contractors) that is external to the organization.
To identify geographically distinct regions (e.g. Kansas City) the X.521 standard recommends a "Locality" entry instead.
Job types or functions (e.g. Managers, Storage Servers) that run across all divisions of a company should be represented by an "Organizational Role" entry.
Sun Enterprise Directory Server and Active Directory
In Sun Java System Directory Server and Microsoft Active Directory (AD), an Organizational Unit (OU) can contain any other unit, including other OUs, users, groups, and computers. OUs in separate Domains may have identical names but are independent of each other.
OUs let an administrator group computers and users so as to apply a common policy to them. OUs give a hierarchical structure, and when properly designed can ease administration.
Origins with X.500, Novell, and Lotus Software
Novell and Lotus supplied the two largest software directory systems. Each of these companies started with flat account and directory structures, and encountered the support and name-conflict limitations inherent in their flat structures. They adopted the X.500 OU concept into their next-generation software around 1993 -- Novell with the release of Novell Directory Services (subsequently known as eDirectory), and Lotus with the release of the third version of Lotus Notes. Microsoft allegedly used Novell's directory as a blueprint for the first released versions of AD, but this claim appears suspect, given that X.500 served as the "granddaddy" of all directory systems.