Reviewing OU Design Concepts

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

The organizational unit (OU) structure for a domain includes the following:

  • A diagram of the OU hierarchy

  • A list of OUs

  • For each OU:

    • The purpose for the OU

    • A list of users or groups that have control over the OU or the objects in the OU

    • The type of control that users and groups have over the objects in the OU

The OU hierarchy does not need to reflect the departmental hierarchy of the organization or group. OUs are created for a specific purpose, such as the delegation of administration, the application of Group Policy, or to limit the visibility of objects.

You can design your OU structure to delegate administration to individuals or groups within your organization that require the autonomy to manage their own resources and data. OUs represent administrative boundaries and enable you to control the scope of authority of data administrators.

For example, you can create an OU called ResourceOU and use it to store all the computer accounts that belong to the file and print servers managed by a group. Then, you can configure security on the OU so that only data administrators in the group have access to the OU. This prevents data administrators in other groups from tampering with the file and print server accounts.

You can further refine your OU structure by creating subtrees of OUs for specific purposes, such as the application of Group Policy or to limit the visibility of protected objects so that only certain users can see them. For example, if you need to apply Group Policy to a select group of users or resources, you can add those users or resources to an OU, and then apply Group Policy to that OU. You can also use the OU hierarchy to enable further delegation of administrative control.

While there is no technical limit to the number of levels in your OU structure, for manageability we recommend that you limit your OU structure to a depth of no more than 10 levels. There is no technical limit to the number of OUs on each level. Note that Active Directory Domain Services (AD DS)-enabled applications might have restrictions on the number of characters used in the distinguished name (that is, the full Lightweight Directory Access Protocol (LDAP) path to the object in the directory) or on the OU depth within the hierarchy.

The OU structure in AD DS is not intended to be visible to end users. The OU structure is an administrative tool for service administrators and for data administrators, and it is easy to change. Continue to review and update your OU structure design to reflect changes in your administrative structure and to support policy-based administration.
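The per-OU items listed at the top of this page (purpose, who has control, type of control) and the 10-level depth recommendation can be collected from a live domain for review. The following PowerShell is an added example, not part of the original documentation. It assumes the RSAT ActiveDirectory module is installed, that each OU's Description attribute is used to record its purpose, and that explicit (non-inherited) Allow entries on the OU are the delegations worth listing.

```powershell
# Added example: build an OU design review report from a live domain.
Import-Module ActiveDirectory

$MaxDepth = 10   # manageability recommendation quoted in the text above

function Get-OUDepth {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split only on unescaped commas (a comma preceded by an even number of
    # backslashes), so an OU named "Sales\, EMEA" counts as one level.
    $parts = [regex]::Split($DistinguishedName, '(?<=(?<!\\)(?:\\\\)*),')
    @($parts | Where-Object { $_ -match '^\s*OU=' }).Count
}

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter * -Properties Description) {
    $dn  = $ou.DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"

    # Explicit Allow ACEs set on this OU itself: who has control, and what type.
    $delegations = $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $_.ActiveDirectoryRights } |
        Sort-Object -Unique

    $depth = Get-OUDepth -DistinguishedName $dn
    [pscustomobject]@{
        OU          = $dn
        Purpose     = $ou.Description      # assumption: purpose is kept in Description
        Depth       = $depth
        TooDeep     = $depth -gt $MaxDepth
        DNLength    = $dn.Length           # compare against application DN length limits
        Delegations = $delegations -join '; '
    }
}

# Full inventory, deepest OUs first.
$report | Sort-Object Depth -Descending | Format-Table -AutoSize -Wrap

# OUs that exceed the recommended depth, and OUs with no documented purpose.
$report | Where-Object TooDeep | Select-Object OU, Depth
$report | Where-Object { -not $_.Purpose } | Select-Object OU
```

Comparing the Delegations column for an OU such as ResourceOU against the intended list of data administrators shows whether any other group has been granted control there.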