What is an OU in Active Directory?
An organizational unit (OU) is a type of container in Active Directory. An OU can contain one or many AD objects, such as user accounts, computer accounts, printers and groups.
Organizational units are similar to folders in that they can be arranged hierarchically to represent the structure of the organization. For example, you can have an OU for all user accounts in the domain, with child OUs for each division or department. Those OUs can have child OUs of their own. You can create your OUs based on function, department, location or other relevant criteria.
You can create a similar hierarchy for computer objects. For instance, you might place all standard printers in one OU and all color laser printers in another OU. You can also use OUs to efficiently manage machines running different versions of the Windows operating systems.
Benefits of Active Directory Organizational Units
The time you invest in meticulous planning of your OUs is well spent. Indeed, a well-designed OU structure delivers a wide range of benefits, including stronger security and easier management:
- Precise and accurate security controls — By organizing your users, computers and other AD objects into logical OUs, you can more easily apply specific security controls to different objects. In particular, Group Policy (GPOs) can be linked to OUs to apply their settings to particular groups of objects. For example, you might apply use Group Policy to apply a shorter inactivity lock-out time for your key servers than for user workstations, or to impose more stringent password requirements on administrative accounts than business user accounts.
- Easy delegation of administrative tasks — OUs also enable you to delegate specific permissions to business users, instead of having to grant them broad administrative privileges. For example, you can enable your helpdesk technicians to reset passwords for all AD domain users, or just for the users in a particular child OU.
How to Manage OUs using Active Directory Users and Computers (ADUC)
Create an Organizational Unit
- Right-click on the domain or OU where you want to create the new OU.
- Click New and then Organizational Unit.
- Enter a name for the new OU.
- Click OK.
Rename an Organizational Unit
- Right-click on the OU you want to rename..
- Choose Rename.
- Specify the new name.
Move an Organizational Unit
- Right-click on the OU you want to move.
- Choose Cut.
- Navigate to the target location and click Paste.
Delete an OU
Caution: Deleting an OU will delete all objects in the OU. To delete an OU, take these steps:
- Right-click on the OU you want to delete.
- Select Delete.
- Confirm the action.
Delegate Permissions using Organizational Units
You can delegate specific administrative responsibilities to designated users or groups using OUs. Take these steps:
- Right-click on the desired OU.
Choose Delegate Control and follow steps in the wizard
How to Manage OUs using Active Directory Users and Computers (ADUC)
Windows PowerShell provides a robust way to efficiently create and manage OUs in your Active Directory domains.
How to Create an Active Directory OU using PowerShell
To create an OU in the root of the domain, use the following PowerShell cmdlet:
New-ADOrganizationalUnit -Name "Engineering"
To create an OU in an existing container, add the -Path parameter:
New-ADOrganizationalUnit -Name "NewOU" -Path "OU=ParentOU,DC=domain,DC=com"
How to Manage Active Directory OUs with PowerShell
Here are additional PowerShell cmdlets that you can use for managing OUs:
- Retrieve the properties of an OU — Get-ADOrganizationalUnit
Get-ADOrganizationalUnit -Identity 'OU=Engineering,DC=MILKYWAY,DC=LOCAL'
- Modify the properties of an OU — Set-ADOrganizationalUnit
Set-ADOrganizationalUnit -Identity "OU=Engineering,DC=MILKYWAY,DC=LOCAL" -Country "US" -StreetAddress "350 S. Bixel Street" -City California -State CA
- Delete an OU — Remove-ADOrganizationalUnit
Remove-ADOrganizationalUnit -Identity "OU=Engineering,DC=MILKYWAY,DC=LOCAL" -Recursive
Default Containers and OUs in Active Directory
Multiple containers, including one OU, are created by default during Active Directory installation.
Domain Controllers OU
The only OU created by default when AD is installed is the Domain Controllers OU. Domain controllers (DCs) are automatically put in this OU when they are added to the domain. (DCs are the servers that run Active Directory and provide services like authentication and authorization for the domain.)
A set of policies are applied to this OU by default. To protect DC security and functionality, leave all DC computer objects in this OU.
By default, the service administrators control the Domain Controllers OU. Do not delegate control of this OU to other individuals or groups.
Other Built-in Containers
Additional containers created during installation of Active Directory include:
- Domain — This is the root container for the domain.
- Built-in — This is used for service administrator accounts by default.
- Users — New user accounts and groups that are created are placed here by default.
- Computers — New computer accounts are placed here by default.
Note that these containers are not OUs so you cannot apply Group Policy to them.
Best Practices for Using OUs
- Plan your OU structure carefully. Think about how you want to organize your user accounts, computers and other AD objects. Consider factors such as department, role, location and device type. Every minute spent on planning will pay dividends down the road!
- Create a hierarchical OU structure. This will allow you to apply Group Policy and security settings to specific groups of objects.
- Create different OUs for user accounts, servers and non-server computers. This will simplify Group Policy management greatly.
- Implement consistent and well-defined naming conventions. This will make your OUseasier to find and manage. For example, you could use the naming convention OU=[Dept]_[Location-Site] so it is easy to tell which department and location an OU was created for.
- Delegate administrative permissions to OUs. This will enable you to distribute administrative tasks to appropriate users. Delegate carefully to maintain security!
- Document your OU structure. Comprehensive documentation provides valuable insight into how OUs are structured and used. Both current and future administrators will be grateful.
Conclusion
Organizational units are a valuable feature of Active Directory. Creating a well-organized OU structure will simplify management of users, computers and groups, while also enabling stronger security.
FAQ
What is an OU in Active Directory?
An organizational unit in Active Directory is a container used to organize and manage user accounts, computer accounts, printers, groups and other AD objects. OUs enable organizations to organize resources based on function, department, location or other factors.
What is the only OU created by default when installing Active Directory?
The only OU created by default during Active Directory installation is the Domain Controllers OU. It plays a crucial role in managing critical servers called domain controllers. It is recommended to leave all domain controller computer objects in this OU.
How do I create an OU in Active Directory?
To create an OU, take the following steps:
- Open the Active Directory Users and Computers (ADUC) console.
- Right-click on the domain or OU where you want to create a new OU.
- Select New and then choose Organizational Unit.
- Enter a name for the new OU.
- Click OK.
How do I find an OU in Active Directory?
To find an OU, take these steps:
- Open the ADUC console.
- In the left pane, navigate to the domain or OU structure.
- Use the search functionality or visually inspect the hierarchy to locate the desired OU.
Alternatively, you can use the PowerShell cmdlet Get-ADOrganizationalUnit.