
Creating and managing organizational units

Organizational units (OUs) are logical administrative units that can help you limit the scope of a domain. They can contain many types of objects, including those for computers, contacts, groups, printers, or users. Because they can also contain other OUs, you can build a hierarchy of OUs within a domain. You can also use OUs to delegate administrator privileges on a limited basis.

Creating an OU

Several tools are available for creating OUs. Typically, the tool you use depends on what other administrative tasks you might need to perform. For example, if you are creating an OU to add resources to it, you might want to use either Active Directory Users And Computers or Active Directory Administrative Center. If you are creating an OU to apply Group Policy to it, you might want to use Group Policy Management.

As long as you use an account that is a member of the Administrators group, you'll be able to create OUs anywhere in the domain. The only exception is that you cannot create OUs within the default containers created by Active Directory.

Note:
You can create OUs within the Domain Controllers container. This is possible because this container is created as an OU. Creating OUs within Domain Controllers is useful if you want to organize domain controllers.

When you work with Active Directory Users And Computers, you are connected to your login domain by default. If you want to create OUs in a different domain, press and hold or right-click the Active Directory Users And Computers node in the console tree and then select Change Domain. In the Change Domain dialog box, type the name of the domain to which you want to connect and then tap or click OK. Alternatively, in the Change Domain dialog box, you can tap or click Browse to open the Browse For Domain dialog box so that you can find the domain to which you want to connect.

You can now create the OU. If you want to create a top-level OU (that is, an OU that has the domain container as its parent), press and hold or right-click the domain node in the console tree, point to New, and then select Organizational Unit. If you want to create a lower-level OU, press and hold or right-click the OU in which you want to create the new OU, point to New, and then select Organizational Unit.

In the New Object-Organizational Unit dialog box, type a new name for the OU, and then tap or click OK. Although the OU name can be any string of up to 256 characters, the best OU names are short and descriptive.

Understanding Deletion Protection for OUs

When you create a new OU, the Protect Container From Accidental Deletion check box is selected automatically. This prevents any user or administrator in the domain from deleting the OU accidentally. Before you can delete a protected OU, you must clear this protection flag. In Active Directory Administrative Center, this is a standard property in the Properties dialog box. In Active Directory Users And Computers, this is an advanced property on the Object tab, and you must enable the Advanced Features view by selecting Advanced Features on the View menu before you can clear or select it. Therefore, to delete an OU, you must complete the following steps:
  1. In Active Directory Users And Computers, enable the Advanced Features view by selecting Advanced Features on the View menu.
  2. Press and hold or right-click the OU and then select Properties.
  3. On the Object tab of the Properties dialog box, clear the Protect Object From Accidental Deletion check box and then tap or click OK.
  4. In Active Directory Users And Computers, press and hold or right-click the OU and then select Delete.
  5. When prompted to confirm, tap or click Yes.
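
The same steps from PowerShell, together with an audit of which OUs currently lack the protection flag (an added example, not part of the original text). It assumes the ActiveDirectory module from RSAT is installed and the session runs under an account with rights over the OU; the function names and the distinguished name in the usage comment are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-UnprotectedOU {
    # Lists OUs under $SearchBase whose accidental-deletion flag is cleared.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase `
            -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        Select-Object Name, DistinguishedName
}

function Remove-ProtectedOU {
    # Clears the protection flag and deletes one OU, mirroring steps 1-5.
    # ConfirmImpact 'High' makes PowerShell prompt unless -Confirm:$false is given.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Identity)

    $ou = Get-ADOrganizationalUnit -Identity $Identity `
            -Properties ProtectedFromAccidentalDeletion

    # Refuse to continue if the OU still holds objects, so that accounts
    # and child OUs are moved out deliberately rather than lost with it.
    $children = @(Get-ADObject -Filter * -SearchBase $ou.DistinguishedName `
            -SearchScope OneLevel)
    if ($children.Count -gt 0) {
        throw "OU '$($ou.DistinguishedName)' still contains $($children.Count) object(s)."
    }

    if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Clear deletion protection and delete')) {
        if ($ou.ProtectedFromAccidentalDeletion) {
            # Equivalent of clearing the check box on the Object tab.
            Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $false
        }
        # The prompt was already handled by ShouldProcess above.
        Remove-ADOrganizationalUnit -Identity $ou -Confirm:$false
    }
}

# Usage (constructed distinguished name); -WhatIf shows the action without performing it:
#   Get-UnprotectedOU
#   Remove-ProtectedOU -Identity 'OU=Staging,DC=example,DC=com' -WhatIf
```

Running `Get-UnprotectedOU` periodically shows where the flag was cleared for a deletion that never happened and should be set again.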

Creating OUs in Active Directory Administrative Center is similar. When you work with Active Directory Administrative Center, you are connected to your login domain by default. If you want to create OUs in a different domain, tap or click Manage and then select Add Navigation Nodes.

In the Additional Navigation Nodes dialog box, you'll see available domains for the forest in the Columns list. To add a node for a listed domain, select it in the Columns list, tap or click the Add (>>) button, and then tap or click OK. To add a node for a domain that isn't listed, click Connect To Another Domain, enter the fully qualified domain name, and then tap or click OK. Either way, a management node for the domain should be added to the console.

If you want to create a top-level OU in Active Directory Administrative Center, press and hold or right-click the domain node in the console tree, point to New, and then select Organizational Unit. If you want to create a lower-level OU, press and hold or right-click the OU in which you want to create the new OU, point to New, and then select Organizational Unit. In the Create Organizational Unit dialog box, type a new name for the OU and then tap or click OK.

Setting OU properties

OUs have properties that you can set to add descriptive information. This helps other administrators know how the OU is used.

To set the properties of an OU in Active Directory Users And Computers, press and hold or right-click the OU and then select Properties. This displays the OU's Properties dialog box.

  • On the General tab, you can enter descriptive information about the OU, including a text description and address information.
  • On the Managed By tab, you can specify the user or contact responsible for managing the OU. This gives a helpful point of contact for questions regarding the OU.
  • On the Object tab, you can determine the canonical name of the OU object and specify whether the OU should be protected from accidental deletion.
  • On the COM+ tab, you can specify the COM+ partition of which the OU should be a member (if any).
  • On the Attribute Editor tab, you can view and set attributes of the OU object.

Similar options for setting the properties of an OU are available in Active Directory Administrative Center. Press and hold or right-click the OU and then select Properties to open the OU's Properties dialog box. COM+ and Attribute Editor options are available on the Extensions panel.

Creating or moving accounts and resources for use with an OU

After you create an OU, you might want to place accounts and resources in it. In either Active Directory Users And Computers or Active Directory Administrative Center, you follow one of these procedures:

  • You create accounts in the OU. To do so, press and hold or right-click the OU, point to New, and then select the type of object to create, such as Computer, Group, or User.
  • You move existing accounts or resources to an OU. To do so, select the accounts or resources in their existing container. To select multiple accounts or resources and move them together, hold Ctrl or Shift while you tap or click. Next, press and hold or right-click the accounts or resources and then select Move. In the Move dialog box, select the container to which you want to move the accounts or resources and then tap or click OK.