Can organizational units (OUs) be nested within other OUs in Active Directory?
In my Active Directory infrastructure, I have multiple organizational units (OUs), each containing computers. I need to create a new OU and move some existing OUs into it. I attempted to do this similarly to how I move computers between OUs, but I received an error: “Windows cannot move object ‘OU_name’ because: Access is denied”.
Is it possible to nest OUs within other OUs in Active Directory, or do all organizational units have to exist at the same hierarchy level?
Yes, in Active Directory you can nest one Organizational Unit (OU) within another, creating a hierarchical structure. The “Access is denied” error occurs due to insufficient permissions for moving the OU, rather than being a technical impossibility of such an operation.
Table of Contents
- Can you nest OUs within other OUs?
- Reasons for “Access is denied” error when moving OUs
- Permissions required to move OUs
- Best practices for designing OU hierarchy
- Solving access problems
Can you nest OUs within other OUs?
Yes, in Active Directory, it is fully possible to nest one Organizational Unit (OU) within another. This functionality allows creating a multi-level hierarchical structure for better organization of objects in the directory.
Unlike some other directories, Active Directory supports arbitrary nesting of OUs, giving administrators flexibility in designing the organization’s structure.
However, there are important limitations and recommendations:

- Optimal hierarchy depth: best practice is to avoid more than two levels of OU nesting [1]. A hierarchy that is too deep complicates security policy management and increases the risk that a single error propagates to many objects.
- Impact on Group Policies: with nested OUs, policies are applied top-down through inheritance, and each additional level can change which Group Policy Objects (GPOs) take effect.
- Access management: as hierarchy depth increases, rights delegation and access control become more complex.
Reasons for “Access is denied” error when moving OUs
The “Access is denied” error when attempting to move an OU is a common problem and is usually caused by one of the following:

- Insufficient rights of the current user: moving an OU requires specific permissions that regular users, and even some administrators without the appropriate delegated authority, do not have.
- Protection of objects from accidental deletion: as noted in the sources, the “Protect object from accidental deletion” setting blocks not only deletion but also moving of objects [5]. The setting adds Access Control Entries (ACEs) of type “Deny” for the “Delete” and “Delete Subtree” operations.
- Impact of AdminSDHolder: protected groups and objects in Active Directory have a special protection mechanism through AdminSDHolder, and incorrect settings on this object can block move operations [7].
- Inherited denials: Deny entries set on a parent OU are inherited by child objects and can block the move.
Permissions required to move OUs
To move an OU under another OU, the following permissions are required:

- Object owner rights: the user must be the owner of the OU being moved or have the Take Ownership right.
- Rights to modify the parent container: permission to create objects in the target OU is required.
- Special move rights: the `GenericWrite` or `Write` right on the object is required, which allows changing its parent container.
- Rights to delete from the original location: a move effectively deletes the object from the old location and creates it in the new one, so delete rights at the source are needed as well.

Unlike computers, which are objects of the `computer` class, OUs are containers of the `organizationalUnit` class, and manipulating them requires stricter rights.
Best practices for designing OU hierarchy
When designing a nested OU structure, consider the following recommendations:

- Limit hierarchy depth: as the sources note, try not to exceed two levels of nesting [1]. This simplifies management and reduces risk.
- Use logical grouping: create nested OUs based on geographical location, department, or function, not arbitrarily.
- Consider alternative approaches: instead of deep nesting, you can use parallel OUs under a common parent.
- Automate object protection: configure automatic enabling of protection from accidental deletion for all critical OUs [5].
- Regularly check permissions: audit delegated rights, especially in complex hierarchies, to avoid accumulation of excessive permissions.
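As an added example (not code from the page or its sources), the following PowerShell audits every OU for nesting depth and for the Group Policy it links or inherits, covering the depth limit and GPO inheritance points from the limitations list and the recommendations above. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined host; `$maxDepth` is a constructed threshold taken from the two-level recommendation.

```powershell
# Added example: report OU nesting depth and GPO inheritance per OU.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) are installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$maxDepth = 2   # recommended maximum nesting depth from the text above

Get-ADOrganizationalUnit -Filter * |
    ForEach-Object {
        # Depth = number of OU= components in the DN (1 = directly under the domain).
        $depth = ([regex]::Matches($_.DistinguishedName, '(?i)(^|,)OU=')).Count

        # GpoLinks = GPOs linked directly here; InheritedGpoLinks = everything
        # that applies after inheritance from parent OUs and the domain.
        $inh = Get-GPInheritance -Target $_.DistinguishedName

        [pscustomobject]@{
            OU                = $_.DistinguishedName
            Depth             = $depth
            TooDeep           = ($depth -gt $maxDepth)
            LinkedGPOs        = $inh.GpoLinks.Count
            EffectiveGPOs     = $inh.InheritedGpoLinks.Count
            BlocksInheritance = $inh.GpoInheritanceBlocked
        }
    } |
    Sort-Object Depth -Descending |
    Format-Table -AutoSize
```

Rows with `TooDeep` set to True, or where `EffectiveGPOs` is much larger than `LinkedGPOs`, are the OUs where policy behaviour is hardest to reason about.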
Solving access problems
To solve the “Access is denied” error when moving an OU, follow these steps:

- Check current permissions: make sure you have the rights needed to move objects. You can inspect the OU's ACL with PowerShell (the `AD:` drive is provided by the ActiveDirectory module):

```powershell
Import-Module ActiveDirectory
Get-Acl -Path "AD:\OU=Source,DC=domain,DC=com" | Format-List
```

- Temporarily disable protection: if the object is protected from accidental deletion, you can temporarily disable this protection (re-enable it once the move is done):

```powershell
Set-ADOrganizationalUnit -Identity "OU=Source,DC=domain,DC=com" -ProtectedFromAccidentalDeletion $false
```

- Use rights delegation: through the Active Directory Users and Computers console:
  - Right-click the target OU
  - Select “Delegate Control”
  - Add a user or group
  - Grant the necessary permissions, including “Create, delete, and manage all child objects”

- Use dsacls to modify permissions: for fine-grained changes, use the dsacls utility. The example below grants Generic Read (`GR`) on the target OU; a move needs create-child rights on the target, so substitute the permission code for what you actually intend to grant:

```cmd
dsacls "OU=Target,DC=domain,DC=com" /G "DOMAIN\Users:GR"
```

- Check denial inheritance: ensure there are no Deny entries at the domain level or on parent OUs that block the operation.
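The permission requirements listed earlier and the troubleshooting steps above, combined into one PowerShell script as an added example (not code from the page's sources). It assumes the RSAT ActiveDirectory module; the `OU=Source` and `OU=Target` DNs are placeholders.

```powershell
# Added example: check the usual causes of "Access is denied" before moving
# an OU, then attempt the move. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$sourceOU = "OU=Source,DC=domain,DC=com"   # OU being moved (placeholder)
$targetOU = "OU=Target,DC=domain,DC=com"   # new parent container (placeholder)

# 1. Accidental-deletion protection adds Deny ACEs for Delete and Delete
#    Subtree; a move deletes from the old location, so it is blocked too.
$ou = Get-ADOrganizationalUnit -Identity $sourceOU -Properties ProtectedFromAccidentalDeletion
if ($ou.ProtectedFromAccidentalDeletion) {
    Write-Warning "$sourceOU is protected from accidental deletion; the move will fail until it is cleared."
}

# 2. Show every Deny entry on the OU being moved and on the target, including
#    entries inherited from parent OUs or the domain (the AD: drive comes from the module).
foreach ($dn in @($sourceOU, $targetOU)) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object @{ n = 'Object'; e = { $dn } }, IdentityReference,
                      ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize
}

# 3. Who may create child objects in the target? Compare this list with the
#    group memberships of the account performing the move (whoami /groups).
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'CreateChild|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 4. Attempt the move; a denied move surfaces as a terminating error here.
try {
    Move-ADObject -Identity $sourceOU -TargetPath $targetOU -ErrorAction Stop
    Write-Host "Moved $sourceOU under $targetOU"
} catch {
    Write-Error "Move failed: $($_.Exception.Message)"
}
```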
Sources
- Active Directory 102: Planning Your Active Directory Architecture - Medium
- How to delegate OU permissions with minimal risk - Windows-Active-Directory
- Protect object from accidental deletion - Hartiga
- AD object with non-default permissions on AdminSDHolder - Cayosoft
- Auditing Nested Group Memberships: An Expert Guide - Windows-Active-Directory
- Apply Least Privilege in Active Directory with Delegation Wizard - AdminDroid
- How to safely hand off AD permissions without breaking - Toxigon
Conclusion

- OU nesting is possible: Active Directory supports nesting organizational units into a multi-level structure, with the recommendation to limit it to two levels for maintainability.
- The access error is solvable: the “Access is denied” issue stems from permission limitations, not a technical impossibility, and is resolved through proper delegation of authority.
- Security matters more than convenience: before simplifying the structure through deep nesting, evaluate the security risks and the complexity of managing policy inheritance.
- Use automation: protect critical objects by automatically enabling protection from accidental deletion, and audit access rights regularly.
- Test changes: before mass OU moves, test the operations in a test environment to avoid failures in production.