How to Configure Organisational Units in Active Directory on Windows Server 2016

How to Set Up Windows Server 2016 Organizational Units

Organizational Units (OUs) are container objects in Active Directory that allow administrators to logically organize users, computers, groups, and other objects within a domain. OUs serve two primary purposes: delegating administrative control to specific users or groups, and applying Group Policy Objects (GPOs) to targeted sets of objects. A well-designed OU structure is the foundation of a manageable and secure Active Directory environment.

Planning Your OU Structure

Before creating OUs, invest time in planning the structure. The two most common approaches are organizing by geography (e.g., country, city, or site) and organizing by function (e.g., department, role, or object type). Many organizations use a hybrid approach. The key principle is that the OU structure should reflect how you need to apply Group Policy and delegate administration, not necessarily how the business is organized on an org chart.

Consider these design guidelines: Keep the hierarchy as flat as possible, ideally no more than five levels deep. Group Policy processing becomes slower with deeper nesting. Design for delegation — create OUs that align with the boundaries of who needs to manage what. Do not create OUs just for organizing objects if no delegation or GPO application is needed; nested groups can serve that purpose without adding OU depth.

Creating an Organizational Unit

To create an OU using Active Directory Users and Computers (ADUC), open the console via dsa.msc. Right-click the domain root or an existing OU where the new OU should reside, hover over New, and select Organizational Unit. Enter a name for the OU. You will also see the option to protect the container from accidental deletion — it is recommended to leave this checked for all production OUs.

New-ADOrganizationalUnit -Name "IT_Department" -Path "DC=corp,DC=local" -ProtectedFromAccidentalDeletion $true

To create a nested OU structure using PowerShell:

New-ADOrganizationalUnit -Name "Workstations" -Path "OU=IT_Department,DC=corp,DC=local" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Servers" -Path "OU=IT_Department,DC=corp,DC=local" -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "ServiceAccounts" -Path "OU=IT_Department,DC=corp,DC=local" -ProtectedFromAccidentalDeletion $true

Moving Objects into OUs

After creating OUs, you need to populate them. In ADUC, right-click a user, computer, or group object and select Move. A dialog appears listing all available OUs. Select the destination OU and click OK. You can also drag objects between OUs in the ADUC console, though dragging is less precise and can result in accidents.

Move-ADObject -Identity "CN=John Smith,CN=Users,DC=corp,DC=local" -TargetPath "OU=IT_Department,DC=corp,DC=local"

To move all computers from the default Computers container to a specific OU in bulk:

Get-ADComputer -Filter * -SearchBase "CN=Computers,DC=corp,DC=local" | ForEach-Object {
    Move-ADObject -Identity $_.DistinguishedName -TargetPath "OU=Workstations,OU=IT_Department,DC=corp,DC=local"
}

Protecting OUs from Accidental Deletion

Windows Server 2016 includes accidental deletion protection for OUs. When this option is enabled, attempting to delete the OU will return an error, even for Domain Admins, until the protection is explicitly removed. This is a safety net against inadvertently deleting an OU and all its contents.

To check whether an OU is protected and to remove protection if needed:

Get-ADOrganizationalUnit -Identity "OU=IT_Department,DC=corp,DC=local" | Select-Object Name, ProtectedFromAccidentalDeletion

Set-ADOrganizationalUnit -Identity "OU=IT_Department,DC=corp,DC=local" -ProtectedFromAccidentalDeletion $false

Deleting an Organizational Unit

Before deleting an OU, first move or delete all objects it contains. Deleting a non-empty OU with protection disabled will remove all child objects permanently (or until restored from backup/Recycle Bin). After confirming the OU is empty, right-click it in ADUC and select Delete, or use PowerShell:

Remove-ADOrganizationalUnit -Identity "OU=OldDepartment,DC=corp,DC=local" -Recursive -Confirm:$false

Viewing OU Properties and Linked GPOs

Right-click an OU in ADUC and select Properties to view and edit its attributes. The General tab allows entering description text and a managed-by contact. The Group Policy tab (visible when Group Policy Management Console is installed) shows linked GPOs. The Managed By tab shows which user or group is responsible for managing this OU, which is useful for documentation and delegation visibility.

Delegating Control to an OU

One of the most powerful uses of OUs is the ability to delegate administrative control to non-Domain Admin accounts. Right-click an OU and select Delegate Control to launch the Delegation of Control Wizard. Select the users or groups to receive delegated rights, then choose specific tasks such as creating/deleting user accounts, resetting passwords, or managing group membership. This allows help desk staff or department-level IT staff to manage their own OU without needing full domain admin rights.

dsacls "OU=IT_Department,DC=corp,DC=local" /G "CORPHelpDesk:RPWP;pwdLastSet;user" /G "CORPHelpDesk:CA;Reset Password;user"

Linking Group Policy to an OU

GPOs can be linked to OUs so that their settings apply to all objects within that OU. Open Group Policy Management Console (GPMC), right-click the target OU, and select Link an Existing GPO or Create a GPO in this domain, and Link it here. GPOs applied at the OU level take precedence over those applied at the domain or site level (absent blocking or enforcement).

New-GPLink -Name "IT_Security_Policy" -Target "OU=IT_Department,DC=corp,DC=local" -LinkEnabled Yes

Listing All OUs in the Domain

To get an overview of all OUs in the domain, useful for auditing or documentation, use the following PowerShell command:

Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName | Sort-Object DistinguishedName | Format-Table -AutoSize

Redirecting Default Computer and User Containers

By default, computers that join the domain land in the CN=Computers container and new users created without specifying an OU land in CN=Users. These are not OUs and cannot have GPOs linked to them directly. To redirect these defaults to a proper OU:

redircmp "OU=Workstations,OU=IT_Department,DC=corp,DC=local"
redirusr "OU=Staff,DC=corp,DC=local"

Best Practices Summary

Keep the OU hierarchy shallow and purposeful. Name OUs clearly and consistently, using a naming convention documented in your IT standards. Always enable accidental deletion protection on production OUs. Use the Managed By attribute to record OU ownership. Regularly review and clean up OU structures as the organization changes. Document all delegation assignments since ADUC does not provide an easy native report of delegated permissions. Consider using scripts or third-party tools to audit effective permissions on OUs periodically.

A well-structured OU hierarchy simplifies administration, improves Group Policy targeting accuracy, and enables secure delegation of tasks. Taking the time to design and implement OUs correctly at the start of a project pays dividends throughout the lifetime of the Active Directory deployment.