Is it possible to nest one OU inside another in Active Directory?
In Active Directory, there are many organizational units (OUs) with computers inside them. I need to create a separate OU and move some existing OUs into it. When I try to move an OU by analogy with moving computers between OUs, I get an error: “Windows cannot move object ‘OU_name’ because: Access is denied”. Is it even possible to nest OUs within other OUs in Active Directory, or must all OUs be only at the same level?
Yes. In Active Directory it is not only possible but recommended to nest one Organizational Unit (OU) inside another; this is called “OU nesting” and is a standard part of the directory's design. The “Access is denied” error is a permissions problem, not a sign that nesting is unsupported: most often the OU you are moving is protected from accidental deletion, or the account performing the move lacks the rights a move needs on the source and target containers.
Table of Contents
- Basics of OU Nesting in Active Directory
- Causes of “Access is denied” Error When Moving OUs
- Solutions for Access Problems When Moving OUs
- Best Practices for OU Structure
- Tools for Managing Nested OUs
Basics of OU Nesting in Active Directory
Organizational Units (OUs) in Active Directory can be organized in a hierarchical structure where one OU can contain other OUs within it. This capability is a fundamental element of Active Directory, allowing for the creation of logical structures for managing domain objects.
Technical aspects of OU nesting:
- Hierarchical structure is reflected in the LDAP path of the object
- Group Policy Objects linked to a parent OU apply to the objects in its child OUs unless inheritance is blocked on the child
- The directory itself does not enforce a nesting limit; the limits are practical (readability, delegation complexity, Group Policy processing), which is why design guidance recommends a shallow tree
According to research, best practice recommends avoiding nesting depth beyond two levels: “Best practice: avoid going beyond two levels of OU nesting whenever possible” (source: Medium, 2025).
Example of OU hierarchy:
Company
├── IT Department
│   ├── Infrastructure Team
│   └── Development Team
├── Finance Department
│   ├── Accounting
│   └── Payroll
└── HR Department
    ├── Recruitment
    └── Employee Relations
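As an added example (not part of the original answer), the following PowerShell builds the hierarchy above with New-ADOrganizationalUnit, where nesting is expressed entirely through the -Path parameter, and then reports the nesting depth of every OU under Company. The domain DC=domain,DC=com and the depth threshold are assumptions.

```powershell
# Added example, not code from the original answer. Builds the hierarchy from
# the diagram with New-ADOrganizationalUnit and reports each OU's nesting depth.
# Assumptions: domain DC=domain,DC=com, RSAT ActiveDirectory module installed,
# and the caller may create OUs under the domain root.
Import-Module ActiveDirectory

$domainDN = 'DC=domain,DC=com'
$maxDepth = 3   # assumption: Company / Department / Team is the deepest level we want

# The diagram as nested hashtables (constructed sample input).
$tree = @{
    'Company' = @{
        'IT Department'      = @{ 'Infrastructure Team' = @{}; 'Development Team' = @{} }
        'Finance Department' = @{ 'Accounting' = @{}; 'Payroll' = @{} }
        'HR Department'      = @{ 'Recruitment' = @{}; 'Employee Relations' = @{} }
    }
}

function New-OuTree {
    param(
        [Parameter(Mandatory)] [hashtable] $Node,
        [Parameter(Mandatory)] [string]    $ParentDN
    )
    foreach ($name in $Node.Keys) {
        # Nesting is expressed only through -Path: the child's DN is
        # "OU=<name>," prepended to the parent's DN.
        $childDN  = "OU=$name,$ParentDN"
        $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $ParentDN -SearchScope OneLevel
        if (-not $existing) {
            # New OUs are protected from accidental deletion, which is also
            # what later makes moving them fail with "Access is denied".
            New-ADOrganizationalUnit -Name $name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
        }
        New-OuTree -Node $Node[$name] -ParentDN $childDN
    }
}

function Get-OuDepth {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    # Depth = number of OU= components in the DN; split on unescaped commas so
    # an OU name containing "\," is not miscounted.
    @($DistinguishedName -split '(?<!\\),' | Where-Object { $_ -like 'OU=*' }).Count
}

New-OuTree -Node $tree -ParentDN $domainDN

Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Company,$domainDN" -SearchScope Subtree |
    ForEach-Object {
        $depth = Get-OuDepth -DistinguishedName $_.DistinguishedName
        [pscustomobject]@{
            Depth             = $depth
            TooDeep           = $depth -gt $maxDepth
            DistinguishedName = $_.DistinguishedName
        }
    } |
    Sort-Object Depth, DistinguishedName |
    Format-Table -AutoSize
```

The script is idempotent: an OU that already exists at the expected level is skipped, so it can be re-run after a partial failure. The depth report is the quick check for the nesting guideline quoted above, since the depth of an OU is simply the number of OU= components in its distinguished name.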
Causes of “Access is denied” Error When Moving OUs
Access errors when attempting to move an OU are a common issue that is typically related to security settings and permissions, rather than the impossibility of the operation itself.
Main causes of the error:
- Missing permissions on the containers involved
  - A move is treated as a delete from the source container plus a create in the target: it requires Delete on the OU (or Delete Child on its current parent), Create Child on the new parent, and Write Property on the object's name and RDN attributes (ou for an OU)
  - Drag and drop in ADUC does not relax these requirements; it issues the same LDAP modify DN operation as the command line
- Protection against accidental deletion
  - OUs created in ADUC or with New-ADOrganizationalUnit are protected by default (Windows Server 2008 and later)
  - Protection is implemented as explicit Deny ACEs for Everyone (Delete and Delete Subtree) on the OU and Deny Delete All Child Objects on its parent; because an explicit Deny takes precedence over any Allow, the move fails even for Domain Admins
  - As noted in research: “Moving triggers delete on source” (source: Hartiga.de); this is the most common cause of this exact error
- Incorrect delegation of authority
  - As the infrastructure grows, delegation is often layered ad hoc, so the group performing the move no longer holds the rights on both containers
  - “Complex Organizational Units (OUs) structure and delegation, this approach becomes cumbersome, error-prone, and difficult to secure at scale” (source: Medium)
- Access permission conflicts
  - Deny ACEs set for one administrator group that also match the account performing the move (Deny is evaluated before Allow)
  - Permissions misapplied on objects with dsacls, for example scoped to the wrong object class
- Active Directory replication lag
  - A permission change or protection flag changed on one domain controller is not yet visible on the domain controller the console is connected to
  - Particularly relevant when the change was made moments before the move is attempted
Solutions for Access Problems When Moving OUs
To successfully move an OU into another OU, you need to properly configure access permissions and consider the security features of Active Directory.
Steps to resolve access errors:
- Check current access permissions
  - Use dsacls (for example dsacls "OU=Source,DC=domain,DC=com") to list the ACL of the OU and of both containers, and look for explicit Deny entries on Delete, Delete Subtree and Delete Child
  - As recommended by specialists: “Use precise extended rights or dsacls with object-class scoping” (source: Windows-Active-Directory.com)
- Temporarily disable protection against deletion

```powershell
# Check protection status
Get-ADOrganizationalUnit -Identity "OU=Source,DC=domain,DC=com" -Properties ProtectedFromAccidentalDeletion

# Disable protection before the move
Set-ADOrganizationalUnit -Identity "OU=Source,DC=domain,DC=com" -ProtectedFromAccidentalDeletion $false
```

  - Re-enable protection as soon as the move has completed; the OU's distinguished name changes with the move, so use the new path when you set the flag back to $true
- Assign necessary permissions
  - Grant the administrator group Create Child and Delete Child for organizationalUnit objects on the containers involved, plus Write Property on the OU's name and ou (RDN) attributes
  - Full Control (GenericAll) on the parent OU also works but is far broader than a move needs (it includes Write DACL and Write Owner); prefer the precise rights above
- Use built-in administration groups only as a last resort
  - Temporary membership in Domain Admins or Enterprise Admins bypasses most delegation, but it does not override the explicit Deny ACEs added by accidental-deletion protection
  - Remove the membership again immediately after the change
- Check Active Directory replication
  - Ensure all domain controllers are synchronized, or run the permission change and the move against the same domain controller (the -Server parameter of the AD cmdlets)
  - Use the repadmin /showrepl command to check replication status
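The steps above as one PowerShell script, added here as an example and not taken from the original answer: it lists the Deny ACEs that protection adds, clears the flag only on the OU being moved, performs the move, and re-enables protection in a finally block so a failed move cannot leave the OU unprotected. OU=Source, OU=Target and DC=domain,DC=com are the placeholders used on this page; the account is assumed to already hold the container rights listed in step 3.

```powershell
# Added example, not code from the original answer. Moves one OU under another
# while handling the usual cause of "Access is denied": accidental-deletion
# protection on the OU being moved. Assumptions: domain DC=domain,DC=com and the
# placeholder OUs "Source" and "Target"; the caller already has Delete Child on
# the source parent, Create Child on Target, and Write on the OU's name/RDN.
Import-Module ActiveDirectory

$sourceOU = 'OU=Source,DC=domain,DC=com'
$targetOU = 'OU=Target,DC=domain,DC=com'

function Get-MoveBlockingAce {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    # Protection is implemented as explicit Deny ACEs for Everyone on Delete and
    # Delete Subtree (DeleteTree). A move is a delete from the source container,
    # and Deny beats Allow, so these ACEs stop Domain Admins as well.
    $deleteMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::Delete -bor
                        [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree)
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (([int]($_.ActiveDirectoryRights)) -band $deleteMask) -ne 0
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

$ou = Get-ADOrganizationalUnit -Identity $sourceOU -Properties ProtectedFromAccidentalDeletion
Write-Host "ProtectedFromAccidentalDeletion: $($ou.ProtectedFromAccidentalDeletion)"
Get-MoveBlockingAce -DistinguishedName $sourceOU | Format-Table -AutoSize

$wasProtected = [bool]$ou.ProtectedFromAccidentalDeletion
$currentDN    = $sourceOU
try {
    if ($wasProtected) {
        # Clearing the flag removes the Deny ACEs. Only the OU being moved needs
        # this; child objects keep their own flag and move with it.
        Set-ADOrganizationalUnit -Identity $currentDN -ProtectedFromAccidentalDeletion $false
    }
    $moved     = Move-ADObject -Identity $currentDN -TargetPath $targetOU -PassThru
    $currentDN = $moved.DistinguishedName   # the DN changes with the move
    Write-Host "Moved to $currentDN"
}
finally {
    # Re-enable protection on whichever DN the OU now has, even if the move
    # failed, so a failed attempt never leaves the OU unprotected.
    if ($wasProtected) {
        Set-ADOrganizationalUnit -Identity $currentDN -ProtectedFromAccidentalDeletion $true
    }
}
```

If you suspect replication lag, add -Server with the same domain controller to the Get-, Set- and Move- cmdlets so the flag change and the move are evaluated against one copy of the directory. If Get-MoveBlockingAce shows a Deny entry that is not the Everyone/Delete pair added by protection, the cause is a delegation conflict rather than the protection flag, and clearing the flag will not help.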
Best Practices for OU Structure
Proper OU structure design is critical for effective Active Directory management.
Design recommendations:
- Limit nesting depth
  - Two, at most three, levels of nesting; every extra level adds Group Policy inheritance and delegation that someone has to reason about
  - As experts point out: “avoid going beyond two levels of OU nesting whenever possible” (source: Medium)
- Logical object grouping
  - Structure OUs geographically, or by functional purpose (departments, teams, projects), and use one model consistently at each level
- Separation of administrative and business needs
  - Create separate branches for managing users and computers, because they receive different Group Policy settings
  - For example OU=Users,OU=IT,DC=domain,DC=com and OU=Computers,OU=IT,DC=domain,DC=com
- Policy management through GPO
  - Link Group Policy Objects at the OU level
  - Policies linked to a parent OU are inherited by nested OUs unless inheritance is blocked, so moving an OU changes which policies apply to everything inside it
- Delegate rights at the OU level
  - Grant local administrators rights only within their own OU, scoped to the object classes they manage, rather than Full Control
  - This improves security and reduces the risk of accidental changes
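As an added example (not code from the original answer), the following PowerShell delegates to an OU-admin group only the rights that creating, renaming and moving OUs inside its own branch needs, which is the least-privilege alternative to granting Full Control on the parent OU. The branch OU=IT Department, the group IT-OU-Admins and DC=domain,DC=com are assumed names; the schema lookups and the .NET access-rule types are standard.

```powershell
# Added example, not code from the original answer. Delegates to an OU-admin
# group the minimum rights needed to create, delete, rename and move OUs inside
# its own branch, instead of Full Control (GenericAll) on the parent.
# Assumptions: domain DC=domain,DC=com, branch "OU=IT Department" and the group
# "IT-OU-Admins" are placeholders; the schema lookups and .NET types are real.
Import-Module ActiveDirectory

$branchDN = 'OU=IT Department,DC=domain,DC=com'
$group    = Get-ADGroup -Identity 'IT-OU-Admins'
$sid      = [System.Security.Principal.SecurityIdentifier] $group.SID.Value

# Resolve schemaIDGUIDs from the schema partition rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid {
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid] $obj.schemaIDGUID
}
$ouClass  = Get-SchemaGuid 'organizationalUnit'
$nameAttr = Get-SchemaGuid 'name'
$rdnAttr  = Get-SchemaGuid 'ou'     # RDN attribute of an OU object

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rule   = [System.DirectoryServices.ActiveDirectoryAccessRule]

$rules = @(
    # Create Child / Delete Child limited to organizationalUnit objects, on the
    # branch and every container below it: this is the "Create Child" on the
    # target and "Delete Child" on the source that a move inside the branch needs.
    $rule::new($sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow, $ouClass, $inh::All)
    # Write Property on name and ou, only for OU objects below the branch,
    # which a rename or move of the OU itself requires.
    $rule::new($sid, $rights::WriteProperty, $allow, $nameAttr, $inh::Descendents, $ouClass)
    $rule::new($sid, $rights::WriteProperty, $allow, $rdnAttr,  $inh::Descendents, $ouClass)
)

$acl = Get-Acl -Path "AD:\$branchDN"
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$branchDN" -AclObject $acl

# Verify: list the ACEs now held by the group on the branch.
(Get-Acl -Path "AD:\$branchDN").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Two caveats. This delegation lets the group move OUs between any containers under the branch, and every such move changes which Group Policy Objects apply to the objects inside, so keep the branch scope tight and do not grant it at the domain root. And an OU that is protected from accidental deletion still cannot be moved by this group until the flag is cleared, because the protection's explicit Deny takes precedence over these Allow entries.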
Tools for Managing Nested OUs
Various tools and approaches are available for effectively managing nested OUs.
Main tools:
- Active Directory Users and Computers (ADUC)
  - Graphical interface for viewing and managing the OU structure
  - Drag and drop objects (including OUs) to move them; the same permission checks apply as on the command line
- Active Directory PowerShell module

```powershell
# Move OU using PowerShell
Move-ADObject -Identity "OU=Source,DC=domain,DC=com" -TargetPath "OU=Target,DC=domain,DC=com"

# Get OU structure information (Name and DistinguishedName are returned by default, so -Properties * is not needed)
Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName
```

- dsacls (access rights management)
  - Command-line utility for viewing and editing permissions in detail
  - Works with extended rights and object-class scoping
- AD Explorer from Sysinternals
  - Advanced viewer and editor for Active Directory
  - Shows the OU structure and the security descriptor of each object
- Group Policy (GPO)
  - Apply policies at the OU level
  - Policies are inherited by nested OUs automatically unless inheritance is blocked
Sources
- Active Directory 102: Planning Your Active Directory Architecture - Medium
- Scaling Your Identity Infrastructure: From Single Domain to Forests in Active Directory - Medium
- How to delegate OU permissions with minimal risk - Windows-Active-Directory.com
- Protect object from accidental deletion - Hartiga.de
- Organizational Units - Blackbaud Documentation
Conclusion
Nesting OUs within other OUs in Active Directory is not only possible but also recommended for creating a logical and manageable structure. The “Access is denied” error comes from permissions, usually accidental-deletion protection on the OU being moved or missing rights on the source and target containers, not from a limitation of the directory itself.
Key takeaways:
- Technical capability: Active Directory fully supports OU nesting and does not enforce a depth limit
- Optimal depth: It is recommended to limit nesting to 2-3 levels for ease of management
- Access rights: The main issue when moving OUs is insufficient permissions, not impossibility of the operation
- Tools: Both graphical (ADUC) and command-line (PowerShell, dsacls) tools exist for managing nested OUs
Recommended actions:
- Check current access permissions on parent OUs
- Temporarily disable protection against deletion if necessary, and re-enable it on the OU's new path after the move
- Use PowerShell to automate move operations
- Design OU structure with future scaling in mind
- Implement proper rights delegation for local administrators
Creating a nested OU structure significantly improves Active Directory management, allows for policy application at department levels, and provides more detailed security control.