Organizational unit in active directory is a container where you can place users, computers, groups and other organization units even. Organizational Unit are helps to create logical structure of the AD. You can use it to assign group policies and manage the resources. This is common procedure in in-house domain environment, but what about the Azure managed domain? Can engineers use same method?
Answer is YES, but with some limitations. It is managed domain so you do not have full control over the functions such as complex group policies etc. I will explain those in later article but for the Organizational units, we can create those and manage those in azure managed domain. There is no option in azure portal to create this, this need to be created using a PC, server which is connected to the Azure Ad managed domain.
I wrote an article about adding a VM to the Azure managed domain. It is good place to start with http://www.rebeladmin.com/2016/05/step-step-guide-manage-azure-active-directory-domain-service-aad-ds-managed-domain-using-virtual-server/ . To create Organizational Unit, you must have this done before start.
You also need be a member of AAD DC Administrators group.
Create Organizational Unit (OU)
In my demo I am using a windows 2016 TP5 server which is connected to managed domain. Also I logged in as a member of AAD DC Administrators group.
Also I have already installed AD DS and AD LDS Tools (Remote server administration tools > Role administration tools > AD DS and AD LDS Tools)
To start the process, go to Server Manager > Tools > Active Directory Administrative Center
In left hand side in the console click on the managed domain
In the right hand under the Tasks click on New > Organizational Unit
In next window we can provide the information about new OU and click OK to complete.
Then you can see the new OU added.
By default the user account I used for to create the OU got full permissions to control the OU.
Now you can create new users, groups under this OU. But keep in mind you CANNOT move any users, groups which is already under AADDC users OU. It’s the default OU for the users, groups added via azure portal.
Also the users and groups added under new OU will not be visible on azure portal. It’s only valid inside the managed domain environment.
More info https://learn.microsoft.com/en-us/entra/identity/domain-services/create-ou
Hope this article was helpful. If you got any questions feel free to contact me on rebeladm@live.com