Create an Organizational Unit in a domain with Azure AD Domain Services


Organizational units (OUs) in Active Directory are containers where users, computers, groups and other organizational units are placed. These containers help create Active Directory's logical structure and can be used to assign group policies and manage resources. This is common practice in an in-house domain environment.
The same strategy can also be used in Azure managed domains, with some limitations. Managed domains do not offer full control over functions such as complex group policies; I will explain those in a later article. Organizational units, however, can be created and managed in an Azure managed domain. There is no option in the Azure portal to create them; they need to be created from a PC or server that is joined to the Azure AD managed domain.

You also need to be a member of the AAD DC Administrators group.

Let's see how we can create an OU.

In my demo I am using a Windows Server 2016 TP5 server which is joined to the managed domain. I am logged in as a member of the AAD DC Administrators group.

ou01

I have also already installed the AD DS and AD LDS Tools (Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools).

ou02

To start the process, go to Server Manager > Tools > Active Directory Administrative Center.

ou03

On the left-hand side of the console, click on the managed domain.

ou04

On the right-hand side, under Tasks, click New > Organizational Unit.

ou05

In the next window, provide the information about the new OU and click OK to complete.

ou06

You can then see the new OU has been added.

ou07

By default, the user account I used to create the OU is granted full control over the OU.

ou08

Now you can create new users and groups under this OU. Keep in mind, however, that you CANNOT move any users or groups that are already under the AADDC Users OU. That is the default OU for users and groups added via the Azure portal.

ou09

NOTE: Users and groups added under the new OU will not be visible in the Azure portal. They exist only inside the managed domain environment.
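The same procedure can be scripted with the ActiveDirectory module that the AD DS and AD LDS Tools install. The following is an added example, not part of the original post: it checks that the current account is a member of AAD DC Administrators, creates the OU under the domain root, reads back the ACL to show the creator's default full-control entry, and creates one user in the new OU. The domain name `aadds.contoso.com`, the OU name `Finance` and the user name `fin.user01` are placeholders.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory RSAT module
# and a machine joined to the Azure AD DS managed domain.
Import-Module ActiveDirectory

$domain   = 'aadds.contoso.com'   # placeholder managed-domain name
$ouName   = 'Finance'             # placeholder OU name
$domainDN = (Get-ADDomain -Server $domain).DistinguishedName

# Only members of "AAD DC Administrators" can create OUs in a managed domain,
# so verify membership of the running account before doing anything.
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[-1]
$admins = Get-ADGroupMember -Identity 'AAD DC Administrators' -Server $domain -Recursive |
          Select-Object -ExpandProperty SamAccountName
if ($admins -notcontains $me) {
    throw "$me is not a member of AAD DC Administrators; OU creation will be denied."
}

# Equivalent of Tasks > New > Organizational Unit at the domain root.
New-ADOrganizationalUnit -Name $ouName -Path $domainDN -Server $domain
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -Server $domain

# The creating account receives full control on the new OU by default;
# read the ACL through the AD: drive to confirm which rights were granted.
(Get-Acl -Path "AD:\$($ou.DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -like "*\$me" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# New objects can be created in the OU. Objects already in "AADDC Users" are
# synchronised from Azure AD and cannot be moved here, and this user will not
# appear in the Azure portal; it exists only inside the managed domain.
New-ADUser -Name 'fin.user01' -SamAccountName 'fin.user01' `
           -Path $ou.DistinguishedName -Server $domain -Enabled $true `
           -AccountPassword (Read-Host -AsSecureString 'Initial password for fin.user01')
```

Run it from an elevated PowerShell session on the domain-joined server while logged on as the AAD DC Administrators member; the `-Server` parameter pins every call to the managed domain rather than any other domain the machine can reach.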


Source: canitpro.net