Organizational unit


In computing, an organizational unit provides a way of classifying objects located in directories, or names in a digital certificate hierarchy, typically used either to differentiate between objects with the same name, or to parcel out authority to create and manage objects. Organizational units most commonly appear in X.500 directories, X.509 certificates, Lightweight Directory Access Protocol directories, Active Directory, and Lotus Notes directories and certificate trees, but they may feature in almost any modern directory or digital certificate container grouping system.
In most systems, organizational units appear within a top-level organization grouping or organization certificate, called a domain. In many systems one OU can also exist within another OU. When OUs are nested, as one OU contains another OU, this creates a relationship where the contained OU is called the child and the container is called the parent. Thus, OUs are used to create a hierarchy of containers within a domain. Only OUs within the same domain can have relationships. OUs of the same name in different domains are independent.

Specific uses

The name organizational unit appears to represent a single organization with multiple units within that organization. However, OUs do not always follow this model. They might represent geographical regions, job-functions, associations with other groups, or the technology used in relation to the objects.
Examples would include:
  • Department within a corporation
  • Division that is owned by but separate from a parent corporation, although this would commonly be placed in a separate domain
  • Association that is external to the organization.
  • To identify geographically distinct regions the X.521 standard recommends a "locality" entry instead.
  • Job types or functions that runs across all divisions of a company should be represented by an "organizational role" entry.

Sun Enterprise Directory Server and Active Directory

In Sun Java System Directory Server and Microsoft Active Directory, an organizational unit can contain any other unit, including other OUs, users, groups, and computers. Organizational units in separate domains may have identical names but are independent of each other.
OUs let an administrator group computers and users so as to apply a common policy to them. Organizational Units give a hierarchical structure, and when properly designed can ease administration.

Origins with X.500, Novell, and Lotus software

Novell and Lotus supplied the two largest software directory systems. Each of these companies started with flat account and directory structures, and encountered the support and name-conflict limitations inherent in their flat structures. They adopted the X.500 OU concept into their next-generation software around 1993 – Novell with the release of Novell Directory Services, and Lotus with the release of the third version of Lotus Notes. Microsoft allegedly used Novell's directory as a blueprint for the first released versions of AD, but this claim appears suspect, given that X.500 served as the "granddaddy" of all directory systems.