Windows server. The difference between organisation units and groups? (Active directory)


OUs contain user objects, groups have a list of user objects.

You put a user in a group to control that user's access to resources. You put a user in an OU to control who has administrative authority over that user.

They're like folders (OU) and files (groups) on a file server (your AD): it is easier to manage permissions/ACLs on whole folders instead of single files, and let them be applied to the files (groups) by inheritance automatically. This analogy is explained in detail in Access Denied: Understand the Difference Between AD OUs and Groups:

[...] because users and groups have ACLs, you can delegate portions of administrative authority to subadministrators. But, just as separately maintaining the ACL of every file is impractical, so is separately controlling administrative authority on each user or group object. Therefore, you can collect into an OU all the users and groups that you want to enable a particular subadministrator to manage, then grant the proper authority over the OU to that subadministrator. Permissions you define in an OU's ACL flow down to all the users and groups in that OU, just as folder ACLs flow down to all the files in a folder.


  • You can link group policies to OUs, but not groups
  • You can give file/folder/share permissions to groups, but not OUs
  • Groups have a SID, OUs do not


  • You should use OUs to organize your Active Directory, so it's easier to manage (for example to delegate administrative control over users & groups to other administrators)
  • You should use groups to give permission on resources (for example read permissions of a share on a file server)
  • From the linked resource:

    To help you keep OUs and groups straight, remember that a user can be a member of many groups but can reside in only one OU, just as a file can reside in only one folder.

So you should use them both to do different things.