An organizational unit (OU) is a sub container or subfolder in an AD where user accounts, computers, groups, etc... reside. OUs can only be managed by domain admins and by users with delegated permissions to a specific OU. OUs can be nested and you can link GPO's to them.
Creating an Organizational Unit
OUs are created via Active Directory Administrative Center (ADAC), Active Directory Users and Computers (ADUC), command prompt and PowerShell.
Creating OU with ADAC
Lets create an OU via ADAC:
Run the dsac.exe. Switch to tree view and expand your domain or OU where you want to place your new one. Right-click an OU or Domain, select New..., and after that select Organizational Unit.
The Create Organizational Unit window appears:
Enter a unique name for the OU and click OK.
Creating OU with the Command Line
To create an OU via cmd, run dsadd.exe with the following parameters:
dsadd.exe ou "OU=testorg,DC=office,DC=local" -desc "TestOU"This will create a TestOU in the domain with description “TestOU”.
Creating OU with PowerShell
New-ADOrganizationalUnit cmdlet can help us to accomplish the creation task. Run PowerShell as Administrator and type the following:
Import-Module ActiveDirectory
New-ADOrganizationalUnit "TestOU" -Description "TestOU"This will create a TestOU in the domain with description “TestOU”.
Deleting an Organizational Unit
OUs cannot be deleted easily; they are protected from accidental deletion by default. In order to delete an Organizational Unit, we need to uncheck the Protected from Accidental Deletion checkbox from the OU's properties.
Deleting OU with ADAC
Open the Active Directory Administrative Center (dsac.exe).
Switch to tree view, expand your domain and find the OU you want to delete. Rightclick the OU and then Delete.
The Delete Confirmation window appears:
Click Yes to confirm. If the OU contains child objects, click Yes again.
Deleting OU with Using the Command Line
To delete an OU using a command prompt we need to use dsrm.exe tool in cmd run as an administrator with the following syntax:
dsrm.exe "OU=TestOU,DC=office,DC=local" -subtreeThis will completely remove an OU with any existing sub-OUs.
Deleting OU with Windows PowerShell
In order to delete an OU we need to use the New-ADOrganizationalUnit PowerShell cmdlet:
Import-Module ActiveDirectory
Remove-ADObject -Identity "OU=TestOU,DC=office,DC=local" -Recursive -Confirm:$FalseThis will completely remove the TestOU OU with any existing sub-OUs.
Modifying an Organizational Unit
Sometimes you need to modify and OU so here is explanation to do those three different ways.
Modifying an OU with the Active Directory Administrative Center
Open the Active Directory Administrative Center (dsac.exe). Switch to tree view and find the OU that you need to modify.
Rightclick it and select “Properties:” in the appeared window you can change OU settings such as description or manager.
Uncheck the Protected from Accidental Deletion setting and click OK.
Modifying OU with the Command Line
In order to modify an OU, you need to use dsmod.exe in cmd as administrator. But in this case, you can modify only description.
dsmod.exe ou "OU=TestOU,DC=office,DC=local" -desc "New description"Here we assign “New description” to the TestOU.
Modifying OU with the Windows PowerShell
The Set-ADOrganizationalUnit PowerShell cmdlet is what we will use to change the OU. It is very powerful unlike dsmod.exe. You can easily change lots of OU’s parameters such as DistinguishedName, LinkedGroupPolicyObjects or ManagedBy. Here is the example of how to change ManagedBy parameter in an OU:
Import-Module ActiveDirectory
Set-ADOrganizationalUnit -Identity "OU=TestOU,DC=office,DC=local" -ManagedBy "CN=User,CN=Users,DC=office,DC=local"Conclusion
Managing Organizational Units (OUs) is a fundamental part of maintaining a well-structured and secure Active Directory environment. Whether you're creating, deleting, or modifying OUs, using the right tools—such as ADAC, ADUC, the command line, or PowerShell—helps ensure consistency and control. With proper delegation and structure, OUs simplify administrative tasks, support GPO application, and improve overall domain management efficiency.
FAQ
- What is the purpose of an Organizational Unit in Active Directory?
An Organizational Unit (OU) is a container used to organize and manage AD objects like users, computers, and groups. It also allows administrators to apply Group Policies and delegate permissions. - Can I create nested OUs in Active Directory?
Yes. OUs can be nested within other OUs to create a hierarchical structure that reflects your organization's departments or roles. - Who can manage Organizational Units?
Only Domain Admins or users with delegated permissions can manage OUs—this includes creating, modifying, and deleting them. - Why can’t I delete an OU in Active Directory?
By default, OUs are protected from accidental deletion. You must first uncheck the “Protect object from accidental deletion” property before removing it. - How do I apply a Group Policy to an OU?
Group Policies can be linked to an OU through the Group Policy Management Console (GPMC), allowing you to enforce specific configurations and security settings on the objects within that OU.
