Create OUs and nested OUs in Active Directory

I’ve worked with AD long enough to know that a messy OU structure will come back to haunt you—usually when you’re knee-deep in a GPO rollout or trying to delegate permissions cleanly. So when I spun up a fresh domain for a client last quarter, I decided to script the OU creation from the start. No clicking around in ADUC. Just PowerShell, clean and fast.

Why I Went the PowerShell Route

Not gonna lie, I used to avoid scripting OU creation. It felt overkill for small setups. But once you’ve had to replicate the same structure across staging, dev, and prod—or worse, rebuild it after a botched migration—you start appreciating the repeatability. Plus, I was working on a Hyper-V lab running Server 2022 with RSAT tools on my admin box, so I had everything I needed.

Step-by-Step: What Actually Worked

Here’s how I tackled it, with some commentary for anyone winging it like I was:

1. Launch PowerShell as Admin
   Right-click, run as admin. If you skip this, some commands just silently fail. Been there.
2. Import the AD Module Import-Module ActiveDirectory If you’re on a fresh RSAT install, this might throw an error. I had to reboot once before it loaded properly.
3. Create the Base OU New-ADOrganizationalUnit -Name "UserAccounts" -Path "DC=contoso,DC=com" I usually start with a top-level OU for users, then nest roles or departments under it. Keeps things tidy.
4. Add Attributes (Optional but Useful) New-ADOrganizationalUnit -Name "UserAccounts" -Path "DC=contoso,DC=com" -Description "OU for user accounts" -ProtectedFromAccidentalDeletion $True That accidental deletion flag? Saved me once when someone tried to clean up “unused” OUs.
5. Create Nested OUs New-ADOrganizationalUnit -Name "Admins" -Path "OU=UserAccounts,DC=contoso,DC=com" Most guides gloss over this, but make sure the parent OU exists before running nested commands. Otherwise, PowerShell throws a vague error that doesn’t help.
6. Bulk OU Creation Script
   I used this to spin up HR, IT, and Finance OUs in one go: $OUs = @( @{Name="HR"; Path="DC=contoso,DC=com"}, @{Name="IT"; Path="DC=contoso,DC=com"}, @{Name="Finance"; Path="DC=contoso,DC=com"} ) foreach ($OU in $OUs) { New-ADOrganizationalUnit -Name $OU.Name -Path $OU.Path } You can expand this easily for nested structures. I’ve used CSV imports for larger orgs, but this inline array works fine for quick setups.

Gotchas and Lessons Learned

• Typos in the path: Ever spent 30 minutes debugging a script only to find a missing comma in DC=contoso,DC=com? Welcome to my world.
• Module not loading: If Import-Module ActiveDirectory fails, check RSAT and reboot. It’s not always instant.
• Nested OU errors: PowerShell doesn’t always tell you when the parent OU is missing. I now pre-check with Get-ADOrganizationalUnit.

Final Thoughts

Setting up OUs via PowerShell isn’t just about speed—it’s about consistency. Especially if you’re managing multiple environments or onboarding new clients. I’ve started saving these scripts in a central repo so I can tweak and reuse them across projects.

Ever tried scripting OU creation for a multi-forest setup? Or hit weird bugs with protected deletion flags? Drop a comment or DM—I’m always curious how others handle this.