You put a user in a group to control that user’s access to resources. You put a user in an OU to control who has administrative authority over that user.
它们就像文件服务器(您的AD)上的文件夹(OU)和文件(组):更容易管理整个文件夹而不是单个文件的权限/ ACL,并让它们应用于文件(组)继承自动.这个类比在Access Denied: Understand the Difference Between AD OUs and Groups中有详细解释:
[…] because users and groups have ACLs,you can delegate portions of administrative authority to subadministrators. But,just as separately maintaining the ACL of every file is impractical,so is separately controlling administrative authority on each user or group object. Therefore,you can collect into an OU all the users and groups that you want to enable a particular subadministrator to manage,then grant the proper authority over the OU to that subadministrator. Permissions you define in an OU’s ACL flow down to all the users and groups in that OU,just as folder ACLs flow down to all the files in a folder.
区别:
>您可以将组策略链接到OU,但不能链接到组
>您可以为组提供文件/文件夹/共享权限,但不能为OU提供权限
>组有SID,OU没有
建议:
>您应该使用OU来组织Active Directory,以便更容易管理(例如,将用户和组的管理控制委派给其他管理员)
>您应该使用组来授予资源权限(例如,在文件服务器上读取共享权限)
>来自链接资源:
To help you keep OUs and groups straight,remember that a user can be a member of many groups but can reside in only one OU,just as a file can reside in only one folder.
所以你应该用它们来做不同的事情.
