In this article
Note: When you change any setting for the parent organizational units, the settings for child units will also change by default, unless custom settings have been applied.
Note: To manage the organizational structure, one needs to have Organizational Units privilege assigned to them in the Google Admin console. A Super administrator, by default, has all the admin privileges assigned to them.
Step 1: Go to the Google Admin Console and navigate to the Organizational Units section on the Admin Console home page.
Step 2: Click on the ‘+’ icon on the upper left of the page.
Step 3: Add a name and description for the organizational unit. Choose the parent organizational unit under which you want to place the new organizational unit. By default, a newly created organizational unit will be placed under the top-level organizational unit.
Step 4: Click Create.
Note: You can also directly create a new organizational unit under an existing organizational unit by using the ‘+’ icon next to it.
Step 1: From the Google Admin Console home page, select the Users tab.
Step 2: Under the All organizations section on the left side of the page, choose whether you want to view Users from all organizational units or Users from selected organizational units, and select the required organizational unit from the list.
Step 3: Select the user(s) that you want to move to another organizational unit. Click More -> Change organizational unit.
Step 4: Choose the organizational unit to which the user has to be moved. Review the settings and click on Change.
Step 1: Go to Devices in the Google Admin Console.
Step 2: Navigate to Chrome Devices.
Step 3: From left panel on the page, select the organizational unit the device is part of. (You can also search for a particular device using its serial number)
Step 4: Select the device that you want to move and click the Move option at the top of the page.
Step 5: Choose the organizational unit that you want to move the device to and click Move.
Step 1: In the Google Admin Console home page, go to the Apps section.
Step 2: Click on the tab Google Workspace.
Step 3: On the left side, you can see all the organizational units listed. Select the organizational unit that contains the users for which you want to set up app services. This will show the status of all the apps for the selected organizational unit.
Step 4: Check the box next to the service you want to turn on or off. On the top of the page, choose whether you want to keep the service On or OFF for the selected organizational unit. For child organizational units, you can also choose the Inherit option, to directly inherit the settings the corresponding parent unit has for the selected service.
For detailed steps on how this can be done for each Google service, see the table provided in the Google support page.
Step 1: Log in to the Google Admin Console. Go to Apps -> Google Workspace.
Step 2: From the list of Google Workspace apps, click on the app whose settings you need to customize. You will be taken to the app settings page.
Step 3: Click on a setting panel to expand that setting. Select the organizational unit that has the users for which you want to change the settings.
Step 4: Edit the settings and click Override (Click Save if it is the top-level organizational unit).
Note: You need to be a Chrome Enterprise Upgrade or Chrome Education Upgrade customer to perform this.
Step 1: From the Admin console Home page, go to Devices -> Chrome.
Step 2: Navigate to Settings -> Device.
Step 3: Select the organizational unit which contains all the devices for which you need to change the setting. To apply the setting to all devices, leave the top organizational unit selected. Apply the settings you want. To learn about each setting in detail, refer the Google support page.
Note: You can quickly find a setting using the Search or add a filter option at the top.
Step 4: Click Save. It might take up to 24 hours to apply for the settings to apply to everyone.
Note: Access groups can only be created from the Google Admin Console, Google Cloud Directory Sync, or Directory API. A group created with Google Groups, or a dynamic group cannot be used as access groups.
The following table gives the differences between an access group and an organizational unit:
Table Source: Google Support page
As mentioned before, only groups created using the Admin console, Directory API, or Google Cloud Directory Sync can be used as access groups. You cannot use a group created with Google Groups, at groups.google.com, or a dynamic group as an access group.
To learn more, read Customize service settings with configuration groups
In the Google Admin console, a Super Administrator can share the responsibility of managing the organizational account by assigning administrator roles to users in the organization. This gives the users access to the Google Admin console. An admin can assign the user a pre-built role available in the console to perform common business functions, or they can create a custom role to be assigned to the user. Learn more about administrator roles in the Google Admin console
Step 1: In the Google Admin console Home page, go to Admin roles, and click Create a new role.
Step 2: Enter a name and description, and click Continue. From the list of privileges, select the privileges that you want to assign to the user, and click Continue. Make sure to check only those privileges that apply to organizational units. (See Administrator Privileges Required)
Step 3: Review the privileges and click Create Role to create the custom administrator role with selected privileges. Click Assign users.
Step 4: Enter the user to whom you want to assign the role. Choose the organizational unit to which you want to limit the role.
Step 5: Click ASSIGN ROLE. The assigned admin will now be able to manage specific management tasks for the users belonging to the selected organizational unit.
To retain data using retention rules or holds, one needs access to Google Vault. Learn how to get Google Vault for your organization.
To learn more about Google Vault, read this article.
Step 1: Sign in to Google Vault. Click Retention -> Custom Rules -> Create.
Step 2: Select the service for which you want to apply the rule, and click Continue. A separate retention rule needs to be created for each service for which you need to retain data.
Step 3: Choose the organizational unit for which you need to retain data, and click Continue.
Step 4: (optional) Choose the conditions that must be met for data to be covered by this rule, and click Continue. This step can be skipped if you want to retain the entire data. (This step is applicable only if you have selected Gmail or Groups in step 2)
Step 5: Choose how long to keep the data:
1) To permanently retain messages covered by this rule, choose Indefinitely.
2) To retain data for a specific period, and remove it once the retention period expires, choose Retention period, and enter the number of days (from 1 to 36,500).
Step 6: If you selected Retention period in the previous step, choose what to do with the data when the retention period ends. Click Create.
Learn more about how retention works in Google Vault
Step 1: Sign in to Google Vault and select Matters.
Step 2: If the matter already exists, click it to open it. Otherwise, click on Create to create a new matter. Enter the matter name and description.
Step 3: Open the matter you created, and navigate to Holds -> Create.
Step 4: Enter the hold name. Select the service for which you want to place data on hold, and click Continue.
Step 5: Choose the organizational unit for which you need to retain data, and click Continue. (You might have to perform an additional step here depending on the service you choose. For example, if you have selected Drive in step 4, you need to choose whether to include items in shared drives as well)
Step 6: (optional) Set the conditions for the hold to be applied, and click Create. This step can be skipped if you want to retain the entire data. (This step is applicable only if you have selected Gmail or Groups in step 4. For other Google services, you can directly create the hold in Step 4)
To learn more about holds in Google Vault, click here.
Even though retention rules and holds in Google Vault can be used to retain data at an organizational unit level, they are not designed for the purpose of backup and restore, and therefore, have serious limitations as a backup solution. Click here to view all the limitations associated with using Google Vault as a backup solution
Third-party cloud backup applications like SysCloud are better options to back up your Google Workspace data.
SysCloud backup for Google Workspace provides administrators the option to set up and configure backup at an organizational unit level, with different retention settings for each Google organizational unit.
1. Keep it simple: You should create as many organizational units as necessary but as few as possible. Create a new organizational unit only if you need to customize service access or settings for different users or devices. If it is not necessary to differentiate between users, provide everyone with the same level of access to services and settings.
2. Do not over-organize: It may be tempting to meticulously categorize users, but this gives you more work when it is time to assign new policies. Only create organizational units when there is a specific purpose for that unit. For example, in a school, it would make sense to place the students and staff in separate organizational units because their settings and restrictions would be different. Whereas, students in each grade need not be placed in separate organizational units, unless specifically required.
3. Pay attention while moving organizational units: Like how it takes time to initially configure organizational units for your company, you need to pay enough attention while modifying the organizational structure as well. When you move an organizational unit from the current location to a new location, you need to consider whether that organizational unit has any local settings applied to it, in which case, those settings will continue to remain in effect in the new location. Whereas, inherited settings will not be carried over to the new location; those settings will be inherited from the new parent organizational unit. Knowing where settings are locally applied and how inheritance works is a key step in the planning process. Amplified IT’s support team can assist you in generating a report of most locally applied settings and services. (Available for K-12 and higher educational institutions using Google Workspace for Education)
4. When restructuring, choose the method that suits your need: If you do not want to maintain the current settings that are applied to existing organizational units, the easiest method to update the organizational structure is to start creating organizational units from scratch. Whereas, if you want to maintain all the current settings, it will be better to move existing organizational units with their locally applied settings, and rename them appropriately. There might be situations where a hybrid solution works better - moving and renaming some organizational units (that have locally applied settings which are too tedious to be configured again), and then creating new organizational units for which you want the settings to be fully inherited. (source: https://www.amplifiedit.com/ou-structure/)
1. Are organizational units related to domains?
2. Can settings be customized for a single user using an organizational unit?
3. How do I change my Google organizational unit?
4. Does organizational structure impact the rate at which users are added to a Google Workspace account?
5. How are organizational units different from access groups?