Active Directory Organizational Unit (OU)

Organizational Unit (OU) is a container in the Active Directory domain that can contain different objects from the same AD domain: other containers, groups, user and computer accounts. An Active Directory OU is a simple administrative unit within a domain on which an administrator can link Group Policy objects and assign permissions to other users/groups.

There are two main tasks when using OU, besides storing Active Directory objects:

  • Delegation of management and administrative tasks within the domain to other administrators and users without granting them the domain administrator privileges;
  • Linking Group Policies (GPO) to all objects (users and computers) in this OU.

How to Create an Active Directory Organizational Unit Using the ADUC?

To create a new Organizational Unit in Active Directory, your account must have Domain Administrator permissions, or the permissions to create a new OU should be delegated (in the entire domain or in a specific container).

Open the Active Directory Users and Computers mmc snap-in (Win + R > dsa.msc) and select the domain container in which you want to create a new OU (we will create a new OU in the root of the domain).

active directory ou

Right click on domain name and select New > Organizational Unit.

ad ou

Specify the name of the OU to create.

Note that by default, when installing Active Directory, the domain contains several built-in containers and OUs:

  • Builtin — this container contains administrative and domain local security groups;
  • Computers — in this container, by default, computer accounts are created through Computer Properties dialog after joining to the domain. Note. You can change the container in which computer accounts are created by default with the command:
    redircmp "OU=Computers, OU=HQ,OU=USA,DC=THEITBROS,DC=COM"
  • Users — default container for new users and groups. Also, there are several predefined user accounts and groups (besides those in the Built-in container) in this container. This includes security groups for domain and forest management tasks. You can also change the default OU for users and groups with the command:
    redirusr "OU=Users,OU=HQ,OU=USA,DC=THEITBROS,DC=COM"
  • Domain Controllers — this is the OU, which contains all the domain controllers. When a server is promoted to a domain controller, its account is placed in this OU. The Default Domain Controller Policy is linked to this OU.
READ ALSO  Migrating SYSVOL AD Replication from FRS to DFS

By default, any created Organizational Unit is protected from accidental deletion. If you open the properties of the created OU, you will see the option Protect object from accidental deletion is enabled on the Object tab. To delete this OU, you need to clear this checkbox. When you delete OU, you delete all other (nested) objects that it contains.

ou active directory

Note. You can specifically hide AD OU from users using.

Active Directory OU Structure

In small Active Directory infrastructure (20-50 users) it is not necessary to create a complex OU structure. You can add all objects to the default root containers (Users and Computers). In a large infrastructure, it is desirable to divide all objects into different containers. Basically, the hierarchical design of the Organizational Unit in Active Directory is used, either geographically, functionally, or organizational.

For example, your organization has branches worldwide in different countries and cities. It would be logical to create separate containers for each country at the top level of the domain, and also create separate containers inside the country for the city and/or state. Within each location, you can create separate OUs for administrators, groups, computers, servers, and users (see the screenshot below).

ou ad

If necessary, you can add additional levels of the hierarchy (buildings, departments, etc.). In such an Active Directory hierarchy, you can flexibly delegate AD permissions and link GPOs.

READ ALSO  Performing Active Directory Metadata Cleanup

How to Create an Active Directory OU Using PowerShell?

Previously, to create an AD OU, you could use the console utility dsadd. For example, to create an OU in a domain, you can run this command:

dsadd ou “ou=IT,dc=theitbros,dc=com”

In Windows Server 2008 R2 and newer OS a separate module for interact with AD appeared: Active Directory module for Windows PowerShell (is a part of RSAT). You can use the New-ADOrganizationalUnit cmdlet to create an Organizational Unit. For example, create a new OU named Canada in the root of the domain:

New-ADOrganizationalUnit -Name "Canada"

To create a new OU in an existing container, run the following command:

New-ADOrganizationalUnit -Name Toronto -Path "OU=Canada,DC=theitbros,DC=com" -Description "Toronto city" –PassThru

active directory organizational unit

Managing Active Directory OU with PowerShell

You can rename an existing OU using the Rename-ADObject. You should specify the OU’s distinguished name (DN) or GUID as the -Identity parameter. For example, to rename the “HQ” OU to ”NewYork”:

Rename-ADObject -Identity "OU=HQ,DC=THEITBROS,DC=COM" -NewName NewYork

To remove the OU from the Active Directory the Remove-ADOrganizationalUnit cmdlet is used. You can remove an OU “NewYork” as follows:

Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Remove-ADOrganizationalUnit

If you receive an error “Remove-ADOrganizationalUnit : Access is denied”, make sure the Protect object from accidental deletion option is not enabled. You can disable the ProtectedFromAccidentalDeletion using PowerShell:

Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $False

active directory ou structure

If the OU contains objects, an error will appear on deletion. To remove the OU and all child objects, use the –Recursive option:

Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Remove-ADOrganizationalUnit–Recursive

To move the OU, use the Move-ADObject cmdlet (the ProtectedFromAccidentalDeletion option should not be enabled on the original OU):

Move-ADObject -Identity "OU=Services,OU=NewYork,DC=THEITBROS,DC=Com" -TargetPath "OU=IT,OU=Enterprise,DC=THEITBROS,DC=Com"

The Move-ADObject can be also used to move other AD objects (users, computers, groups) between OUs. For example, you can move the computer to the new OU:

Move-ADObject –Identity “CN=pc-b11-23,OU=Computers,OU=NewYork,OU=USA,DC=theitbros,DC=com” -TargetPath "OU=Computers,OU=LA,OU=USA,DC=theitbros,DC=com"

To transfer several computers, which names are specified in the txt file, you can use the following PowerShell script:

$computers = Get-Content C:\PS\MoveComputerList.txt

$TargetOU = "OU=Computers,OU=LA,OU=USA,DC=theitbros,DC=com"

ForEach($computer in $computers){

Get-ADComputer $computer | Move-ADObject -TargetPath $TargetOU

}

How to Delegate Active Directory Permissions to the Organizational Units?

When delegating Active Directory permissions to OU to other users, it is desirable to grant permissions not directly to user accounts, but to security groups. Thus, in order to grant OU permissions to a new user, it is enough to add it to the security group.

READ ALSO  How to Check Active Directory Group Membership?

To delegate the permissions, right-click on the OU, and select Delegate Control.

active directory ou structure example

In the Delegate Management Wizard, select the group of users which you want to grant access to.

organizational unit active directory

Then, select the administrative tasks you want to delegate.

ou in active directory

Cyril Kardashevsky

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.