Creating and managing AD users and groups
After creating your forest/domain and your DCs, you can begin to manage the core objects in AD, namely, users, groups, computers, and organizational units. User and computer accounts identify a specific user or computer. Windows uses these objects to enable the computer and the user to log on securely using passwords held in the AD.
AD groups enable you to collect users and computers into a single (group) account that simplifies setting access controls on resources such as files or file shares. As you saw in Testing an AD installation, when you create a new forest, the AD promotion process creates many potentially useful groups.
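The user and group objects described above can be created with the cmdlets in the ActiveDirectory module. The following is an added example, not code from the original text; it assumes the module is installed and that you run it with rights to create objects in the domain, and the account name `jsmith` and group name `SalesTeam` are hypothetical values constructed for illustration.

```powershell
# Added example: requires the ActiveDirectory module and rights to create AD objects.
Import-Module -Name ActiveDirectory

# Hypothetical names, constructed for illustration.
$Sam       = 'jsmith'
$GroupName = 'SalesTeam'

# Prompt for the initial password so it never appears in the script or in history.
$Password = Read-Host -Prompt "Initial password for $Sam" -AsSecureString

# Create the user only if it does not already exist (safe to re-run).
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
    $UserHT = @{
        Name                  = 'Jane Smith'
        SamAccountName        = $Sam
        AccountPassword       = $Password
        Enabled               = $true
        ChangePasswordAtLogon = $true   # user must replace the initial password
    }
    New-ADUser @UserHT
}

# Create a global security group to use when setting access controls.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'")) {
    $GroupHT = @{
        Name           = $GroupName
        SamAccountName = $GroupName
        GroupScope     = 'Global'
        GroupCategory  = 'Security'
        Description    = 'Members receive access to Sales resources'
    }
    New-ADGroup @GroupHT
}

# Add the user to the group unless it is already a member.
$Members = Get-ADGroupMember -Identity $GroupName
if ($Members.SamAccountName -notcontains $Sam) {
    Add-ADGroupMember -Identity $GroupName -Members $Sam
}

# Confirm the result: list the group's members.
Get-ADGroupMember -Identity $GroupName |
    Select-Object -Property Name, SamAccountName, objectClass
```

Granting the group, rather than the individual user, access to a file share means later access changes are made by editing group membership only.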
Organizational units (OUs) enable you to partition users, computers, and groups into separate containers. OUs play essential roles in your AD. The first is role delegation: you can delegate the management of any OU (and its child OUs) to different groups. For example, you could create...