How are your OUs configured?

Do your OUs reflect your company structure?

Best Practice (Litmus Test)

Professionals: Plan to create lots of Organizational Units

Amateurs: Create all new objects in the Users folder

Organisational Units

Windows Active Directory features Organizational Units (OUs); the benefit of OUs is that they allow you to classify users by department or site.  There are two advantages of this arrangement: you can delegate control within units, and you can link a different Group Policy to each OU.

If you do not create OUs, all your users will be born in the default Users container.  That container is not an OU: you cannot link a Group Policy to it (GPOs link only to sites, domains and OUs), nor delegate it by department, so you lose a valuable chance to categorize people by department or site. 

Planning Organizational Units is a major job.  Firstly, do you create the top level based on geographic location, or on company department?  Also bear in mind that OUs are the main vehicle for Group Policy; my point is that you may want different Group Policies for different users.  So take care designing your OU structure.


Delegation is an item that has been high on administrators' wish lists for many years.  The problem in NT 4.0 was that if you wanted help desk staff to be able to change users' passwords, you had to make them members of the Account Operators group.  There was no halfway house: they either had full rights over the users or none at all.

With Windows Server 2003 you can achieve fine control through delegation.  For example, IT help desk staff can reset passwords in the Sales OU, and Human Resources can be delegated the right to create new users in the Manufacturing OU.  Neither group would be allowed to view the audit logs or reset the administrator's password.

To configure, go to Active Directory Users and Computers \ <domain> \ organisational unit \ right-click \ Delegate Control. 

See more on delegating control in Active Directory.
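The Delegate Control wizard writes ACEs onto the OU, and it only ever adds; it never shows you what is already there.  The following PowerShell, added here as an example and not part of the original article, performs the same "help desk may reset passwords in the Sales OU" delegation from the shell and then reads the ACL back so you can confirm that exactly those rights landed.  It assumes the RSAT ActiveDirectory module, an existing OU named Sales at the top of the domain, and an existing group named HelpDesk; all three names are assumptions, so change them for your domain.

```powershell
# Added example (not from the original article): delegate "Reset Password" on the
# Sales OU to the HelpDesk group, then verify the resulting ACEs.
# Assumptions: RSAT ActiveDirectory module, OU=Sales and group HelpDesk exist,
# and the caller may modify the OU's ACL.
Import-Module ActiveDirectory

$rootDSE = Get-ADRootDSE
$ouDN    = "OU=Sales,$($rootDSE.defaultNamingContext)"   # assumed OU
$group   = Get-ADGroup -Identity "HelpDesk"               # assumed group
$sid     = [System.Security.Principal.SecurityIdentifier] $group.SID

# Look the GUIDs up in the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID is stored as a byte array; convert it to a Guid.
    $obj = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [Guid] $obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    # Control access rights live under CN=Extended-Rights in the configuration partition.
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDSE.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [Guid] $obj.rightsGuid
}

$resetPasswordGuid = Get-ExtendedRightGuid "Reset Password"
$pwdLastSetGuid    = Get-SchemaGuid "pwdLastSet"
$userClassGuid     = Get-SchemaGuid "user"   # scope the grant to user objects only

function Add-ScopedAce($Acl, $Identity, $Rights, [Guid]$ObjectGuid, [Guid]$InheritedClassGuid) {
    # Descendents + class GUID: the ACE applies to user objects below the OU,
    # not to the OU itself and not to computers or groups that share it.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $InheritedClassGuid)
    $Acl.AddAccessRule($ace)
}

$acl = Get-Acl -Path "AD:\$ouDN"
# ACE 1: the Reset Password control access right on descendant users.
Add-ScopedAce $acl $sid "ExtendedRight" $resetPasswordGuid $userClassGuid
# ACE 2: write pwdLastSet, so the help desk can tick "must change password at next logon".
Add-ScopedAce $acl $sid "WriteProperty" $pwdLastSetGuid $userClassGuid
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list every ACE the group holds on this OU. Expect the two scoped
# entries above and nothing broader (no GenericAll, WriteDacl or WriteOwner).
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\HelpDesk" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind.  The grant covers every user object that sits under the OU, now or later, so the administrator accounts stay safe only because they are not in the Sales OU; keep privileged accounts out of delegated OUs.  Members of protected groups such as Domain Admins are additionally shielded by AdminSDHolder, which periodically rewrites their ACL and disables inheritance, so a delegation on an OU never reaches them.  Re-run the verification block after every use of the wizard, because delegations accumulate silently.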

Guy Recommends:  SolarWinds’ Free Bulk Import Tool

Import users from a spreadsheet.  Just provide a list of the users with their fields in the top row, and save as .csv file.  Then launch this FREE utility and match your fields with AD’s attributes, click and import the users.

Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool.

If you need more comprehensive software, download a free trial of SAM (Server & Application Monitor)

Using VBScript to Create OUs

Please would you inspect Active Directory Users and Computers and confirm that there is no tiny book symbol on your Users folder.  My point is that Users is a container object, referenced by CN=Users, not an OU referred to by: OU=Users.

Meanwhile, back to the main goal, creating a top level OU with VBscript.


  1. Important: Which OU will you create?  My script will generate OU=Accounts.  If you prefer a different OU name, then change line 10 in your script.
  2. Copy and paste the script below into notepad.
  3. Save the file with .vbs extension e.g. Accounts.vbs.
  4. Double click and examine the message boxes.
  5. Open Up your Active Directory Users and Computers and inspect the OUs.

' VBscript to create an OU (Organizational Unit)
' Note two steps to set domain
' Author Guy Thomas
' Version 1.3 – September 2010
' -----------------------------------------------'
Option Explicit
Dim objRoot, objDomain, objOU
Dim strContainer

strContainer ="OU=Accounts"

' Section to bind to YOUR Active Directory.
Set objRoot = GetObject("LDAP://rootDSE")
objDomain = objRoot.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & objDomain)

' Section to create the OU defined by strContainer
' Also note the use of: .SetInfo, which commits the new object
' to Active Directory. Without SetInfo nothing is written.

'On Error Resume next
Set objOU = objDomain.Create("organizationalUnit", strContainer)
objOU.SetInfo

WScript.Echo "New Top Level OU created = " & strContainer

Learning Points – Binding to Active Directory

Building on this theme of mastering VBScript commands, I would like to draw your attention to a section of the script.  What we see here is how VBScript binds to Active Directory.  There has to be a logical connection or binding before we can manipulate existing objects, or as here, create a new OU.


' Section to bind to YOUR Active Directory.
Set objRoot = GetObject("LDAP://rootDSE")
objDomain = objRoot.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & objDomain)

Note 1:  GetObject() retrieves an existing object; later in the full script we make the OU with the container's sister method .Create(), and then commit it with .SetInfo.  (This is not VBScript's CreateObject(), which creates COM objects rather than directory objects.)

Note 2:  The ‘Set’ Command points the objRoot variable to the base of the LDAP name.  Think of rootDSE as tunnelling down into the heart of Active Directory and returning with information.  In this instance, naming information.

Note 3:  DefaultNamingContext is a wonderful attribute because I do not have to know your domain; the script retrieves the distinguished name automatically, for example dc=cp, dc=mosel.  (DC = Domain Component, not Domain Controller.)  The alternative would be to ‘hard code’ my domain name, then ask you to search and replace with your domain.  What a waste of time when I can use DefaultNamingContext.

Note 4:  You may see other people’s scripts, which Set ObjDomain with one line instead of two.  My way just helps us understand the stages of binding to Active Directory.
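For comparison, here is the same job in PowerShell, added here as an example rather than taken from the original article.  It binds the same way the VBScript does, by asking rootDSE for defaultNamingContext instead of hard-coding the domain, creates the top-level OU, and then goes one step further than the script by building department OUs underneath it (the department names are assumptions), since those child OUs are where per-department Group Policy and delegation will attach.  It also handles the case the VBScript does not: running it twice must not fail because the OU already exists.  It assumes the RSAT ActiveDirectory module and rights to create OUs.

```powershell
# Added example (not from the original article): PowerShell equivalent of the
# VBScript, extended to an idempotent top-level OU plus department child OUs.
# Assumptions: RSAT ActiveDirectory module; department names are illustrative.
Import-Module ActiveDirectory

# Same binding idea as the VBScript: rootDSE -> defaultNamingContext gives the
# domain's distinguished name, e.g. DC=cp,DC=mosel, without hard-coding it.
$domainDN    = (Get-ADRootDSE).defaultNamingContext
$topOU       = "Accounts"
$departments = @("Sales", "Manufacturing", "Human Resources")   # assumed names

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDN)
    $dn = "OU=$Name,$ParentDN"
    # Idempotent: look before creating, so a second run does not die on
    # "the object already exists".
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" `
        -SearchBase $ParentDN -SearchScope OneLevel
    if ($existing) {
        Write-Host "Exists:  $dn"
        return $existing
    }
    # New-ADOrganizationalUnit protects from accidental deletion by default;
    # stated explicitly so nobody removes it without noticing.
    $ou = New-ADOrganizationalUnit -Name $Name -Path $ParentDN `
        -ProtectedFromAccidentalDeletion $true -PassThru
    Write-Host "Created: $dn"
    return $ou
}

$top = New-OUIfMissing -Name $topOU -ParentDN $domainDN
foreach ($dept in $departments) {
    New-OUIfMissing -Name $dept -ParentDN $top.DistinguishedName | Out-Null
}

# Step 5 of the procedure, from the shell instead of the GUI: list the new tree
# and confirm these are OU= objects (not CN= containers) and are protected.
Get-ADOrganizationalUnit -SearchBase $top.DistinguishedName -Filter * `
    -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion |
    Format-Table -AutoSize
```

The look-before-create check matters more than it looks: an OU creation script that fails halfway through leaves a partial tree, and the usual reaction, rerunning it, then fails on the first OU.  Checking for the object first makes the script safe to rerun until the whole tree exists.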

Litmus Tests

Guy’s Litmus test is a concept that you can apply anywhere.  Each test gives you an instant answer to the simple question: ‘Are you dealing with a professional, or are they an amateur?  Is this the real deal, or is it a turkey?’  The Litmus Test concept is rather like Best Practice, but it reduces a 27 page report to one sentence. 

Try another of my Litmus tests »
