Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Active Directory / Create Organizational Units (OU) Structure in Active Directory with PowerShell

May 17, 2022 Active DirectoryPowerShellWindows Server 2019

Create Organizational Units (OU) Structure in Active Directory with PowerShell

Quite often when creating new Organizational Units (OUs), an Active Directory administrator has to create a structure of nested containers inside a new OU. For example, when a company opens a new branch office, you need to create AD containers for users, groups, servers, and service accounts in the new OU. To avoid manually creating nested OUs and assigning permissions in the ADUC snap-in (dsa.msc), you can use the PowerShell script from this article to create and configure nested OUs in bulk. The script not only creates new organizational units but also creates administrative security groups and grants them permission to new OUs.

To create a new OU in Active Directory, use the New-ADOrganizationalUnit cmdlet from the RSAT-AD-PowerShell module. To create an OU in the specified container, you can use the command below:

Import-Module ActiveDirectory
New-ADOrganizationalUnit -Name "Users" -Path "OU=Berlin,OU=DE,DC=woshub,DC=com" –Description "Account container for Berlin users" -PassThru

If you do not specify the -Path parameter, a new OU will be created in the AD root.

By default, when creating AD containers, the ProtectedFromAccidentalDeletion option is enabled for them. You can disable it or change any other Organizational Unit attribute in Active Directory using the Set-ADOrganizationalUnit cmdlet:

Get-ADOrganizationalUnit -Identity “OU=Users,OU=Berlin,OU=DE,DC=woshub,DC=com”| Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false

To remove an OU with all nested objects, use the following command:

Remove-ADObject -Identity "OU=Users,OU=Berlin,OU=DE,DC=woshub,DC=com” -Recursive

Let’s look at a small PowerShell script to automatically create a typical OU structure in Active Directory for a new company branch office.

Suppose your company has a separate OU for each of its branches with the following structure of nested containers:

Country
-City_name
--Admins
--Computers
--Contacts
--Groups
--Servers
--Service Accounts
--Users

After creating an OU structure, you need to create branch administrator groups in AD and delegate them privileges on the new OUs:

  • City_admins – branch administrators (full control over all branch OUs);
  • City_account_managers – users with account operator privileges (create new users, AD password reset, etc.). Assign permissions only to Users and Service Accounts OUs;
  • City_wks_admins – HelpDesk Support team with administrator privileges on the branch computers (assign the permissions on the Computers OU, add this group to local administrators group on computers via GPO).

Active Directory Organizational Unit hierarchy for branch office

Here is a basic version of this PowerShell script with comments. The CreateBranchOUs.ps1 script code is available on my GitHub repo:

#Create Active Directory OU structure, security groups and assign permissions for a new branch office
# Set the container name
$Country="DE"
$City = "HH"
$CityFull="Hamburg"
$DomainDN=(Get-ADDomain).DistinguishedName
$ParentOU= "OU="+$Country+",$DomainDN"
$OUs = @(
"Admins",
"Computers",
"Contacts",
"Groups",
"Servers",
"Service Accounts",
"Users"
)
# Create an OU for a new branch office
$newOU=New-ADOrganizationalUnit -Name $CityFull -path $ParentOU –Description “A container for $CityFull users” -PassThru
ForEach ($OU In $OUs) {
New-ADOrganizationalUnit -Name $OU -Path $newOU
}
#Create administrative groups
$adm_grp=New-ADGroup ($City+ "_admins") -path ("OU=Admins,OU="+$CityFull+","+$ParentOU) -GroupScope Global -PassThru –Verbose
$adm_wks=New-ADGroup ($City+ "_account_managers") -path ("OU=Admins,OU="+$CityFull+","+$ParentOU) -GroupScope Global -PassThru –Verbose
$adm_account=New-ADGroup ($City+ "_wks_admins") -path ("OU=Admins,OU="+$CityFull+","+$ParentOU) -GroupScope Global -PassThru –Verbose
##### An example of assigning password reset permissions for the _account_managers group on the Users OU
$confADRight = "ExtendedRight"
$confDelegatedObjectType = "bf967aba-0de6-11d0-a285-00aa003049e2" # User Object Type GUID
$confExtendedRight = "00299570-246d-11d0-a768-00aa006e0529" # Extended Right PasswordReset GUID
$acl=get-acl ("AD:OU=Users,OU="+$CityFull+","+$ParentOU)
$adm_accountSID = [System.Security.Principal.SecurityIdentifier]$adm_account.SID
#Build an Access Control Entry (ACE)string
$aceIdentity = [System.Security.Principal.IdentityReference] $adm_accountSID
$aceADRight = [System.DirectoryServices.ActiveDirectoryRights] $confADRight
$aceType = [System.Security.AccessControl.AccessControlType] "Allow"
$aceInheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "Descendents"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($aceIdentity, $aceADRight, $aceType, $confExtendedRight, $aceInheritanceType,$confDelegatedObjectType)
# Apply ACL
$acl.AddAccessRule($ace)
Set-Acl -Path ("AD:OU=Users,OU="+$CityFull+","+$ParentOU) -AclObject $acl

Set the variables at the beginning of the script and run it (don’t forget to check your current PowerShell execution policy settings). The script will create an OU structure and groups you need, and delegate password reset permissions to the Users OU.

Create nested OUs, groups and assign AD permissions with PowerShell script

To assign AD privileges, use the Set-ACL cmdlet, which also allows you to assign NTFS permissions on files and folders.

You can extend the script by adding typical operations that you perform when creating an OU for a new branch office.

For example, you can create Group Policies Objects (GPOs) using PowerShell and link them to the OUs:

$wksGPO=New-GPO -Name ($City + “_WKS_Policy”) -Comment "$City Workstations Policy"
Get-GPO $wksGPO | New-GPLink -Target ("OU=Computers,OU="+$City+","+$ParentOU) -LinkEnabled Yes

0 comment
2
Facebook Twitter Google + Pinterest
previous post
Windows Security Won’t Open or Shows a Blank Screen on Windows 10/ 11
next post
How to Share Files and Printers in Windows 10 and 11?

Related Reading

Configure User’s Folder Redirection with Group Policy

February 3, 2023

Join a Windows Computer to an Active Directory...

February 2, 2023

Using Previous Command History in PowerShell Console

January 31, 2023

How to Install the PowerShell Active Directory Module...

January 31, 2023

Finding Duplicate E-mail (SMTP) Addresses in Exchange

January 27, 2023

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configure User’s Folder Redirection with Group Policy

    February 3, 2023
  • Using Previous Command History in PowerShell Console

    January 31, 2023
  • How to Install the PowerShell Active Directory Module and Manage AD?

    January 31, 2023
  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • How to Find the Source of Account Lockouts in Active Directory?
  • Get-ADComputer: Find Computer Properties in Active Directory with PowerShell
  • How to Disable or Enable USB Drives in Windows using Group Policy?
  • Configuring Proxy Settings on Windows Using Group Policy Preferences
  • How to Automatically Fill the Computer Description in Active Directory?
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top