Can a user be a member of multiple Organization Units (OU) in Active Directory?

Can a user be a member of multiple Organization Units (OU) in Active Directory? Also, is there a standard format mentioned by Microsoft on how an OU should be created and what its attributes are?

I found this on Wikipedia:

However, Organizational Units are just an abstraction for the administrator, and do not function as true containers; the underlying domain operates as if objects were all created in a simple flat-file structure, without any OUs. It is not possible for example to create two user accounts with an identical username in two separate OUs, such as "fred.staff-ou.domain" and "fred.student-ou.domain".


Can a user be a member of multiple Organization Units (OU) in Active Directory?

No.


No.

As you mention yourself:

However, Organizational Units are just an abstraction for the administrator, and do not function as true containers; the underlying domain operates as if objects were all created in a simple flat-file structure, without any OUs.

You can copy a file to another location in your file structure; however, you can have a given user only once in the directory forest. Therefore you can't add it to multiple OUs.

And in my opinion there is no use in adding a user to multiple OUs, since they don't serve as real AD groups. If you really want some hierarchy then you should build a hierarchy of OUs.


An object can and always does exist in only ONE location in the Active Directory.

By that assertion, NO, a user cannot exist in two different OUs in an Active Directory domain at the same time. A user can be moved from one OU to another, but at any one point in time, it only resides in ONE location.

So, NO, a user cannot be a member of two OUs in Active Directory.

A user can belong to two groups, and the groups can be in two different OUs, but its membership in the groups does not make it reside in two different OUs. Group memberships are represented by links.


Yes.

If you make your user a member of 2 different groups, and you put those two groups into two different Organisational Units, the user is in two different Organisational Units. But there's no point in doing that because it'll be a mess with policies, permissions etc.


So in AD terms, a user account has a single-value attribute in the OU, and a multi-value attribute in groups. It is handy for us to extend the metaphor of folders and so forth, but not at the expense of understanding the structure.
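
The single-valued location versus multi-valued group membership distinction from the answers above, as an added example that is not part of the original thread. The entry is constructed sample data, the function names are hypothetical, and the DN splitter assumes backslash escaping only (no quoted RDN values).

```python
# Constructed sample entry: real AD attribute names, made-up values.
USER = {
    "distinguishedName": r"CN=Smith\, Fred,OU=Staff,OU=People,DC=example,DC=com",
    "memberOf": [
        "CN=Payroll,OU=Finance Groups,DC=example,DC=com",
        "CN=Lab Access,OU=Student Groups,DC=example,DC=com",
    ],
}


def split_dn(dn):
    """Split a DN into RDNs, honouring backslash escapes such as '\\,'."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escaped pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def parent_container(dn):
    """Everything after the first RDN: the one place the object lives."""
    return ",".join(split_dn(dn)[1:])


def placement(entry):
    """Return the user's single container and the containers of its groups."""
    return {
        "container": parent_container(entry["distinguishedName"]),
        "group_containers": sorted(
            {parent_container(g) for g in entry["memberOf"]}
        ),
    }


if __name__ == "__main__":
    result = placement(USER)
    print("User lives in:", result["container"])
    for c in result["group_containers"]:
        print("Has a group located in:", c)
```

The user's own distinguishedName yields exactly one container, while the containers of its groups are a separate set derived from memberOf and never change where the user object resides.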
