Recipe 5.1 Creating an OU

5.1.1 Problem

You want to create an OU.

5.1.2 Solution

5.1.2.1 Using a graphical user interface
  1. Open the Active Directory Users and Computers (ADUC) snap-in.

  2. If you need to change domains, right-click on the Active Directory Users and Computers label in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, browse to the parent container of the new OU, right-click on it, and select New Organizational Unit.

  4. Enter the name of the OU and click OK.

  5. To enter a description for the new OU, right-click on the OU in the left pane and select Properties.

  6. Click OK after you are done.

5.1.2.2 Using a command-line interface
> dsadd ou "<OrgUnitDN>" -desc "<Description>"
5.1.2.3 Using VBScript
' This code creates an OU 
' ------ SCRIPT CONFIGURATION ------
strOrgUnit       = "<OUName>"      ' e.g. Tools
strOrgUnitParent = "<ParentDN>"    ' e.g. ou=Engineering,dc=rallencorp,dc=com
strOrgUnitDescr  = "<Description>" ' e.g. Tools Users
' ------ END CONFIGURATION ---------

set objDomain = GetObject("LDAP://" & strOrgUnitParent)
set objOU = objDomain.Create("organizationalUnit", "OU=" & strOrgUnit)
objOU.Put "description", strOrgUnitDescr
objOU.SetInfo
WScript.Echo "Successfully created " & objOU.Name

5.1.3 Discussion

OUs are used to structure data within Active Directory. Typically, there are four reasons why you would need to create an OU:

Segregate objects

It is common practice to group related data into an OU. For example, user objects and computer objects are typically stored in separate OUs (in fact, that is the default configuration with Active Directory). One reason for this is to make searching the directory easier.

Delegate administration

Perhaps the most often used reason for creating an OU is to delegate administration. With OUs you can give a person or group of people rights to do certain functions on objects within the OU.

Apply a GPO

An OU is the smallest unit that a GPO can be applied to. If you have different types of users within your organization that need to apply different GPOs, the easiest way to set that up is to store the users in different OUs and apply GPOs accordingly.

Controlling visibility of objects

You can use OUs as a way to restrict what users can see in the directory.

In each solution, the description attribute was set. It is not a mandatory attribute, but it is good practice to set it so that others browsing the directory have a general understanding of the purpose of the OU. Also, consider setting the managedBy attribute to reference a user or group that is the owner of the OU.

5.1.4 See Also

MS KB 308194 (HOW TO: How to Create Organizational Units in a Windows 2000 Domain)



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List