Organizational Units are containers. Groups are not. A user or computer account in AD can only be in one OU but it can be a member of many groups.
But more importantly, the purposes of OUs and groups are very different. Primarily, groups are for giving an account access to resources, and OUs are for managing objects within AD in terms of policy and privileged access.
OUs are a simple tree hierarchy, much like folders in a file system, while groups are leaf objects. Groups, however, do support nesting, which, when used correctly, can allow you to do powerful things like role-based access control, but I frequently see careless group nesting creating nearly invisible vulnerabilities with privileged access. Such nesting could also be an action made by a user who explicitly wants to control your Active Directory.
Once a user is given access, they can perform any action on your Active Directory, because the native tool does not wait for someone to review or approve the action, and such activity may not happen within a day.
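To make the nesting risk concrete, the following added example (not part of the original page) resolves the effective membership of a privileged group and reports the chain of groups through which each account inherits it. The group names, accounts and membership data are constructed for illustration, and the code assumes every group appears as a key in the mapping.

```python
from collections import deque

# Constructed sample data (not from a real directory): group -> direct members.
# All names are hypothetical; in practice this mapping is exported from AD.
DIRECT_MEMBERS = {
    "Domain Admins": ["alice", "Server-Ops"],
    "Server-Ops": ["bob", "Helpdesk-Tier2"],
    "Helpdesk-Tier2": ["carol", "Printer-Admins"],
    "Printer-Admins": ["dave", "Server-Ops"],  # nesting loop back to Server-Ops
    "Finance-Users": ["erin"],
}


def effective_members(group, direct_members):
    """Map each account that is a direct or nested member of `group`
    to the shortest chain of groups that grants the membership."""
    paths = {}
    seen = {group}
    queue = deque([[group]])
    while queue:
        chain = queue.popleft()
        for member in direct_members.get(chain[-1], []):
            if member in direct_members:  # the member is itself a group
                if member not in seen:    # guard against nesting loops
                    seen.add(member)
                    queue.append(chain + [member])
            else:
                # Breadth-first order means the first chain found is the shortest.
                paths.setdefault(member, chain)
    return paths


def hidden_members(group, direct_members):
    """Accounts that hold membership only through nesting, which a look
    at the group's direct member list would not show."""
    resolved = effective_members(group, direct_members)
    return {acct: chain for acct, chain in resolved.items() if len(chain) > 1}


if __name__ == "__main__":
    hidden = hidden_members("Domain Admins", DIRECT_MEMBERS)
    for account, chain in sorted(hidden.items()):
        print(f"{account}: {' -> '.join(chain)}")
```

Comparing the output of `hidden_members` between two exports taken at different times shows which accounts gained privileged access through a nesting change rather than a direct membership change.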
UEBA is specifically focused on a user-centric view of system activity with the goal of detecting when a user’s behavior departs from their norm. UEBA is enhanced by leveraging data collected and enriched by a SIEM, and SIEM capabilities are expanded by ingesting UEBA events for further correlation.
In this webinar, Andy, our product expert, will help you thoroughly understand why UEBA is essential for tracking your Active Directory changes.