
How do I add a user to my organizational unit in Windows Server?

Published in Active Directory User Management

Adding a user to an Organizational Unit (OU) in Windows Server can refer to two distinct actions: either placing a user account within the OU structure or granting a user specific permissions over the OU itself. Both are crucial aspects of Active Directory management.

Creating a New User or Moving an Existing User into an OU

This is the most common interpretation of "adding a user to an OU"—it means making the user account a direct member of that organizational unit. This helps in organizing users logically and applying Group Policy settings efficiently.

Creating a New User Account in an OU

To create a brand new user account directly within a specific OU, you typically use the Active Directory Users and Computers (ADUC) console.

Steps to Create a New User:

  1. Open Active Directory Users and Computers:
    • Press Win + R, type dsa.msc, and press Enter.
    • Alternatively, go to Server Manager > Tools > Active Directory Users and Computers.
  2. Navigate to the Desired OU: In the left-hand pane, expand your domain and browse to the specific Organizational Unit where you want to create the new user. For example, yourdomain.com/Departments/Sales.
  3. Initiate User Creation:
    • Right-click on the target OU.
    • Select New > User.
  4. Fill in User Information:
    • Enter the user's First name, Last name, Full name, and User logon name. The "User logon name" is the username the user will use to log in (e.g., jsmith).
    • Click Next.
  5. Set Password and Options:
    • Enter and confirm a Password.
    • Select appropriate password options, such as:
      • User must change password at next logon (recommended for new users).
      • User cannot change password.
      • Password never expires.
      • Account is disabled.
    • Click Next and then Finish.

Example:

To create a new user named "Jane Doe" with a logon name "jdoe" in the Sales OU within yourdomain.com:

  • Open ADUC.
  • Navigate to yourdomain.com > Departments > Sales.
  • Right-click Sales, select New > User.
  • Enter: First name: Jane, Last name: Doe, Full name: Jane Doe, User logon name: jdoe.
  • Set a password and complete the wizard.

Moving an Existing User Account to an OU

If a user account already exists in Active Directory but is located in a different OU or the default Users container, you can easily move it to the desired OU.

Steps to Move an Existing User:

  1. Open Active Directory Users and Computers:
    • Press Win + R, type dsa.msc, and press Enter.
  2. Locate the User Account: Navigate to the current location of the user account you wish to move. This could be another OU or the default Users container.
  3. Initiate the Move:
    • Right-click on the user account.
    • Select Move...
  4. Select Target OU: In the "Move" dialog box, browse and select the destination OU where you want to place the user account.
  5. Confirm: Click OK.

Example:

To move the user "John Smith" from the IT OU to the Marketing OU:

  • Open ADUC.
  • Navigate to yourdomain.com > Departments > IT.
  • Right-click on John Smith.
  • Select Move...
  • Browse to and select yourdomain.com > Departments > Marketing.
  • Click OK.

Granting Users Permissions (Delegated Control) on an OU

Beyond simply placing a user object within an OU, "adding a user to an OU" can also mean granting specific administrative permissions to a user or group over that OU. This is commonly known as delegation and allows certain users (e.g., department managers) to manage specific aspects of their OU without granting them full domain administrator rights.

To manage permissions on an OU, you use its Properties window, specifically the "Security" tab.

Steps to Grant Permissions on an OU:

  1. Open Active Directory Users and Computers:
    • Press Win + R, type dsa.msc, and press Enter.
  2. Enable Advanced Features: ADUC hides the "Security" tab of an object's Properties window until advanced features are turned on.
    • In ADUC, go to View > Advanced Features.
  3. Locate the Target OU: Navigate to the Organizational Unit where you want to grant permissions (e.g., yourdomain.com/Departments/HR).
  4. Open OU Properties:
    • Right-click on the target OU.
    • Select Properties.
  5. Access the Security Tab: In the Properties window, go to the "Security" tab.
  6. Add Users or Groups: Click "Add..." to select the users or groups you want to grant permissions to.
    • In the "Select Users, Computers, Service Accounts, or Groups" dialog, type the name of the user or group and click "Check Names" to verify.
    • Click "OK".
  7. Assign Permissions: Once the user or group is added to the Security tab, you can assign standard permissions directly. For more granular control, click on "Advanced" to open the Advanced Security Settings window.
  8. Configure Advanced Permissions (if needed):
    • In the "Advanced Security Settings" window, select the user/group and click "Edit" to define specific permissions.
    • You can choose to apply permissions to "This object only," "This object and all descendant objects," or other granular options.
    • Grant specific permissions such as "Create User objects," "Delete User objects," "Reset Password," etc.
    • Click "OK" on all open dialogs to save changes.

Example: Delegating Password Reset Permissions

Let's say you want to allow a "Helpdesk Group" to reset user passwords only within the Sales OU.

  • Open ADUC with Advanced Features enabled.
  • Right-click on the Sales OU, select Properties, then go to the Security tab.
  • Click Add..., find and add the Helpdesk Group.
  • With Helpdesk Group selected, click Advanced.
  • Click Add... (or Edit if Helpdesk Group is already listed) to add an entry for Helpdesk Group.
  • Set Type: Allow.
  • Set Applies to: This object and all descendant User objects.
  • Scroll down and select the permission Reset password.
  • Click OK until all windows are closed.

Common Delegation Scenarios

Delegating control over OUs is a powerful way to distribute administrative tasks. Here are some common scenarios:

  • User Account Management
    Description: Allow a manager to create, delete, and modify user accounts within their department's OU.
    Key permissions to grant: Create User objects, Delete User objects, Full Control (on User objects), Read and Write all properties
  • Password Resets
    Description: Enable helpdesk staff to reset passwords for users in specific OUs.
    Key permissions to grant: Reset password
  • Group Membership Management
    Description: Grant a department head the ability to add/remove users from security groups within their OU.
    Key permissions to grant: Read and Write Group Membership
  • Printer Management
    Description: Allow a user to manage printers associated with an OU.
    Key permissions to grant: Create Printer objects, Delete Printer objects, Full Control (on Printer objects)
  • Read All User Information
    Description: Permit HR staff to view all user properties within a specific OU for auditing or reporting.
    Key permissions to grant: Read all properties (on User objects)

For more detailed information on delegating control in Active Directory, refer to Microsoft Learn: Delegate administrative control to Active Directory OUs.

PowerShell Alternatives for User Management

For automating tasks or managing users at scale, PowerShell provides powerful cmdlets.

  • To create a new user in an OU:
    New-ADUser -Name "Alice Smith" -GivenName "Alice" -Surname "Smith" -SamAccountName "asmith" -Path "OU=Sales,OU=Departments,DC=yourdomain,DC=com" -AccountPassword (Read-Host -AsSecureString "Set password for asmith") -Enabled $true
  • To move an existing user to an OU:
    Move-ADObject -Identity "CN=John Smith,OU=IT,OU=Departments,DC=yourdomain,DC=com" -TargetPath "OU=Marketing,OU=Departments,DC=yourdomain,DC=com"
  • To add permissions (delegate control) on an OU using PowerShell, you would typically use Add-ADPermission (a cmdlet of the Exchange Management Shell, not of the ActiveDirectory module) or manage the OU's ACL directly through the AD: drive with Get-Acl and Set-Acl, which is more complex and often done for advanced scripting.
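The password-reset delegation from the example above, done through the OU's ACL as the last bullet describes. This is an added example, not a script from the original article or from Microsoft; it assumes the RSAT ActiveDirectory module in a session with rights to change the OU's security descriptor, and reuses the article's placeholder OU path and "Helpdesk Group" name. After granting the right it lists the ACEs set directly on the OU so the delegation can be reviewed.

```powershell
# Added example (not from the original article): delegate "Reset password" on the Sales OU
# to the Helpdesk Group, then list the explicit (non-inherited) ACEs on the OU for review.
# Assumes the RSAT ActiveDirectory module and rights to modify the OU's security descriptor.
Import-Module ActiveDirectory

$ouDN      = "OU=Sales,OU=Departments,DC=yourdomain,DC=com"   # placeholder OU from the article
$groupName = "Helpdesk Group"                                 # placeholder group from the article

# Resolve the two GUIDs from the directory instead of hard-coding them:
# the "Reset Password" control access right and the schema GUID of the user class.
$rootDse    = Get-ADRootDSE
$resetRight = Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
    -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=Reset Password))" `
    -Properties rightsGuid
$userClass  = Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))" `
    -Properties schemaIDGUID

$resetGuid     = [guid]$resetRight.rightsGuid        # rightsGuid is stored as a string
$userClassGuid = [guid]$userClass.schemaIDGUID       # schemaIDGUID is stored as bytes
$groupSid      = (Get-ADGroup -Identity $groupName).SID

# Build the ACE: Allow the group the Reset Password extended right on descendant User
# objects only ("Descendant User objects" in the ADUC dialog), not on the OU itself and
# not on other object types under it. This keeps the grant as narrow as the task needs.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

# Read the OU's current security descriptor through the AD: drive, add the rule, write it back.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Review step: delegated rights live in the ACEs set directly on the OU. Listing only the
# non-inherited entries shows exactly what has been delegated here and to whom.
Get-Acl -Path "AD:\$ouDN" |
    Select-Object -ExpandProperty Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

In the review output, the new entry appears with ActiveDirectoryRights "ExtendedRight", ObjectType equal to the Reset Password GUID and InheritedObjectType equal to the user class GUID; any other non-inherited entry on the OU is an existing delegation worth accounting for.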

Best Practices for OU and User Management

  • Logical Structure: Design your OU structure to reflect your organizational hierarchy or administrative delegation model.
  • Group Policy Application: OU structure is fundamental for applying Group Policies effectively. Keep users and computers that require similar policies in the same OU.
  • Security Principle: Follow the principle of least privilege. Grant only the necessary permissions to users or groups, especially when delegating control over OUs.
  • Documentation: Maintain clear documentation of your OU structure, delegation model, and Group Policy links.
  • Testing: Always test changes in a non-production environment before implementing them across your Active Directory.

By understanding both direct user placement and permission delegation, you can efficiently manage your Windows Server environment and secure your Active Directory.