How to Configure Organisational Units in Active Directory on Windows Server 2012 R2
Organisational Units (OUs) are the fundamental containers within Active Directory that allow administrators to organise directory objects into logical administrative units. A well-designed OU structure simplifies Group Policy application, delegation of administrative authority, and object management at scale. On Windows Server 2012 R2, OUs can be created and managed through Active Directory Users and Computers, Active Directory Administrative Center, or PowerShell. This guide explores OU design principles and walks through practical configuration tasks.
Prerequisites
You must be a member of the Domain Admins group or have been delegated the Create All Child Objects permission on the parent container where you wish to create OUs. The ActiveDirectory PowerShell module must be available and imported. The AD DS role must be installed on the domain controller you are working with.
Import-Module ActiveDirectory
Understanding OU Design Principles
Before creating OUs, it is important to understand the two primary purposes they serve: Group Policy application and administrative delegation. OUs are the only container objects in Active Directory to which Group Policy Objects (GPOs) can be linked. This makes OU structure critical to GPO inheritance and application. The second purpose is delegation — you can grant specific users or groups administrative rights over objects within an OU without granting them domain-wide privileges.
Two common design approaches are geography-based and function-based structures. A geography-based design mirrors physical locations (e.g., London, New York, Singapore) as top-level OUs with departmental sub-OUs beneath them. A function-based design uses department or role as the top level (e.g., Finance, IT, HR) with location beneath. Hybrid designs are also common. The key principle is to design your OU structure around your delegation and GPO requirements, not merely for cosmetic organisation.
Creating Organisational Units
Use the New-ADOrganizationalUnit cmdlet to create OUs from PowerShell. The following example builds a representative corporate OU structure:
# Create top-level OU for the company
New-ADOrganizationalUnit -Name "Contoso" `
    -Path "DC=contoso,DC=com" `
    -Description "Contoso Corporation Root OU" `
    -ProtectedFromAccidentalDeletion $true

# Create departmental sub-OUs
$departments = @("Finance","IT","HR","Operations","Marketing","Executive")
foreach ($dept in $departments) {
    New-ADOrganizationalUnit -Name $dept `
        -Path "OU=Contoso,DC=contoso,DC=com" `
        -Description "$dept Department" `
        -ProtectedFromAccidentalDeletion $true

    # Create Users, Computers, Groups, and ServiceAccounts sub-OUs within each department
    foreach ($type in @("Users","Computers","Groups","ServiceAccounts")) {
        New-ADOrganizationalUnit -Name $type `
            -Path "OU=$dept,OU=Contoso,DC=contoso,DC=com" `
            -ProtectedFromAccidentalDeletion $true
    }
}
Create additional OUs for special-purpose objects:
# Disabled accounts holding OU
New-ADOrganizationalUnit -Name "DisabledAccounts" `
    -Path "OU=Contoso,DC=contoso,DC=com" `
    -ProtectedFromAccidentalDeletion $true

# Admin accounts OU (tier model)
New-ADOrganizationalUnit -Name "AdminAccounts" `
    -Path "OU=Contoso,DC=contoso,DC=com" `
    -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Tier0" `
    -Path "OU=AdminAccounts,OU=Contoso,DC=contoso,DC=com" `
    -ProtectedFromAccidentalDeletion $true
New-ADOrganizationalUnit -Name "Tier1" `
    -Path "OU=AdminAccounts,OU=Contoso,DC=contoso,DC=com" `
    -ProtectedFromAccidentalDeletion $true
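The creation scripts above fail with an error on any OU that already exists, so they cannot simply be re-run after a partial failure. The following added example (not part of this guide) builds the same tree from a declarative spec, skips OUs that already exist, and re-enables deletion protection where someone has cleared it; the function name and the spec are my own assumptions.

```powershell
Import-Module ActiveDirectory

function New-OUTree {
    param(
        [Parameter(Mandatory)][string]$ParentDN,
        # OU name -> nested dictionary of child OUs (an empty @{} marks a leaf)
        [Parameter(Mandatory)][System.Collections.IDictionary]$Tree
    )
    foreach ($name in $Tree.Keys) {
        $dn = "OU=$name,$ParentDN"
        # Names come from the spec; they must not contain LDAP filter metacharacters such as ( ) *
        $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$name)" -SearchBase $ParentDN `
            -SearchScope OneLevel -Properties ProtectedFromAccidentalDeletion -ErrorAction SilentlyContinue
        if (-not $existing) {
            New-ADOrganizationalUnit -Name $name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
            Write-Output "Created:   $dn"
        } elseif (-not $existing.ProtectedFromAccidentalDeletion) {
            # Protection was cleared (e.g. for a move) and never restored: put it back
            Set-ADOrganizationalUnit -Identity $existing -ProtectedFromAccidentalDeletion $true
            Write-Output "Protected: $dn"
        } else {
            Write-Output "Exists:    $dn"
        }
        if ($Tree[$name].Count -gt 0) { New-OUTree -ParentDN $dn -Tree $Tree[$name] }
    }
}

# Constructed spec mirroring the structure above; each department gets the same four child OUs
$perDept = [ordered]@{ Users = @{}; Computers = @{}; Groups = @{}; ServiceAccounts = @{} }
$spec = [ordered]@{
    Contoso = [ordered]@{
        Finance = $perDept; IT = $perDept; HR = $perDept
        DisabledAccounts = @{}
        AdminAccounts = [ordered]@{ Tier0 = @{}; Tier1 = @{} }
    }
}
New-OUTree -ParentDN "DC=contoso,DC=com" -Tree $spec
```

Running it a second time reports every OU as existing and changes nothing, which makes it safe to keep in a provisioning pipeline.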
Accidental Deletion Protection
ProtectedFromAccidentalDeletion is a property exposed by the ActiveDirectory module rather than a directory attribute: setting it to $true adds a Deny ACE for Everyone covering the Delete and Delete Subtree permissions on the OU, which blocks deletion and moves (a move needs delete rights on the source object) until the protection is explicitly removed. Always enable this on production OUs:
# Enable protection on an existing OU
Set-ADOrganizationalUnit -Identity "OU=Finance,OU=Contoso,DC=contoso,DC=com" `
    -ProtectedFromAccidentalDeletion $true

# Remove protection (required before deletion or move)
Set-ADOrganizationalUnit -Identity "OU=Finance,OU=Contoso,DC=contoso,DC=com" `
    -ProtectedFromAccidentalDeletion $false

# Check protection status across all OUs (lists the unprotected ones)
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { $_.ProtectedFromAccidentalDeletion -eq $false } |
    Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion
Moving Objects Between OUs
Moving objects between OUs is a common operation during organisational restructuring or initial provisioning cleanup. Use Move-ADObject for this purpose:
# Move a single user to a new OU
Move-ADObject `
    -Identity "CN=Jane Smith,OU=Users,OU=IT,OU=Contoso,DC=contoso,DC=com" `
    -TargetPath "OU=Users,OU=Finance,OU=Contoso,DC=contoso,DC=com"

# Move all users from one OU to another (bulk migration)
Get-ADUser -SearchBase "OU=LegacyUsers,DC=contoso,DC=com" -Filter * |
    ForEach-Object {
        Move-ADObject -Identity $_.DistinguishedName `
            -TargetPath "OU=Users,OU=HR,OU=Contoso,DC=contoso,DC=com"
        Write-Host "Moved: $($_.Name)"
    }
Delegating Administrative Control
Delegation allows you to grant specific users or groups rights to manage objects within an OU without granting Domain Admin rights. This is critical for a least-privilege administrative model. Use the Delegation of Control Wizard in ADUC for GUI-based delegation, or directly manipulate ACLs with PowerShell:
# Grant a group the ability to reset passwords and unlock accounts in the Finance Users OU
$ouDN     = "OU=Users,OU=Finance,OU=Contoso,DC=contoso,DC=com"
$group    = Get-ADGroup "Finance-HelpDesk"
$groupSID = [System.Security.Principal.SecurityIdentifier]$group.SID
$acl      = Get-Acl -Path "AD:\$ouDN"

$type        = [System.Security.AccessControl.AccessControlType]::Allow
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$userGUID    = [GUID]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the user class

# 1. Extended right: Reset Password (rightsGuid 00299570-246d-11d0-a768-00aa006e0529),
#    scoped to user objects beneath the OU only
$resetPasswordGUID = [GUID]"00299570-246d-11d0-a768-00aa006e0529"
$adRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $groupSID, $adRight, $type, $resetPasswordGUID, $inheritance, $userGUID
$acl.AddAccessRule($ace)

# 2. Unlocking an account is a write to the lockoutTime attribute
#    (schemaIDGUID 28630ebf-41d5-11d1-a9c1-0000f80367c1), so grant Read/Write Property on it
$lockoutTimeGUID = [GUID]"28630ebf-41d5-11d1-a9c1-0000f80367c1"
$propRights = [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $groupSID, $propRights, $type, $lockoutTimeGUID, $inheritance, $userGUID
$acl.AddAccessRule($ace)

Set-Acl -Path "AD:\$ouDN" -AclObject $acl
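Delegations like the one above accumulate over time, so they need to be reviewed as carefully as group memberships. The following function is an added example, not part of this guide: it lists every explicit (non-inherited) ACE on every OU and resolves object-type GUIDs to names using the schema and Extended-Rights containers, so each grant can be checked against the intended delegation model. The function name and the list of expected principals are assumptions of mine.

```powershell
Import-Module ActiveDirectory

function Get-OUDelegationReport {
    param(
        # Principals whose explicit ACEs are expected on every OU and are left out of the report
        [string[]]$ExpectedPrincipals = @(
            'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access')
    )
    $rootDse = Get-ADRootDSE
    # Map object-type GUIDs to names: schema classes/attributes plus control access rights
    $guidMap = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[string][guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $guidMap[[string][guid]$_.rightsGuid] = $_.displayName }
    $resolve = { param($g)
        if ($g -eq [guid]::Empty) { 'All' } elseif ($guidMap[[string]$g]) { $guidMap[[string]$g] } else { [string]$g } }

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # Inherited ACEs were granted higher up; report only what was set on this OU
            if ($ace.IsInherited) { continue }
            $who = $ace.IdentityReference.Value
            if ($ExpectedPrincipals -contains $who -or $who -match '\\(Domain Admins|Enterprise Admins)$') { continue }
            [PSCustomObject]@{
                OU                  = $ou.DistinguishedName
                Principal           = $who
                # A Deny for Everyone on Delete/DeleteTree is the accidental-deletion protection, not a delegation
                Type                = $ace.AccessControlType
                Rights              = $ace.ActiveDirectoryRights
                ObjectType          = & $resolve $ace.ObjectType
                InheritedObjectType = & $resolve $ace.InheritedObjectType
                Inheritance         = $ace.InheritanceType
            }
        }
    }
}

# Usage: show what the help-desk groups hold; anything beyond Reset Password / lockoutTime needs a reason
Get-OUDelegationReport | Where-Object { $_.Principal -like '*HelpDesk*' } | Format-Table -AutoSize
```

Exporting the full output to CSV alongside the OU structure report gives a baseline to diff against on each review cycle.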
Renaming and Deleting OUs
Renaming an OU changes its RDN (Relative Distinguished Name) while preserving its GUID and all child objects:
# Rename an OU
Rename-ADObject `
    -Identity "OU=Marketing,OU=Contoso,DC=contoso,DC=com" `
    -NewName "Marketing-EMEA"

# Delete an OU: clear the protection first; the OU must be empty unless -Recursive is used,
# and -Recursive still fails if any child object carries its own deletion protection
Set-ADOrganizationalUnit -Identity "OU=OldDept,DC=contoso,DC=com" `
    -ProtectedFromAccidentalDeletion $false
Remove-ADOrganizationalUnit -Identity "OU=OldDept,DC=contoso,DC=com" `
    -Recursive -Confirm:$false
Auditing and Reporting OU Structure
Documenting your OU structure is essential for change management. Generate a full OU hierarchy report:
# Export full OU structure to CSV (the C:\Reports folder must already exist)
Get-ADOrganizationalUnit -Filter * -Properties Description, ProtectedFromAccidentalDeletion |
    Select-Object Name, DistinguishedName, Description, ProtectedFromAccidentalDeletion |
    Sort-Object DistinguishedName |
    Export-Csv "C:\Reports\OUStructure.csv" -NoTypeInformation

# Count direct child objects in each OU (@() keeps .Count correct when zero or one object is returned)
Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $count = @(Get-ADObject -SearchBase $_.DistinguishedName `
        -SearchScope OneLevel -Filter *).Count
    [PSCustomObject]@{
        OU               = $_.Name
        DN               = $_.DistinguishedName
        DirectChildCount = $count
    }
} | Sort-Object DN
Linking GPOs to OUs
Once your OU structure is in place, link Group Policy Objects to apply settings to objects within those OUs. The Group Policy module provides cmdlets for this:
# Link a GPO to an OU
New-GPLink -Name "Finance Security Baseline" `
    -Target "OU=Users,OU=Finance,OU=Contoso,DC=contoso,DC=com" `
    -LinkEnabled Yes `
    -Enforced No

# List all GPO links on an OU
Get-GPInheritance -Target "OU=Finance,OU=Contoso,DC=contoso,DC=com" |
    Select-Object -ExpandProperty GpoLinks
Verifying the OU Configuration
# Verify the OU exists and check its properties
Get-ADOrganizationalUnit `
    -Identity "OU=Finance,OU=Contoso,DC=contoso,DC=com" `
    -Properties *

# View child OUs
Get-ADOrganizationalUnit `
    -Filter * `
    -SearchBase "OU=Finance,OU=Contoso,DC=contoso,DC=com" `
    -SearchScope OneLevel
Summary
A well-designed OU structure in Active Directory on Windows Server 2012 R2 is foundational to effective Group Policy management, administrative delegation, and object organisation. Design OUs around your delegation and GPO requirements rather than purely for aesthetic purposes. Always enable ProtectedFromAccidentalDeletion on production OUs. Use PowerShell for bulk OU creation and management, and document your OU structure with regular exports. Delegation of control to the appropriate groups at the OU level supports a least-privilege model that reduces security risk while enabling efficient day-to-day administration.