Windows OS Hub
  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux
  • Home
  • About

Windows OS Hub

  • Windows
    • Windows 11
    • Windows Server 2022
    • Windows 10
    • Windows Server 2019
    • Windows Server 2016
  • Microsoft
    • Active Directory (AD DS)
    • Group Policies (GPOs)
    • Exchange Server
    • Azure and Microsoft 365
    • Microsoft Office
  • Virtualization
    • VMware
    • Hyper-V
  • PowerShell
  • Linux

 Windows OS Hub / Active Directory / Create Organizational Units (OU) Structure in Active Directory with PowerShell

March 17, 2024

Create Organizational Units (OU) Structure in Active Directory with PowerShell

Quite often when creating new Organizational Units (OUs), an Active Directory administrator has to create a structure of nested containers inside a new OU. For example, when a company opens a new branch office, you need to create AD containers for users, groups, servers, and service accounts in the new OU. To avoid manually creating nested OUs and assigning permissions in the ADUC snap-in (dsa.msc), you can use the PowerShell script from this article to create and configure nested OUs in bulk. The script not only creates new organizational units but also creates administrative security groups and grants them permission to new OUs.

To create a new OU in Active Directory, use the New-ADOrganizationalUnit cmdlet from the RSAT-AD-PowerShell module. To create an OU in the specified container, you can use the command below:

Import-Module ActiveDirectory
New-ADOrganizationalUnit -Name "Users" -Path "OU=Berlin,OU=DE,DC=woshub,DC=com" –Description "Account container for Berlin users" -PassThru

If you do not specify the -Path parameter, a new OU will be created in the AD root.

By default, when creating AD containers, the ProtectedFromAccidentalDeletion option is enabled for them. You can disable it or change any other Organizational Unit attribute in Active Directory using the Set-ADOrganizationalUnit cmdlet:

Get-ADOrganizationalUnit -Identity “OU=Users,OU=Berlin,OU=DE,DC=woshub,DC=com”| Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false

To remove an OU with all nested objects, use the following command:

Remove-ADObject -Identity "OU=Users,OU=Berlin,OU=DE,DC=woshub,DC=com” -Recursive

Let’s look at a small PowerShell script to automatically create a typical OU structure in Active Directory for a new company branch office.

Suppose your company has a separate OU for each of its branches with the following structure of nested containers:

Country
-City_name
--Admins
--Computers
--Contacts
--Groups
--Servers
--Service Accounts
--Users

After creating an OU structure, you need to create branch administrator groups in AD and delegate them privileges on the new OUs:

  • City_admins – branch administrators (full control over all branch OUs);
  • City_account_managers – users with account operator privileges (create new users, AD password reset, etc.). Assign permissions only to Users and Service Accounts OUs;
  • City_wks_admins – HelpDesk Support team with administrator privileges on the branch computers (assign the permissions on the Computers OU, add this group to the local administrators group on computers via GPO).

Active Directory Organizational Unit hierarchy for branch office

Here is a basic version of this PowerShell script with comments. The CreateBranchOUs.ps1 script code is available on my GitHub repo:

#Create Active Directory OU structure, security groups and assign permissions for a new branch office
# Set the container name
$Country="DE"
$City = "HH"
$CityFull="Hamburg"
$DomainDN=(Get-ADDomain).DistinguishedName
$ParentOU= "OU="+$Country+",$DomainDN"
$OUs = @(
"Admins",
"Computers",
"Contacts",
"Groups",
"Servers",
"Service Accounts",
"Users"
)
# Create an OU for a new branch office
$newOU=New-ADOrganizationalUnit -Name $CityFull -path $ParentOU –Description “A container for $CityFull users” -PassThru
ForEach ($OU In $OUs) {
New-ADOrganizationalUnit -Name $OU -Path $newOU
}
#Create administrative groups
$adm_grp=New-ADGroup ($City+ "_admins") -path ("OU=Admins,OU="+$CityFull+","+$ParentOU) -GroupScope Global -PassThru –Verbose
$adm_wks=New-ADGroup ($City+ "_account_managers") -path ("OU=Admins,OU="+$CityFull+","+$ParentOU) -GroupScope Global -PassThru –Verbose
$adm_account=New-ADGroup ($City+ "_wks_admins") -path ("OU=Admins,OU="+$CityFull+","+$ParentOU) -GroupScope Global -PassThru –Verbose
##### An example of assigning password reset permissions for the _account_managers group on the Users OU
$confADRight = "ExtendedRight"
$confDelegatedObjectType = "bf967aba-0de6-11d0-a285-00aa003049e2" # User Object Type GUID
$confExtendedRight = "00299570-246d-11d0-a768-00aa006e0529" # Extended Right PasswordReset GUID
$acl=get-acl ("AD:OU=Users,OU="+$CityFull+","+$ParentOU)
$adm_accountSID = [System.Security.Principal.SecurityIdentifier]$adm_account.SID
#Build an Access Control Entry (ACE)string
$aceIdentity = [System.Security.Principal.IdentityReference] $adm_accountSID
$aceADRight = [System.DirectoryServices.ActiveDirectoryRights] $confADRight
$aceType = [System.Security.AccessControl.AccessControlType] "Allow"
$aceInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceIdentity, $aceADRight, $aceType, $confExtendedRight, $aceInheritanceType,$confDelegatedObjectType)
# Apply ACL
$acl.AddAccessRule($ace)
Set-Acl -Path ("AD:OU=Users,OU="+$CityFull+","+$ParentOU) -AclObject $acl

Set the variables at the beginning of the script and run it (don’t forget to check your current PowerShell execution policy settings). The script will create an OU structure and groups you need, and delegate password reset permissions to the Users OU.

Create nested OUs, groups and assign AD permissions with PowerShell script

To assign AD privileges, use the Set-ACL cmdlet, which also allows you to assign NTFS permissions on files and folders.

You can extend the script by adding typical operations that you perform when creating an OU for a new branch office.

For example, you can create Group Policies Objects (GPOs) using PowerShell and link them to the OUs:

$wksGPO=New-GPO -Name ($City +"_WKS_Policy") -Comment "$City Workstations Policy"
Get-GPO $wksGPO | New-GPLink -Target ("OU=Computers,OU="+$City+","+$ParentOU) -LinkEnabled Yes

0 comment
3
Facebook Twitter Google + Pinterest
Active DirectoryPowerShellWindows Server 2019
previous post
Windows Security Won’t Open or Shows a Blank Screen on Windows 10/ 11
next post
How to Share a Folder (Printer) over the Network on Windows 11/10

Related Reading

How to Find the Source of Account Lockouts...

March 12, 2024

Configuring Windows Firewall Rules Using Group Policy

March 15, 2024

Copy Files and Folders to User Computers via...

March 15, 2024

Configure Windows LAPS (Local Administrator Passwords Solution) in...

March 15, 2024

How to Disable NTLM Authentication in Windows Domain

March 16, 2024

Updating Group Policy Administrative Templates (ADMX)

January 24, 2025

How to Install the PowerShell Active Directory Module...

March 15, 2024

Display System Info on Desktop with BGInfo

February 6, 2025

Leave a Comment Cancel Reply

join us telegram channel https://t.me/woshub
Join WindowsHub Telegram channel to get the latest updates!

Recent Posts

  • Map a Network Drive over SSH (SSHFS) in Windows

    May 13, 2025
  • Configure NTP Time Source for Active Directory Domain

    May 6, 2025
  • Cannot Install Network Adapter Drivers on Windows Server

    April 29, 2025
  • Change BIOS from Legacy to UEFI without Reinstalling Windows

    April 21, 2025
  • How to Prefer IPv4 over IPv6 in Windows Networks

    April 9, 2025
  • Load Drivers from WinPE or Recovery CMD

    March 26, 2025
  • How to Block Common (Weak) Passwords in Active Directory

    March 25, 2025
  • Fix: The referenced assembly could not be found error (0x80073701) on Windows

    March 17, 2025
  • Exclude a Specific User or Computer from Group Policy

    March 12, 2025
  • AD Domain Join: Computer Account Re-use Blocked

    March 11, 2025

Follow us

  • Facebook
  • Twitter
  • Telegram
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • Allow Non-admin Users RDP Access to Windows Server
  • How to Find the Source of Account Lockouts in Active Directory
  • How to Disable or Enable USB Drives in Windows using Group Policy
  • Get-ADComputer: Find Computer Properties in Active Directory with PowerShell
  • Configuring Proxy Settings on Windows Using Group Policy Preferences
Footer Logo

@2014 - 2024 - Windows OS Hub. All about operating systems for sysadmins


Back To Top