Active Directory Basics: OUs, Groups, Users, and Controlling Access

Active Directory (AD) is not just a user database — it is a powerful access-control system. When designed correctly, it lets you control who can log in, which apps they can use, and even how much internet bandwidth they get.

This post explains:

• What OUs and Groups are

• How to set up users

• How to control access to applications, internet, and resources

---

1. What Is an Organizational Unit (OU)?

An Organizational Unit (OU) is a container used to organize objects in Active Directory.

OUs can contain:

• Users

• Computers

• Groups

• Other OUs

Why OUs matter

• Apply Group Policies (GPOs) to specific users or computers

• Delegate admin control

• Keep AD clean and scalable

Example OU structure:

---

2. Groups in Active Directory (Very Important)

Groups control access.

Common Group Types:

• Security Groups → Used for permissions

• Distribution Groups → Email only (Exchange)

Best Practice Rule:

Users go into Groups. Groups get permissions.

Never assign permissions directly to users.

---

3. Setting Up Users in Active Directory

Step-by-Step:

1. Open Active Directory Users and Computers

2. Navigate to the correct OU

3. Right-click → New → User

4. Enter:

   • Username

   • Full name

   • Password

5. Add user to appropriate security groups

---

4. Controlling Access to Applications

Method 1: Group Policy (GPO)

Use GPOs to:

• Block specific applications

• Allow only approved software

• Control desktop settings

Example:

Apply this GPO to an OU (e.g. Students or Sales).

---

Method 2: Software Deployment

• Use GPO to install applications automatically

• Assign software based on OU or group

Example:

• IT OU → Admin tools

• Accounting OU → Finance software

---

5. Controlling Internet Access & Speed

Active Directory itself does not control internet speed, but it integrates with network tools.

Common Methods:

1. Firewall or Proxy + AD Groups

• Firewall (FortiGate, Sophos, pfSense)

• Proxy (Squid)

Use AD groups:

• Internet_Full

• Internet_Limited

• Internet_Block

The firewall applies:

• Website filtering

• Bandwidth limits

• Time-based access

---

2. Group Policy Restrictions

• Block browser settings

• Disable downloads

• Enforce proxy settings

Example:

---

6. Controlling Wi-Fi and Network Access

Using NPS (RADIUS) with AD:

• Users authenticate using domain credentials

• Access depends on group membership

Example:

• WiFi_Staff → Full network

• WiFi_Guests → Internet only

---

7. Putting It All Together (Real Example)

Scenario: Office Environment

OUs

Groups

• App_Accounting

• App_CRM

• Internet_Limited

• WiFi_Staff

Rules

• Interns:

  • No admin rights

  • Limited internet speed

  • No access to accounting app

• Management:

  • Full access

  • Priority bandwidth

  • VPN access

---

8. Best Practices

✅ Use OUs for policy application
✅ Use groups for access control
✅ Keep OU structure simple
✅ Name groups clearly (App_, WiFi_, VPN_)
❌ Don’t assign permissions directly to users
❌ Don’t overcomplicate OU design

---

9. Common Mistakes

---

Conclusion

A well-designed Active Directory structure using OUs and Groups gives you:

• Centralized control

• Strong security

• Easy scalability

• Clean access management

Active Directory becomes the control center for users, apps, network, and internet access.