News
Faster Speeds: Bandwidth for vStack Servers in Kazakhstan Increased to 200 Mbps
OL
July 1 2021
Updated June 27 2025

How to Manage Organizational Units (OUs) in Active Directory – Create, Delete, and Modify OUs

AD Windows

An Organizational Unit (OU) is a fundamental container within Active Directory (AD) that organizes and holds objects such as user accounts, computers, groups, and other OUs. Acting like a folder within the directory, OUs help administrators logically structure and manage resources in a scalable and hierarchical way. Management of OUs is restricted to domain administrators or users who have been granted delegated permissions for specific OUs, ensuring controlled and secure administration. Additionally, OUs support nesting, allowing you to create complex hierarchies that reflect your organization's structure. One of the key advantages of using OUs is the ability to link Group Policy Objects (GPOs) directly to them, enabling centralized management of security settings, software deployment, and other configurations tailored to the OU’s contents.

Creating an Organizational Unit

OUs are created via Active Directory Administrative Center (ADAC), Active Directory Users and Computers (ADUC), command prompt and PowerShell.

Creating OU with ADAC

Lets create an OU via ADAC:

Run the dsac.exe. Switch to tree view and expand your domain or OU where you want to place your new one. Right-click an OU or Domain, select New..., and after that select Organizational Unit.

Creating OU with ADAC | Serverspace

The Create Organizational Unit window appears:

Create Organizational Unit | Serverspace

Enter a unique name for the OU and click OK.

Creating OU with the Command Line

To create an OU via cmd, run dsadd.exe with the following parameters:

dsadd.exe ou "OU=testorg,DC=office,DC=local" -desc "TestOU"

This will create a TestOU in the domain with description “TestOU”.

Creating OU with PowerShell

New-ADOrganizationalUnit cmdlet can help us to accomplish the creation task. Run PowerShell as Administrator and type the following:

Import-Module ActiveDirectory
New-ADOrganizationalUnit "TestOU" -Description "TestOU"

This will create a TestOU in the domain with description “TestOU”.

Deleting an Organizational Unit

OUs cannot be deleted easily; they are protected from accidental deletion by default. In order to delete an Organizational Unit, we need to uncheck the Protected from Accidental Deletion checkbox from the OU's properties.

Deleting OU with ADAC

Open the Active Directory Administrative Center (dsac.exe).

Switch to tree view, expand your domain and find the OU you want to delete. Rightclick the OU and then Delete.

The Delete Confirmation window appears:

Delete Confirmation window appears

Click Yes to confirm. If the OU contains child objects, click Yes again.

Deleting OU with Using the Command Line

To delete an OU using a command prompt we need to use dsrm.exe tool in cmd run as an administrator with the following syntax:

dsrm.exe "OU=TestOU,DC=office,DC=local" -subtree

This will completely remove an OU with any existing sub-OUs.

Deleting OU with Windows PowerShell

In order to delete an OU we need to use the New-ADOrganizationalUnit PowerShell cmdlet:

Import-Module ActiveDirectory
Remove-ADObject -Identity "OU=TestOU,DC=office,DC=local" -Recursive -Confirm:$False

This will completely remove the TestOU OU with any existing sub-OUs.

Modifying an Organizational Unit

Sometimes you need to modify and OU so here is explanation to do those three different ways.

Modifying an OU with the Active Directory Administrative Center

Open the Active Directory Administrative Center (dsac.exe). Switch to tree view and find the OU that you need to modify.

Rightclick it and select “Properties:” in the appeared window you can change OU settings such as description or manager.

Uncheck the Protected from Accidental Deletion setting and click OK.

Protected from Accidental Deletion | Serverspace

Modifying OU with the Command Line

In order to modify an OU, you need to use dsmod.exe in cmd as administrator. But in this case, you can modify only description.

dsmod.exe ou "OU=TestOU,DC=office,DC=local" -desc "New description"

Here we assign “New description” to the TestOU.

Modifying OU with the Windows PowerShell

The Set-ADOrganizationalUnit PowerShell cmdlet is what we will use to change the OU. It is very powerful unlike dsmod.exe. You can easily change lots of OU’s parameters such as DistinguishedName, LinkedGroupPolicyObjects or ManagedBy. Here is the example of how to change ManagedBy parameter in an OU:

Import-Module ActiveDirectory
Set-ADOrganizationalUnit -Identity "OU=TestOU,DC=office,DC=local" -ManagedBy "CN=User,CN=Users,DC=office,DC=local"

Conclusion

Organizational Units (OUs) play a vital role in structuring and managing Active Directory environments efficiently. They allow administrators to logically group users, computers, and other resources, simplifying delegation of permissions and application of Group Policy Objects (GPOs). Whether you use the Active Directory Administrative Center, command-line tools, or PowerShell, managing OUs—creating, modifying, or deleting them—is essential for maintaining a secure and well-organized domain infrastructure. Proper OU management ensures streamlined administration, better security control, and improved scalability as your organization grows.

FAQ

  • Q: What is an Organizational Unit (OU) in Active Directory?
    A: An OU is a container within Active Directory used to organize and manage objects such as users, groups, and computers in a hierarchical way.
  • Q: Who can manage Organizational Units?
    A: By default, domain administrators have full control over OUs. Management can also be delegated to other users or groups with specific permissions.
  • Q: Can Organizational Units be nested?
    A: Yes, OUs can be nested inside other OUs to create a hierarchical structure that reflects an organization’s setup.
  • Q: How do I prevent accidental deletion of an OU?
    A: By default, OUs are protected from accidental deletion via a security setting that can be enabled or disabled in the OU’s properties.
  • Q: What tools can I use to create or modify OUs?
    A: You can manage OUs using the Active Directory Administrative Center (ADAC), Active Directory Users and Computers (ADUC), command-line utilities like dsadd, dsmod, dsrm, or PowerShell cmdlets such as New-ADOrganizationalUnit, Set-ADOrganizationalUnit, and Remove-ADObject.
  • Q: Can Group Policy Objects (GPOs) be linked to OUs?
    A: Yes, GPOs are commonly linked to OUs to apply policies and configurations to all objects within that OU.
  • Q: What happens if I delete an OU that contains objects?
    A: Deleting an OU with child objects will remove all contained objects unless you have specified otherwise. You will be prompted to confirm this action.
Vote:
5 out of 5
Аverage rating : 5
Rated by: 1
1101 CT Amsterdam The Netherlands, Herikerbergweg 292
+31 20 262-58-98
700 300
ITGLOBAL.COM NL
700 300

You might also like...

We use cookies to make your experience on the Serverspace better. By continuing to browse our website, you agree to our
Use of Cookies and Privacy Policy.