Create large number of OUs with set structure and delegation

Q. I need to create a large number of OUs with a set structure of child OUs with each OU delegated to different users. What is a good way of doing this?

A. PowerShell to the rescue. I've received a number of requests from people who need to create multiple OUs, each containing Users, Groups and Computers child OUs, and then want to delegate full control of each OU to different people. In the script below the following happens:

  1. I create an array of lab name/location pairs and a variable holding the parent OU under which all the new OUs will be created
  2. For each lab in the array, check whether the OU already exists
  3. If the lab OU does not exist, create it and then create Users, Groups and Servers child OUs inside it
  4. Create a group named "<lab name> Admins" in the Groups OU
  5. Grant the created group full control over its OU (inherited by everything beneath it)

The script is shown below.

Import-Module ActiveDirectory   # provides the New-AD* cmdlets and the AD: drive used below

$LABs = @(("LABATL","Atlanta"),("LABBOS","Boston"),("LABCHI","Chicago"),("LABDAL","Dallas"),("LABDET","Detroit"),("LABIRV","Irvine"),("LABLA","Los Angeles"),("LABMPLS","Minneapolis"),("LABNY","New York"),("LABPHL","Philadelphia"),("LABRES","Reston"),("LABSIVY","Silicon Valley"),("LABSTL","St. Louis"),("LABTOR","Toronto"))
$ParentOU = "OU=NA,DC=savilltech,DC=net"

foreach($LAB in $LABs)
{
    #Check if the lab OU already exists under the parent OU; if it does, skip it
    #(the check must use the same parent DN as the creation, otherwise it tests the wrong container)
    [string] $Path = "OU=$($LAB[0]),$ParentOU"
    if(![adsi]::Exists("LDAP://$Path"))
    {
        #Create the lab OU itself; the location is stored as its description
        $NewOU = New-ADOrganizationalUnit -Name $LAB[0] -Path $ParentOU `
            -Description $LAB[1] `
            -ProtectedFromAccidentalDeletion $false -PassThru

        #Create the child OUs for objects
        $OUUsers=New-ADOrganizationalUnit -Name "Users" -Path $NewOU.DistinguishedName `
            -Description "Users" `
            -ProtectedFromAccidentalDeletion $false -PassThru
        $OUGroups=New-ADOrganizationalUnit -Name "Groups" -Path $NewOU.DistinguishedName `
            -Description "Groups" `
            -ProtectedFromAccidentalDeletion $false -PassThru
        $OUServers=New-ADOrganizationalUnit -Name "Servers" -Path $NewOU.DistinguishedName `
            -Description "Servers" `
            -ProtectedFromAccidentalDeletion $false -PassThru

        #Create a delegated admins group for the OU, placed in its Groups child OU
        $AdminGroupName = "$($LAB[0]) Admins"
        $AdminGroup = New-ADGroup -Name $AdminGroupName -GroupCategory Security -GroupScope Global `
            -DisplayName $AdminGroupName -Path $OUGroups.DistinguishedName `
            -Description "Delegated Administrators for OU $($LAB[0])"  -PassThru

        #Grant the group full control on the OU; inheritance "All" applies the ACE to every descendant object
        $GrpSID = [System.Security.Principal.SecurityIdentifier] $AdminGroup.SID
        $OUacl = Get-ACL -Path "AD:\$($NewOU.DistinguishedName)"
        $identity = [System.Security.Principal.IdentityReference] $GrpSID
        $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
        $type = [System.Security.AccessControl.AccessControlType] "Allow"
        $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
        $NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
        $OUacl.AddAccessRule($NewACE)
        Set-ACL -ACLObject $OUacl -Path "AD:\$($NewOU.DistinguishedName)"
    }
}
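Because the script hands out GenericAll with full inheritance, it is worth being able to verify afterwards who actually holds full control on each lab OU. The following audit is an added example, not part of the original answer: it walks the lab OUs directly under the parent OU, lists every explicit (non-inherited) Allow ACE that grants GenericAll, and flags any trustee that is not the expected "<lab name> Admins" group. It assumes the ActiveDirectory module and the AD: drive are available, and that $ParentOU has the same value as in the script above; the function name Get-LabOUDelegation is my own.

```powershell
# Added example (not from the original answer): audit full-control delegation on lab OUs
Import-Module ActiveDirectory

function Get-LabOUDelegation {
    param(
        [Parameter(Mandatory)] [string] $ParentOU
    )
    # Lab OUs are the direct children of the parent OU created by the script
    $labOUs = Get-ADOrganizationalUnit -SearchBase $ParentOU -SearchScope OneLevel -Filter *
    foreach ($ou in $labOUs) {
        # The script names the delegated group "<lab name> Admins"
        $expectedGroup = "$($ou.Name) Admins"
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # Only explicit Allow ACEs that grant GenericAll are reported here;
            # inherited ACEs come from higher up the tree and are audited there
            if ($ace.IsInherited) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not $ace.ActiveDirectoryRights.HasFlag(
                    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { continue }
            $trustee = $ace.IdentityReference.Value        # DOMAIN\Name, or a raw SID if unresolved
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Trustee     = $trustee
                Rights      = $ace.ActiveDirectoryRights
                Inheritance = $ace.InheritanceType
                Expected    = ($trustee -like "*\$expectedGroup")
            }
        }
    }
}

# Report every explicit full-control grant; rows with Expected = False deserve a closer look
Get-LabOUDelegation -ParentOU "OU=NA,DC=savilltech,DC=net" |
    Sort-Object Expected, OU |
    Format-Table -AutoSize
```

The domain's own full-control principals (for example Domain Admins and SYSTEM, which are present on every new OU) will also show up with Expected = False; treat those as the baseline and investigate anything beyond it.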
