Active Directory Organizational Unit (OU): Ultimate Guide

An Organizational Unit (OU) is a container in the Active Directory domain that can contain different objects from the same AD domain: other containers, groups, users, and computer accounts. An Active Directory OU is a simple administrative unit within a domain on which an administrator can link Group Policy objects and assign permissions to other users/groups.

There are two main tasks when using OU, besides storing Active Directory objects:

  • Delegation of management and administrative tasks within the domain to other administrators and users without granting them the domain administrator privileges;
  • Linking Group Policies (GPO) to all objects (users and computers) in this OU.

How to Create an Organizational Unit in Active Directory Using the ADUC?

To create a new Organizational Unit in Active Directory, your account must have Domain Administrator permissions, or the permissions to create a new OU should be delegated (in the entire domain or in a specific container).

Open the Active Directory Users and Computers mmc snap-in (Win + R > dsa.msc) and select the domain container in which you want to create a new OU (we will create a new OU in the root of the domain).

ADVERTISEMENT

active directory ou

Right-click on the domain name and select New > Organizational Unit.

ad ou

Specify the name of the OU to create.

You can also use the Directory Administrative Center (dsac.exe) to create new OUs:

  1. Switch to tree view and expand the domain or container where you want to create a new OU;
  2. Right-click on the OU or domain, select New > Organizational Unit;
    ou active directory
  3. Specify the name of the OU. Additionally, you can specify a Description, assign a manager;
    ou in active directory
  4. Click OK, return to the Active Directory Administrative Center console and check if the new OU is now listed and is available for use.

Note that by default, when installing Active Directory, the domain contains several built-in containers and OUs:

  • Builtin — this container contains administrative and domain local security groups;
  • Computers — this container is where computer accounts are created by default when you join the device to an AD domain.

Note. You can change the default container for new computer accounts with the command:
redircmp “OU=Computers, OU=HQ,OU=USA,DC=THEITBROS,DC=COM”

  • Users — default container for new users and groups with several predefined user accounts and groups. You can also change the default OU for users and groups with the command:
    redirusr “OU=Users,OU=HQ,OU=USA,DC=THEITBROS,DC=COM”
  • Domain Controllers — this is the OU, which contains all the domain controllers. When a server is promoted to a domain controller, its account is placed in this OU. The Default Domain Controller Policy is linked to this OU.

By default, any created Organizational Unit is protected from accidental deletion. If you open the properties of the new OU, you will see the option Protect object from accidental deletion enabled on the Object tab. To delete this OU, you need to clear this checkbox.

ou ad

Right-click on the OU and select Delete.

If the OU you want to delete contains other objects, you will be prompted:

Confirm Subtree Deletion

Object Alaska contains other objects. Are you sure you want to delete object Alaska and all of the objects it contains?

ou in ad

ADVERTISEMENT

If you enable the Use Delete Subtree server control checkbox and confirm the removal, all nested objects in the subtree will be deleted, even if they are protected from deletion.

Hint. If you have enabled the Recycle Bin in your Active Directory domain, you can recover some deleted items. The link provides an example of how to restore a deleted user account in AD.

If you don’t uncheck this box, an error will occur when you try to delete such a protected OU from Active Directory:

You do not have sufficient privileges to delete OU, or this object is protected from accidental deletion.

You can hide some containers and Organizational Units from users in the Active Directory Users and Computers console.

    1. Open the properties of the OU in the ADUC snap-in;
    2. Go to the Attribute Editor tab;
    3. Change the value of showInAdvancedViewOnly to True; create ou in active directory
    4. Refresh the contents of the console (press F5). Now your OU is hidden from users. how to create ou in active directory
    5. Hidden OUs are only displayed in Advanced mode of the ADUC console. You can enable this mode through the menu View > Advanced Feature.
      domain ou

Active Directory OU Structure

In a small Active Directory infrastructure (20-50 users) it is not necessary to create a complex OU structure. You can add all objects to the default root containers (Users and Computers). In a large infrastructure, it is desirable to divide all objects into different containers. Basically, the hierarchical design of the Organizational Unit in Active Directory is used, either geographically, functionally, or organizationally.

For example, your organization has branches worldwide in different countries and cities. It would be logical to create separate containers for each country at the top level of the domain, and also create separate containers inside the country for the city and/or state. Within each location, you can create separate OUs for administrators, groups, computers, servers, and users (see the screenshot below).

active directory organizational unit

If necessary, you can add additional levels of the hierarchy (buildings, departments, etc.). In such an Active Directory hierarchy, you can flexibly delegate AD permissions and link GPOs.

ADVERTISEMENT

How to Create an Active Directory OU Using PowerShell?

Previously, to create an AD OU, you could use the console utility dsadd. For example, to create an OU in a domain, you can run this command:

dsadd ou “ou=IT,dc=theitbros,dc=com”

In Windows Server 2008 R2 and newer OS, a separate module for interacting with AD appeared: Active Directory module for Windows PowerShell (it is a part of RSAT). You can use the New-ADOrganizationalUnit cmdlet to create an Organizational Unit. For example, create a new OU named Canada in the root of the domain:

New-ADOrganizationalUnit -Name "Canada"

To create a new OU in an existing container, run the following command:

New-ADOrganizationalUnit -Name Toronto -Path "OU=Canada,DC=theitbros,DC=com" -Description "Toronto city" –PassThru

active directory ou structure example

If you need to create a specific OU structure, you can create it one at a time, but it’s much easier to use PowerShell.

Create a plain CSV file listing the OU names you want to create:

ou path

In order to create an OU structure according to this file, use the following PowerShell script:

ADVERTISEMENT
$targetOU=”OU=Nevada,OU=USA,DC=theitbros,DC=loc”

$OUs = Import-csv "C:\PS\new_ou.csv"

foreach ($ou in $OUs)

{

write-host $ou.name

New-ADOrganizationalUnit -Name $ou.name -path $targetOU

}

Run the script and check if your OU structure has been created in the specified AD container.

active directory ou structure

Managing Active Directory OU with PowerShell

You can use PowerShell to manage OUs in Active Directory and perform administrative tasks. The following cmdlets are available for you:

  • Get-ADOrganizationalUnit
  • New-ADOrganizationalUnit
  • Remove-ADOrganizationalUnit
  • Set-ADOrganizationalUnit

You can list all OUs in your domain with the command:

Get-ADOrganizationalUnit -Properties CanonicalName -Filter * | Format-Table CanonicalName, DistinguishedName

You can display the number of users or computers in each Active Directory OU:

Get-ADOrganizationalUnit -Properties CanonicalName -Filter * |

Sort-Object CanonicalName |

ForEach-Object {

[pscustomobject]@{

OUName = Split-Path $_.CanonicalName -Leaf

CN = $_.CanonicalName

UserCount = @(Get-AdUser -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count

}

}

create ou

You can rename an existing OU using the Rename-ADObject. You should specify the OU’s distinguished name (DN) or GUID as the -Identity parameter. For example, to rename the “HQ” OU to ”NewYork”:

Rename-ADObject -Identity "OU=HQ,DC=THEITBROS,DC=COM" -NewName NewYork

You can use the Set-ADOrganizationalUnit cmdlet to change the OU settings. In the following example, we will change the description and manager of the OU:

Set-ADOrganizationalUnit -Identity "OU=Test,OU=Nevada,OU=USA,DC=theitbros,DC=loc" -ManagedBy "CN=Alex Weber,CN=Users,DC=theitbros,DC=loc" –Description "Test OU for Alex Weber "

The Remove-ADOrganizationalUnit cmdlet is used to delete the OU from Active Directory. You can remove an OU “NewYork” as follows:

Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Remove-ADOrganizationalUnit

Hint. Also, you can remove OU using the dsrm.exe tool:

dsrm.exe "OU=TestOU,DC=theitbros,DC=com" -subtree

If you receive an error “Remove-ADOrganizationalUnit : Access is denied”, make sure the Protect object from accidental deletion option is not enabled. You can disable the ProtectedFromAccidentalDeletion using PowerShell:

Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $False

ad ou structure

If the OU contains objects, an error will appear on deletion. To remove the OU and all child objects, use the -Recursive option:

Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Remove-ADOrganizationalUnit –Recursive

To find all unprotected Organizational Units for which the ProtectedFromAccidentalDeletion option is disabled:

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | FT Name,DistinguishedName,ProtectedFromAccidentalDeletion

To enable the delete protection option for all OUs in an Active Directory domain:

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

To move the OU, use the Move-ADObject cmdlet (the ProtectedFromAccidentalDeletion option should not be enabled on the source OU):

Move-ADObject -Identity "OU=Services,OU=NewYork,DC=THEITBROS,DC=Com" -TargetPath "OU=IT,OU=Enterprise,DC=THEITBROS,DC=Com"

The Move-ADObject can be also used to move other AD objects (users, computers, groups) between OUs. For example, you can move the computer to the new OU:

Move-ADObject –Identity “CN=pc-b11-23,OU=Computers,OU=NewYork,OU=USA,DC=theitbros,DC=com” -TargetPath "OU=Computers,OU=LA,OU=USA,DC=theitbros,DC=com"

You can use the following PowerShell script to change the OU for multiple computers whose names are specified in the plain .txt file:

$computers = Get-Content C:\PS\MoveComputerList.txt

$TargetOU = "OU=Computers,OU=LA,OU=USA,DC=theitbros,DC=com"

ForEach($computer in $computers){

Get-ADComputer $computer | Move-ADObject -TargetPath $TargetOU

}

The following PowerShell script allows you to count the number of enabled users in each OU of your domain.

Get-ADOrganizationalUnit -Properties CanonicalName -Filter * | Sort-Object CanonicalName |

ForEach-Object {

[pscustomobject]@{

CanonicalName = $_.CanonicalName

UserCount = @(Get-AdUser -Filter 'enabled -eq $true' -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count

}

}

If you want to count the number of disabled AD users, replace the line with:

UserCount = @(Get-AdUser -Filter 'enabled -eq $false' -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count

You can use the cmdlets in the built-in GroupPolicy module to link a Group Policy Object to an OU or to unlink it:

Get-Command -Module GroupPolicy

Hint. To install the GroupPolicy module on Windows Server, run the command:

Install-WindowsFeature GPMC -IncludeManagementTools

To assign a GPO with the name gpoEnableWinRM to the target OU, run the command:

Get-GPO gpoEnableWinRM | New-GPLink -Target "OU=Computers,OU=NewYork,OU=US,DC=contoso,DC=com" -LinkEnabled Yes -Enforced Yes

active directory organizational unit example

To remove a GPO link from an OU:

Remove-GPLink -Name gpoEnableWinRM -Target "OU=Computers,OU=NewYork,OU=US,DC=contoso,DC=com"

How to Delegate Active Directory Permissions to the Organizational Units?

When delegating Active Directory permissions to OU to other users, it is desirable to grant permissions not directly to user accounts, but to security groups. Thus, in order to grant OU permissions to a new user, it is enough to add it to the security group.

To delegate the permissions, right-click on the OU, and select Delegate Control.

what is ou in active directory

In the Delegate Management Wizard, select the group of users to which you want to grant access.

active directory ou path

Then, select the administrative tasks you want to delegate.

ou domain

You can delegate common administrative tasks using the OU:

Today you have learned how to use the ADUC console and PowerShell to create an organizational unit (OU), to manage and delete protected OUs, and to delegate OU control to AD users.

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Latest posts by Cyril Kardashevsky (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.