An Organizational Unit (OU) is a special container in the Active Directory domain that can contain different AD objects: other containers, groups, users, and computer accounts. In this guide, we’ll look at what Organizational Units are used for in Active Directory and how to manage them using the GUI and PowerShell.
What is Organizational Unit (OU) in Active Directory?
OUs are used to organize AD objects into logical administrative containers. The filesystem equivalent of OUs is folders. AD objects are stored in the OUs as files within the folders.
OUs can be organized into a hierarchy. Typically, the structure and hierarchy of OUs reflects the functional (business structure) or physical divisions within an organization.
Organizational Units are used for:
- Logical structuring of AD objects;
- Allows you to delegate administrative permissions to specific OUs to non-admin users and groups without granting them the domain administrator privileges;
- Allows you to assign Group Policy Objects (GPOs) to users and computers in an OU.
In a small Active Directory infrastructure (20-50 users), there is no need to create a complex OU structure. You can add all objects to the default root containers (Users and Computers).
In large companies with branches in different locations, it is convenient to organize the AD hierarchy according to the geographical structure of the organization. For example, if your departments are located in different states and cities, you might organize the following OU structure to reflect the physical location of your organization’s offices.
You can add more hierarchy levels (buildings, departments, etc.) if required.
A well-organized, structured hierarchy of OUs can make managing AD objects much easier.
How to Create, Rename, Move, or Delete an Organizational Unit in Active Directory
The Active Directory Users and Computer (ADUC) graphical MMC snap-in is typically used to manage OUs in Active Directory. To open the ADUC console, press Win + R > dsa.msc.
The ADUC console displays the hierarchical structure of your Active Directory OUs. You can expand any OU and see all the objects it contains.
Several default containers and OUs are created when you deploy new Active Directory domain:
- Builtin — container contains administrative and domain local security groups;
- Computers — a default container for the computer object joined to the AD domain;
- Users — contains built-in AD groups and users;
- Domain Controllers — contains the AD domain controllers objects (DCs). When you promote the server to domain controller, its account is placed in this OU. The Default Domain Controller Policy is linked to this OU.
Create an Organizational Unit in Active Directory
To create a new Organizational Unit in Active Directory, right-click the parent object and select New > Organizational Unit.
Specify the name of the OU to be created. By default, the “Protect containers from accidental deletion” option is enabled for all new OUs (it is recommended that you leave this option enabled).
Once created, you can open the properties of the new OU and set the description, location and assign manager (the user or group of users who are responsible for this OU).
In the same way, you can use the Active Directory Administrative Center console (dsac.exe) to create and manage OUs.
How to Rename and Move Organizational Unit in AD
You can rename any OU from the ADUC console. Right-click on the Organizational Unit name and select Rename. Enter a new OU name.
Note. Assigned GPOs and permissions are not affected by renaming an OU.
You can move OUs around the Active Directory structure. To do this, use the Move item on the context menu or drag and drop the OU to a new location.
When you move an OU, all the objects it contains are moved with it. Confirm the move.
Delete an Organizational OU in Active Directory
By default, each created Organizational Unit is protected from accidental deletion. If you open the properties of the OU, you will see that the option Protect object from accidental deletion enabled on the Object tab. To delete this OU, you need to clear this checkbox.
Now you can right-click on the OU and select Delete.
You will be prompted if the OU to be deleted contains other objects:
Confirm Subtree Deletion
Object Alaska contains other objects. Are you sure you want to delete object Alaska and all of the objects it contains?
If you enable the Use Delete Subtree server control checkbox, confirm the removal, all nested objects in the subtree will be deleted, except for those that are protected from deletion.
Hint. You can recover some deleted items if the AD Recycle Bin is in your domain. The link provides an example of how to restore a deleted AD user.
If you don’t uncheck this box, an error will occur when you try to delete protected OU from Active Directory:
You do not have sufficient privileges to delete OU, or this object is protected from accidental deletion.
How to Hide Specific OU in Active Directory Users and Computers Snap-In
You can hide OU from users in the Active Directory Users and Computers console.
-
- Open the properties of the OU in the ADUC snap-in;
- Go to the AD attribute Editor tab;
- Change the value of showInAdvancedViewOnly to True;
- Refresh the console (press F5). Now your OU is hidden from users.
- Hidden OUs are only displayed in Advanced mode of the ADUC console. You can enable this mode through the menu View > Advanced Feature.
How to Create an Active Directory OU using PowerShell
You can use the built PowerShell Active Directory module (it is a part of RSAT) to manage OUs. For example, use the New-ADO-OrganizationalUnit cmdlet to create a new OU named Canada in the root of the domain:
New-ADOrganizationalUnit -Name "Canada"
To create a new OU in an existing container, specify its Distinguished Name (DN) in the -Path parameter:
New-ADOrganizationalUnit -Name Toronto -Path "OU=Canada,DC=theitbros,DC=com" -Description "Toronto city" –PassThru
If you need to create a specific OU structure, you can create it one at a time, but it’s much easier to use PowerShell.
Create a CSV file containing the OU names you want to create:
In order to create an OU structure according to this file, use the following PowerShell script:
$targetOU=”OU=Nevada,OU=USA,DC=theitbros,DC=loc”
$OUs = Import-csv "C:\PS\new_ou.csv"
foreach ($ou in $OUs)
{
write-host $ou.name
New-ADOrganizationalUnit -Name $ou.name -path $targetOU
}
Managing Active Directory OUs with PowerShell
You can use PowerShell to manage OUs in Active Directory and perform administrative tasks. The following cmdlets are available for you:
- Get-ADOrganizationalUnit
- New-ADOrganizationalUnit
- Remove-ADOrganizationalUnit
- Set-ADOrganizationalUnit
List OUs in your domain:
Get-ADOrganizationalUnit -Properties CanonicalName -Filter * | Format-Table CanonicalName, DistinguishedName
Show the number of users objects in each Active Directory OU:
Get-ADOrganizationalUnit -Properties CanonicalName -Filter * |
Sort-Object CanonicalName |
ForEach-Object {
[pscustomobject]@{
OUName = Split-Path $_.CanonicalName -Leaf
CN = $_.CanonicalName
UserCount = @(Get-AdUser -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count
}
}
You can rename an existing OU using the Rename-ADObject. You should specify the OU’s distinguished name (DN) or GUID as the -Identity parameter. For example, to rename the “HQ” OU to ”NewYork”:
Rename-ADObject -Identity "OU=HQ,DC=THEITBROS,DC=COM" -NewName NewYork
You can use the Set-ADOrganizationalUnit cmdlet to change the OU settings. In this example, we will change the description and manager of the OU:
Set-ADOrganizationalUnit -Identity "OU=Test,OU=Nevada,OU=USA,DC=theitbros,DC=loc" -ManagedBy "CN=Alex Weber,CN=Users,DC=theitbros,DC=loc" –Description "Test OU for Alex Weber "
The Remove-ADOrganizationalUnit cmdlet is used to delete the OU from Active Directory:
Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Remove-ADOrganizationalUnit
If you receive an error “Remove-ADOrganizationalUnit : Access is denied”, make sure the Protect object from accidental deletion option is not enabled. You can disable the ProtectedFromAccidentalDeletion option using PowerShell:
Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $False
Remove the OU and all child objects, use the -Recursive option:
Get-ADOrganizationalUnit -filter "Name -eq 'NewYork'"| Remove-ADOrganizationalUnit –Recursive
Use the Move-ADObject cmdlet to move the OU (the ProtectedFromAccidentalDeletion option should not be enabled on the source OU):
Move-ADObject -Identity "OU=Services,OU=NewYork,DC=THEITBROS,DC=Com" -TargetPath "OU=IT,OU=Enterprise,DC=THEITBROS,DC=Com"
Note. The Move-ADObject can also be used to move other AD objects (users, computers, groups) between OUs.
You can use the cmdlets in the built-in GroupPolicy module to link or unlink a Group Policy Object with an OU. To assign a GPO with the name gpoEnableWinRM to the target OU, run the command:
Get-GPO gpoEnableWinRM | New-GPLink -Target "OU=Computers,OU=NewYork,OU=US,DC=contoso,DC=com" -LinkEnabled Yes -Enforced Yes
To remove a GPO link from an OU:
Remove-GPLink -Name gpoEnableWinRM -Target "OU=Computers,OU=NewYork,OU=US,DC=contoso,DC=com"
How to Delegate Active Directory Permissions to Organizational Units
When delegating OU administrative permissions to other users, it is desirable to grant permissions to Active Directory security groups rather than directly to user accounts. This allows you to grant OU permissions to a new user by simply adding them to the security group.
To delegate the permissions, right-click on the OU, and select Delegate Control.
In the Delegate Management Wizard, select the group of users to which you want to grant access to.
Then, select the administrative tasks you want to delegate.
You can delegate common administrative tasks for the OU:
- AD user management (create, edit, delete, etc.);
- AD Group management (creating, deleting groups, modifying AD group membership);
- Manage GPOs links;
- Change user password in Active Directory.
Today you have learned how to use the ADUC console and PowerShell to create an organizational unit (OU), to manage and delete protected OUs, and to delegate OU control to AD users.
