3.4 Organizational Unit (OU) Structure (Google)

Basics

Google defines an organizational unit (OU) as a group (not to be confused with Google groups) that a super administrator can create in the Google Admin console to apply settings to a specific set of users. Administrators can set up different organizational units and add users based on their job roles and the apps they need access to. (from SysCloud)

Initially in your Google Admin console, all your users and devices are placed in a single organizational unit, called the top-level organizational unit. All settings you make in the Admin console apply to this top-level organizational unit and, therefore, to all users and devices in your account.

You should know the following terms:

  • Child OU 
  • Organizational Unit (OU) 
  • Top Level/Parent OU 

How to create an organizational unit

  1. Open your Google Admin console.
  2. Go to Menu → Directory  → Organizational units.
  3. Hover over the organization you want to modify and click Create new organizational unit (+).
  4. In the Name of organizational unit field, enter the new group's name.
    Note: The  "/" character isn't allowed in names of organizational units. If you use Google Cloud Directory Sync, Google Workspace Admin SDK, or School Directory Sync to create or rename an organizational unit, the "/" automatically replaced automatically by "_" (underscore). 
  5. (Optional) To add a description of the organization, enter it in the Description field.
  6. (Optional) To place the organization under a different parent organization:
    Under Parent organizational unit, click Edit.
    Choose a parent organization.
    Click Done.
  7. Click Create.

How to move users into an organizational unit

  1. In your Google Admin console (at admin.google.com) go to Menu → Directory → Users.
  2. If necessary, click at the upper left of the Users list to see the organizational tree.
  3. Click the organization the users are in now. Users who haven't been moved are in the top-level organization. Tip: If you're not sure which organization a user belongs to, go to the user's profile page, instead.

  4. (Skip this step if you went to the user's profile page.)

    1. To move a single user, find the user in the Users list.Then check the box for the user.

    2. To move multiple users, check the box for each user you want to move in the Users list.

    3. To move users in bulk, at the top, click Bulk update users → download your users → update column Org Unit path. 

  5. At the top, click More →  Change organizational unit. 
  6. Choose the new organization from the dialog box, and then click Continue. 
  7. In the confirmation message, review the information about moving the users to a different organization.
  8. Click Change.

How to create an admin role for an organizational unit.

You can only assign certain privileges to a custom role for an organizational unit. If you grant any other privileges to the custom role, you can’t limit the role for use with an organizational unit. 

You can assign the following privileges:

  • Users
  • User Security Management
  • Organizational Units
  • Chrome Management
  • Shared device settings

Create and assign the role

  1. Go to Create a custom role and follow the steps. Make sure the role only includes privileges that apply to organizational units (details above).
  2. Click Assign role.
  3. Add a user that you want to assign to the role.
  4. Next to the user, click the organizational unit.
  5. Select the organizational unit and click Done.
  6. Click Assign Role.

Here are additional resources you may find useful:

Complete the following task or self-assessment:

Understand your Organizational Unit Structure

  1. Open the admin console and identify any pre-established organizational units under the parent organization. Are there any that need to be added? Are there any that are not necessary?
  2. Create an Organizational Unit for a mock department within your organization. This is just for practice, so it can be anything (your book club, your lunch buddies, your fantasy football league, etc.). 
  3. Add some users (it’s probably best to create mock users for this purpose, but if you choose to include real users, just make a note of their original settings so that you can rest them when you are done.)
  4. Assign admin roles for at least one of these users.

Following the activities, reflect on the following questions:

  • Did you run into any trouble? If so, where might you seek answers to your questions? Do you have any trusted colleagues you could speak with for assistance?
  • What advice or tips might you offer to a new colleague in your role?