Windows Server for Qlik Sense Admins

01. What are Organizational Units Used For?

Organizational Units are used to help with organizing users, groups, service accounts, and other resources within a domain. OUs are also used to apply rules or policies to members of organizational units. These "rules/policies" are called Group Policy Objects (GPOs).

02. Organization Units and Qlik Sense

When it comes to Qlik Sense, we will see OUs when creating LDAP filters to import users into Qlik Sense. Being familiar with OUs will give you context for how to write and read LDAP filters and where in a domain a Qlik Sense server will be pulling its users from.

03. Organizational Units vs. Security Groups

Users and computers can be grouped into both Organizational Units (OUs) and Security Groups. OUs and security groups, however, serve different purposes.

Security Groups

Security groups largely deal with giving users access to things. We will be using security groups to give users access to streams and shared folders. We will be using security groups for license allocation. Security groups will also be used for setting various section access permissions within Qlik Sense apps.

Organizational Units (OUs)

Organizational Units, however, are used more for organizing resources within an organization and applying GPOs to members of organizational units.

Key thing to know about GPOs and OUs is that GPOs can only be applied to OUs. A GPO cannot be applied to a security group.

For example, there is no way to create a security group, place all of the admin accounts in that group, and apply admin account password requirement policy to the security group.

Membership Restrictions

Another important thing to know is that a user can be part of only one organizational unit. This restriction doesn't exist for security groups.

Think of an OU as a container for user accounts and security groups as labels. A user account can be placed only in a single container (OU), but it can have many labels (security groups) assigned to it.

This can help you troubleshoot access issues in Qlik Sense later on. You may come across a scenario where a user gets deactivated in Qlik Sense because they were moved to a new organizational unit. This can happen both in a lab and in production environment.

If system admins decide to restructure their OUs, a bunch of users may become deactivated in Qlik Sense when they are moved to new OUs. Users may remain in the same security groups, but if OUs are changed, the LDAP filter that is used to import users to Qlik Sense will lose sight of these users and will deactivate them as a result.

04. Will a Qlik Sense Admin Need to Create OUs?

Short answer is no. Creating and managing OUs as well as creating and managing users and security groups is one of those tasks that I will show you how to do to give you a behind-the-scenes, high-level look at what other teams do.

As a Qlik Sense admin, you likely will never need to create OUs in a corporate domain. The only real scenario where you might be creating OUs is when building a Qlik Sense lab environment to test Qlik Sense servers in. Otherwise, this is something that is handled by system or domain admins.