How to Create an Organizational Unit in Active Directory?
Admins who are currently struggling as they dont know how to create an organizational unit in Active Directory can feel at ease. We have culminated multiple different strategies for OU creation in AD in this write-up.
Read and learn to use the native GUI portals or deploy code-based alternatives. However, before we get to know the methods, let’s understand why OU creation is done in an Active Directory.
Reasons to Create and Use Organizational Units in AD
There are primarily two reasons that push for the need for OU creation:
- OUs allow administrators to delegate permissions at a granular level.
- OUs help organize and manage resources (users, computers, groups) by department, location, or function.
Now that we know why OU creation is done, let us start with the most basic way first.
How to Create an Organizational Unit in Active Directory with ADUC?
- Step 1. Open the Users and Computers Portal.
- Step 2. Right-click on your Domain.
- Step 3. In the context, menu, select New.
- Step 4. Then tap on Organizational Unit.
- Step 5. Inside the pop-up, add a Name and click OK.
You can get to the same position by going to the Action tab > New > Organizational unit. Or simply by clicking the New OU icon present in the ADUC toolbar. However, do so with caution, as it is not easy to move OU’s post creation.
Regarding the setting during OU creation in ADUC, there are not many things that the admin needs to configure. As there is only one other optional option along with the OU name. This is if admins want to protect the OU from accidental deletion. Choose the name carefully; otherwise, you will face many issues if you try to find the OU of the user at any time in the future.
By default, it is pre-selected, but you can unmark it; just remember, when you try to delete an OU with no protection, you won’t receive any warning.
Like the Users and computer portal, there is another GUI-based OU creation portal built in your Active Directory environment. So let’s see what it is and how to use it.
Make OU with the Help of the ADAC Portal
Some admins find it relatively simple, although there is no universal consensus. You can compare the two on your own with these steps for the Admin Center technique.
Launch the portal > Select your Domain > Expand New tab on the Right side pane > Select Organization Unit.
The Window that appears has more configuration settings available that admins can set up at the time of OU creation itself. With the name being the only self-filled mandatory field. The rest of them are either decided in the background via the AD itself or can be safely ignored for the time being.
This is how to create an organizational unit in Active Directory via the ADAC portal. Some admins prefer this over ADUC as it allows for a more customized creation at the cost of an increase in setup time.
Those from a technical background can utilize code-based alternatives for faster bulk OU creation. You need not start from scratch, as we have laid out some basic scripts and queries to help you out.
PowerShell Script for Automated OU Creation
The following script creates a function that can be used repeatedly to create new OUs.
Open a new instance of PowerShell ISE and paste the following in the Script Pane (White Screen).
# Requires the Active Directory module
# Import if not already loaded
if (!(Get-Module -Name ActiveDirectory)) {
Import-Module ActiveDirectory
}
function New-CustomOU {
param(
[Parameter(Mandatory=$true)]
[string]$OUName,
[Parameter(Mandatory=$false)]
[string]$ParentPath = (Get-ADDomain).DistinguishedName,
[Parameter(Mandatory=$false)]
[string]$Description = ""
)
try {
# Check if OU already exists
$existingOU = Get-ADOrganizationalUnit -Filter "Name -eq '$OUName'" -SearchBase $ParentPath -SearchScope OneLevel -ErrorAction SilentlyContinue
if ($existingOU) {
Write-Warning "An OU with the name '$OUName' already exists at the specified location."
return
}
# Create the new OU
New-ADOrganizationalUnit -Name $OUName -Path $ParentPath -Description $Description -ProtectedFromAccidentalDeletion $true
Write-Host "Successfully created OU: $OUName" -ForegroundColor Green
}
catch {
Write-Error "Failed to create OU: $_"
}
}
# Example usage:
# New-CustomOU -OUName "TestOU" -Description "Test Organizational Unit"
# New-CustomOU -OUName "HR" -ParentPath "OU=Departments,DC=contoso,DC=com" -Description "Human Resources Department"
Save and run the script.
Then, inside the Console Pane (Blue Screen) test out the script.
New-CustomOU -OUName "TestOU" -Description "Test Organizational Unit"
Sometimes admins may feel that PowerShell is too complex, especially when they have to use PowerShell to get a list of computers in an OU. Moreover, they might change something they weren’t supposed to. Not to worry, as apart from PowerShell, there is one more code-based method that is less intrusive on your AD.
How to Create an Organizational Unit in Active Directory on the Command Line
Press Win + R, Type cmd, click Enter, and paste:
dsadd ou "<Entire Path>"
Press Enter again to run the query.
For eg:
dsadd ou "OU=NewDepartment,DC=contoso,DC=com" -desc "New Department OU"
Another classic command-line tool available for admins is the LDIFDE (LDAP Data Interchange Format Data Exchange). To use it and make new OUs, you have to.
First, make a plain text file that looks something like this.
dn: OU=Sales,DC=contoso,DC=com changetype: add objectClass: organizationalUnit dn: OU=Marketing,DC=contoso,DC=com changetype: add objectClass: organizationalUnit
Then save the file with the .ldf extension and use the following command to call and run the script.
ldifde -i -f OUCreation.ldf
Apart from this, you can also use the VBScript (Visual Basic Script) or other programming languages like C# to programmatically make new OUs. However, they don’t offer any significant advantage over the methods that we have already discussed.
This completes all the methods that are available for OU Creation.
Best Practices to Follow During New OU Creation in AD
Make sure that the historical OU structure is intact and only build new ones without disturbing the original ones.
Keep a record of OU modifications to perform troubleshooting anytime in the future. Use the SysTools Active Directory Reporting solution to verify new OU creations remotely without much effort.
Keep OUs under supervision by appointing pseudo-admin roles. So, once you figure out how to create an organizational unit in Active Directory, distribute responsibility from the super admin, and build a level of escalation systems in case things go wrong.
Follow the predefined naming conventions for new OUs to avoid confusion. Include business units or locations so that the role and function of the OU are readily apparent.
Don’t over-create OUs. It is important to keep the number of New Organizational Units at a manageable level to avoid confusion.
Ensure that the OU structure remains simple and consistent; if the OUs are too deeply nested, then they lose the sense of purpose and end up doing more harm in the long run.
Conclusion
So now admins have all the tools they need and know how to create an organizational unit in Active Directory without any issues. There are a lot of different ways through which one can complete the task, which include ADUC, ADAC, PowerShell, and the command line. Moreover, for tracking whether or not the OU creation was successful, admins can use the automated tool.
Frequently Asked Questions
Q. How to create an Organizational Unit in Active Directory in the least possible time?
Use a PowerShell Script. Although the initial setup time is more when compared to other methods. The amount of flexibility and customization you get beats all other methods in multi-OU setup scenarios.
Q. How many OUs can I have inside a single domain?
There is no magic number. You should make as many OUs as your organization needs. However, it is the IT administrator’s responsibility to figure out whether a new OU is needed or an existing one can hold the objects. The more OUs greater the complexity in management.
Q. Do I need to assign members at the time of OU creation?
No, you can keep the OU empty at the time of creation and fill in the members later.