An Organizational Unit (OU) is a container in an Active Directory domain that can hold different objects from the same AD domain: other containers, groups, user and computer accounts. An Active Directory OU is a simple administrative unit within a domain to which an administrator can link Group Policy objects and on which permissions can be assigned to other users/groups.

There are two main tasks for which OUs are used, besides storing Active Directory objects:

  • Delegation of management and administrative tasks within the domain to other administrators and users without granting them domain administrator privileges;
  • Linking Group Policy Objects (GPOs) to all objects (users and computers) in the OU.

How to Create an Active Directory Organizational Unit Using the ADUC?

To create a new Organizational Unit in Active Directory, your account must have Domain Administrator permissions, or the permission to create a new OU must be delegated to it (in the entire domain or in a specific container).

Open the Active Directory Users and Computers MMC snap-in (Win + R > dsa.msc) and select the domain container in which you want to create the new OU (we will create a new OU in the root of the domain).


Right-click on the domain name and select New > Organizational Unit.


Specify the name of the OU to create.

You can also use the Active Directory Administrative Center (dsac.exe) to create new OUs:

  1. Switch to tree view and expand the domain or container where you want to create the new OU;
  2. Right-click on the OU or domain and select New > Organizational Unit;
  3. Specify the name of the OU. Optionally, you can also specify a Description and assign a manager;
  4. Click OK, return to the Active Directory Administrative Center console and check that the new OU is now listed and available for use.

Note that by default, when installing Active Directory, the domain contains several built-in containers and OUs:

  • Builtin — this container contains built-in administrative and domain local security groups;
  • Computers — by default, computer accounts are created in this container when a Windows computer is joined to the domain through the Computer Properties dialog.

    Note. You can change the container in which computer accounts are created by default with the command:
    redircmp "OU=Computers,OU=HQ,OU=USA,DC=THEITBROS,DC=COM"

  • Users — the default container for new users and groups. It also holds several predefined user accounts and groups (in addition to those in the Builtin container), including the security groups for domain and forest management tasks. You can also change the default container for users and groups with the command:
    redirusr "OU=Users,OU=HQ,OU=USA,DC=THEITBROS,DC=COM"
  • Domain Controllers — this is the OU that contains all the domain controllers. When a server is promoted to a domain controller, its account is placed in this OU. The Default Domain Controllers Policy is linked to this OU.

By default, any newly created Organizational Unit is protected from accidental deletion. If you open the properties of the created OU, you will see that the option Protect object from accidental deletion is enabled on the Object tab. To delete this OU, you need to clear this checkbox. When you delete an OU, you also delete all the (nested) objects it contains.


Note. You can also hide an AD OU from specific users.

Active Directory OU Structure

In a small Active Directory infrastructure (20-50 users) it is not necessary to create a complex OU structure. You can add all objects to the default root containers (Users and Computers). In a large infrastructure, it is desirable to divide the objects into different containers. Usually a hierarchical Organizational Unit design is used in Active Directory, organized either geographically, functionally, or by organizational structure.

For example, your organization has branches worldwide in different countries and cities. It would be logical to create separate containers for each country at the top level of the domain, and then create separate containers inside each country for the city and/or state. Within each location, you can create separate OUs for administrators, groups, computers, servers, and users (see the screenshot below).

[Screenshot: example geographic OU structure in AD]

If necessary, you can add additional levels to the hierarchy (buildings, departments, etc.). In such an Active Directory hierarchy, you can flexibly delegate AD permissions and link GPOs.

How to Create an Active Directory OU Using PowerShell?

Previously, to create an AD OU, you could use the dsadd console utility. For example, to create an OU in a domain, you can run this command:

dsadd ou "ou=IT,dc=theitbros,dc=com"

In Windows Server 2008 R2 and newer, a separate module for interacting with AD appeared: the Active Directory module for Windows PowerShell (it is a part of RSAT). You can use the New-ADOrganizationalUnit cmdlet to create an Organizational Unit. For example, to create a new OU named Canada in the root of the domain:

New-ADOrganizationalUnit -Name "Canada"

To create a new OU in an existing container, run the following command:

New-ADOrganizationalUnit -Name Toronto -Path "OU=Canada,DC=theitbros,DC=com" -Description "Toronto city" -PassThru


If you need to create a specific OU structure, you can create it one OU at a time, but it is much easier to use PowerShell.

Create a plain CSV file listing the OU names you want to create:

[Screenshot: new_ou.csv with a name column listing the OUs to create]

To create an OU structure according to this file, use the following PowerShell script:

$targetOU = "OU=Nevada,OU=USA,DC=theitbros,DC=loc"
$OUs = Import-Csv "C:\PS\new_ou.csv"
foreach ($ou in $OUs) {
    Write-Host $ou.name
    New-ADOrganizationalUnit -Name $ou.name -Path $targetOU
}

Run the script and check that your OU structure has been created in the specified AD container.
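The CSV script above creates a flat list of OUs under one parent. The following added example (not part of the original post) goes a step further and builds the geographic hierarchy from the OU Structure section (Country > City > role OUs) idempotently, so it can be re-run without "object already exists" errors. The domain is taken from Get-ADDomain; the country, city and role names are constructed samples.

```powershell
# Added example: build a nested Country > City > role OU hierarchy with the
# ActiveDirectory module, creating only the OUs that do not exist yet.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$roleOUs  = @('Admins', 'Groups', 'Computers', 'Servers', 'Users')

# Constructed layout: one entry per country, each listing its city OUs
$layout = @{
    'Canada' = @('Toronto', 'Vancouver')
    'USA'    = @('NewYork', 'LA')
}

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    # Querying by DN avoids the terminating error New-ADOrganizationalUnit throws on duplicates
    $existing = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'"
    if (-not $existing) {
        # New OUs are protected from accidental deletion by default; set it explicitly anyway
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
        Write-Host "Created $dn"
    }
    return $dn
}

foreach ($country in $layout.Keys) {
    $countryDN = New-OUIfMissing -Name $country -ParentDN $domainDN
    foreach ($city in $layout[$country]) {
        $cityDN = New-OUIfMissing -Name $city -ParentDN $countryDN
        foreach ($role in $roleOUs) {
            New-OUIfMissing -Name $role -ParentDN $cityDN | Out-Null
        }
    }
}

# Verify the result: list the whole OU tree in canonical (path-like) form
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN -Properties CanonicalName |
    Sort-Object CanonicalName | Select-Object CanonicalName
```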


Managing Active Directory OU with PowerShell

You can rename an existing OU using Rename-ADObject. You should specify the OU's distinguished name (DN) or GUID as the -Identity parameter. For example, to rename the "HQ" OU to "NewYork":

Rename-ADObject -Identity "OU=HQ,DC=THEITBROS,DC=COM" -NewName NewYork

You can use the Set-ADOrganizationalUnit cmdlet to change the OU settings. In the following example, we change the description and the manager of the OU:

Set-ADOrganizationalUnit -Identity "OU=Test,OU=Nevada,OU=USA,DC=theitbros,DC=loc" -ManagedBy "CN=Alex Weber,CN=Users,DC=theitbros,DC=loc" -Description "Test OU for Alex Weber"

To remove an OU from Active Directory, the Remove-ADOrganizationalUnit cmdlet is used. You can remove the OU "NewYork" as follows:

Get-ADOrganizationalUnit -Filter "Name -eq 'NewYork'" | Remove-ADOrganizationalUnit

Hint. You can also remove an OU using the dsrm.exe tool:

dsrm.exe "OU=TestOU,DC=theitbros,DC=com" -subtree

If you receive the error "Remove-ADOrganizationalUnit : Access is denied", make sure the Protect object from accidental deletion option is not enabled. You can disable ProtectedFromAccidentalDeletion using PowerShell:

Get-ADOrganizationalUnit -Filter "Name -eq 'NewYork'" | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false


If the OU contains objects, an error will appear on deletion. To remove the OU together with all its child objects, use the -Recursive option:

Get-ADOrganizationalUnit -Filter "Name -eq 'NewYork'" | Remove-ADOrganizationalUnit -Recursive

To find all unprotected Organizational Units, i.e. those for which the ProtectedFromAccidentalDeletion option is disabled:

Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | FT Name,DistinguishedName,ProtectedFromAccidentalDeletion

To enable the deletion protection option for all OUs in an Active Directory domain:

Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

To move an OU, use the Move-ADObject cmdlet (the ProtectedFromAccidentalDeletion option must not be enabled on the source OU):

Move-ADObject -Identity "OU=Services,OU=NewYork,DC=THEITBROS,DC=COM" -TargetPath "OU=IT,OU=Enterprise,DC=THEITBROS,DC=COM"

Move-ADObject can also be used to move other AD objects (users, computers, groups) between OUs. For example, you can move a computer to a new OU:

Move-ADObject -Identity "CN=pc-b11-23,OU=Computers,OU=NewYork,OU=USA,DC=theitbros,DC=com" -TargetPath "OU=Computers,OU=LA,OU=USA,DC=theitbros,DC=com"

To move several computers whose names are listed in a text file, you can use the following PowerShell script:

$computers = Get-Content C:\PS\MoveComputerList.txt
$TargetOU = "OU=Computers,OU=LA,OU=USA,DC=theitbros,DC=com"
ForEach ($computer in $computers) {
    Get-ADComputer $computer | Move-ADObject -TargetPath $TargetOU
}

The following PowerShell script counts the number of enabled users in each OU of your domain:

Get-ADOrganizationalUnit -Properties CanonicalName -Filter * | Sort-Object CanonicalName |
    ForEach-Object {
        [pscustomobject]@{
            CanonicalName = $_.CanonicalName
            UserCount = @(Get-ADUser -Filter 'enabled -eq $true' -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count
        }
    }

If you want to count the number of disabled AD users instead, replace the UserCount line with:

UserCount = @(Get-ADUser -Filter 'enabled -eq $false' -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count

How to Delegate Active Directory Permissions on Organizational Units?

When delegating Active Directory permissions on an OU to other users, it is preferable to grant the permissions not directly to user accounts, but to security groups. Then, to grant OU permissions to a new user, it is enough to add them to the security group.

To delegate the permissions, right-click on the OU and select Delegate Control.


In the Delegation of Control Wizard, select the group of users to which you want to grant access.


Then select the administrative tasks you want to delegate.


Common administrative tasks you can delegate on an OU include:

  • AD user management (create, edit, delete, etc.);
  • AD group management (creating and deleting groups, modifying group membership);
  • Managing GPO links;
  • Resetting Active Directory user passwords.
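The wizard above does its work by writing access control entries (ACEs) on the OU. The following added example (not part of the original post) performs the same delegation of the "Reset Password" task to a security group with the ActiveDirectory module, limited to descendant user objects, and then lists the resulting ACEs so the delegation can be audited. The group name "Helpdesk-Toronto" and the OU DN are constructed samples.

```powershell
# Added example: delegate "Reset Password" on user objects under one OU to a
# security group (not to an individual user), then audit the ACEs that were written.
Import-Module ActiveDirectory   # also provides the AD: PSDrive used by Get-Acl/Set-Acl

$ouDN  = "OU=Users,OU=Toronto,OU=Canada,DC=theitbros,DC=com"   # constructed
$group = Get-ADGroup -Identity "Helpdesk-Toronto"                # constructed

# Resolve the GUIDs from the directory instead of hardcoding them: the schemaIDGUID
# of the "user" class and the rightsGuid of the "Reset Password" control access right.
$rootDse       = Get-ADRootDSE
$userClassGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [guid](Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=Reset Password))" -Properties rightsGuid).rightsGuid

# ACE: Allow the group the ExtendedRight "Reset Password", inherited only by descendant user objects
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.SecurityIdentifier]$group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Audit: show every explicit (non-inherited) ACE granted to the helpdesk group on this OU
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\Helpdesk-Toronto" -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType
```

Running the audit query alone, across all OUs, is a quick way to review which groups hold delegated rights in the domain.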

Cyril Kardashevsky

I enjoy technology and developing websites. Since 2012, I have been running a few of my own websites and sharing useful content on gadgets, PC administration and website promotion.