This image illustrates the concept of the Active Directory hierarchy. At the very top of the Active Directory hierarchy is the Domain Controller (DC). To keep this simple, let's say Acme company consists of about 2,000 employee's. In this scenario, let's say there is one administrator that controls the domain controller. This admin has full control of the Acme domain.

Often, employee's will probably ask for some type of permission change, typically when the user wants to be able to do something on their computer that is being restricted by a Group Policy Object (GPO) in Active Directory. While the admin may be able to support 2,000 employee's, it would be much better if the admin had some help. This is a compelling reason to create Organizational Units (OU). Of the 2,000 employee, let's say 500 are in Sales and 500 are in Support. In a scenario like this, it makes sense to create a Sales OU and a Support OU. Then, an user account can be created in Active Directory and assigned as a delegate (admin) of the OU. This user account would have the ability to change some, but not all, of the permissions for the groups that are included in the OU. For example, the Sales OU admin would be able to change some of the GPOs for the Remote Sales Group and Local Sales Group, but not the support groups. This removes some of the work load off of the DC admin, letting each OU admin handle some of the requests from the users in their groups.

To create a new Organizational Unit (OU) in Server Core:

1. In the command line, type powershell and press enter
2. Type New-ADOrganizationalUnit -Name "example"

To ensure the new OU has been created, type Get-ADOrganizationalUnit -Identity "OU=<OU name>,DC=<domain name>,DC=Local"

In this example, an OU named staged was successfully created.

Next let's create a group in the Staging OU:

1. At the command line, type powershell and press enter
2. Type dsadd group "CN=groupname, OU=ouname, DC=domainname, DC=local"
   • Replace "groupname" with the new group name
   • Replace "ouname" with the name of the OU you want to add the group to
   • replace "domainname" with your domain name

dsadd group "CN=groupname, OU=ouname, DC=domainname, DC=local"

The dsquery group command can be used to verify the group was created.

Let's create a user in the Staging OU:

1. At the command line, type powershell and press enter
2. Follow is an example syntax to create a new user:

New-ADUser 
-AccountPassword (ConvertTo-SecureString SuperSecretPassword� -AsPlainText -Force) 
-ChangePasswordAtLogon $false 
-City New York 
-company Example Company� 
-DisplayName Last, First� 
-Enabled $true 
-Name Last, First� 
-SamAccountName username 
-Title Sales Admin 
-Path  OU=OUname,DC=domainname,DC=local� 
-givenname First 
-surname Last 
-department Sales 
-office New York�

Use the Get-ADUser -Identity username cmdlet or dsquery user command to view the user account.