organizational unit ou active directory

Active Directory Organizational Unit (OU)


Organizational Unit (OU) is a container in Active Directory domain that can contain different objects from the same AD domain: other containers, groups, user and computer accounts. Active Directory OU is a simple administrative unit within a domain on which an administrator can link Group Policy objects and assign permissions to another user.

Thus, we can distinguish two main tasks when using OU, except for storing objects in Active Directory:

  • Delegation of management and administrative tasks within the domain to other administrators and users without granting them the domain administrator permissions;
  • Linking Group Policies (GPO) to all objects (users and computers) in this OU.

How to Create an Active Directory Organizational Unit Using the ADUC?

To create an Active Directory Organizational Unit, your account must have Domain Admins rights, or it must be delegated the permissions to create a new OU (in the entire domain or in a specific container).

Open the Active Directory Users and Computers snap-in and select the domain container in which you want to create a new OU (we will create a new OU in the root of the domain).

active directory organizational unit

Right click on domain name and select New > Organizational Unit.

active directory ou

Specify the name of the OU to be created.

By default, any created Organizational Unit is protected from accidental deletion. If you open the properties of the created OU, you will see that the option Protect object from accidental deletion is enabled on the Object tab. To delete this OU, you need to clear this checkbox. When you delete OU, you delete all other objects that it contains.

Active Directory OU Structure

In small Active Directory infrastructure (20-50 users) it is not necessary to create new OUs, you can add all objects to the default root containers (Users and Computers). In a large infrastructure it is desirable to divide all objects into different containers. Basically, the hierarchical design of the Organizational Unit in Active Directory is used, either geographically or functionally.

For example, your organization has branches worldwide in different countries and cities. It would be logical to create separate containers for each country at the top level of the domain, and also create separate containers inside the country for the city and/or state. Inside the latter, you can create separate containers for administrators, groups, computers, servers and users (see screenshot).

active directory ou structure

If necessary, you can add additional levels of the hierarchy (buildings, departments, etc.). With this hierarchy, you can flexibly delegate AD permissions and assign GPOs.

How to Create an Active Directory OU Using PowerShell

Previously, to create an AD OU, you could use the console utility dsadd. For example, to create an OU in a domain, you can run this command:

dsadd ou “ou=IT,dc=theitbros,dc=com”

In Windows Server 2008 R2 and newer OS a separate module for interact with AD appeared: Active Directory module for Windows PowerShell (is a part of RSAT). You can use the New-ADOrganizationalUnit cmdlet to create an Organizational Unit. For example, create a new OU named Canada in the root of the domain:

New-ADOrganizationalUnit -Name "Canada"

To create a new OU in an existing container, run the following command:

New-ADOrganizationalUnit -Name Toronto -Path "OU=Canada,DC=theitbros,DC=com" -Description "Toronto city" –PassThru

active directory ou powershell

How to Delegate Active Directory Permissions to the Organizational Units?

When delegating Active Directory permissions to OU to other users, it is desirable to grant permissions not directly to user accounts, but to administrative groups. Thus, in order to grant OU permissions to a new user, it is enough to add it to the security group.

To delegate, right-click on the OU and select Delegate Control.

ad ou delegate

In the Delegate Management Wizard, select the group of users which you want to grant access to.

ad organizational unit

Then, select the administrative tasks that you want to delegate.

active directory organizational unit ou

You may also like:

Installing Active Directory Users and Computers MM... One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). The ADUC snap-in is used to p...
Change Default OU permissions in Active Directory By default, each newly created organizational unit (OU) in the access list includes read permission for the group Authenticated Users (built-in group)...
How to transfer FSMO Roles From a Failed Domain Co... In case domain controller, which owns FSMO (Flexible Single Master Operation) roles, is fail (virus attack, fatal software problems or catastrophic ha...
FSMO Role: Infrastructure Master We continue the series of articles about FSMO roles in the Active Directory domain. This time, we will take a closer look at the FSMO role — Infrastru...
How to hide specific OU in Active Directory The first thing you see while opening Active Directory Users and Computers (ADUC) snap-in is AD containers (Organization Unit, OU), in which user acco...

Add Your Comment