Restoring lost data is just a matter of a few clicks

Protect Your Cloud Data, Now!

Google organizational units (OUs) in Google Workspace enable tailored management of user settings, access, and data retention:

OUs allow for customized access to apps, services, and device management based on specific roles and departments. 

Data retention policies can be applied at the OU level using Google Vault, ensuring compliance and security. 

Access groups offer flexibility in managing service access without altering the OU structure.

Leverage OUs for efficient management and use SysCloud for automated backups, ensuring comprehensive data protection and easy recovery.

This article is a one-stop destination for everything a super administrator needs to know about Google organizational units, along with data retention management at an organizational unit level.  

Google defines an organizational unit as a group (not to be confused with Google groups) that a super administrator can create in the Google Admin console to apply settings to a specific set of users. Administrators can set up different organizational units and add users based on their job roles and the apps they need access to.

In Google Workspace, by default, every person has access to the same set of apps, with the same configuration. When an administrator adds or enables an app, access to the app is enabled for everyone. But most organizations are comprised of many smaller units or teams that focus on specific tasks or projects. Administrators might therefore be required to apply different settings to a specific group of users. This can be done by using organizational units in the Google Admin console.  

In most organizations, people with different roles need different levels of access. For example, the Sales team needs access to a CRM service, or the Finance team needs access to an accounting app, while another department might not need access to these services at all. As data protection laws become tighter, it is important that only specific personnel have access to sensitive data.  Google Workspace organizational units ensure that everyone in the organization has access only to the data and apps they need to do their jobs. 

Using organizational units, administrators can: 

Turn Google services on and off for specific groups of users

Configure service settings differently for specific groups of users 

Configure settings for Chrome OS devices if you have added those devices to an Organizational Unit 

By default, all the users and devices in a Google Workspace account belong to a single organizational unit, called the top-level (parent) organizational unit which usually has the same name as your domain. All the settings that are applied in the Admin Console apply to this top-level organizational unit, and thereby, to all the users and devices in the account.

For example, an organization can have different organizational units for Sales, Marketing, and HR teams to give each unit access to only relevant Google Workspace apps and settings.

You can create as many organizational units as you want below the top-level unit, but a user can only be a part of one organizational unit at a time. Child organizational units can be created under each organizational unit. By default, a child organizational unit inherits the settings of the parent, and any changes made to the parent organizational unit will also reflect in the child organizational units. But administrators can create custom settings specific to each child organizational unit to override the settings inherited from the parent organizational unit.

As shown in the above diagram, the top-level organizational unit has many child organizational units like Marketing, HR, Sales, IT, Finance, and Test. Some of these child units have more organizational units under them, with each having the same settings inherited from the parent or customized settings. For example, YouTube has been turned on for the users in the “Marketing” organizational unit. Therefore, by default, all users in “Social media management” which is a child unit of “Marketing” will be able to access YouTube. At the same time, a custom setting has been directly applied to the “Recruitment” organizational unit to turn on Google Drive access for the users in that unit, which overrides the settings inherited from the parent unit. Therefore, irrespective of the settings applied to the “HR” unit, users in “Recruitment" – which is a child unit of “HR" – can access Google Drive.

Note: When you change any setting for the parent organizational units, the settings for child units will also change by default, unless custom settings have been applied.

After setting up a Google Workspace account, administrators can create as many organizational units as required.

Note: To manage the organizational structure, one needs to have Organizational Units privilege assigned to them in the Google Admin console. A Super administrator, by default, has all the admin privileges assigned to them.

To apply different settings to a set of users or Chrome devices, administrators can create a new organizational unit below the top-level organizational unit, place the users or devices in it, and apply unique settings to that unit. To create a new organizational unit, follow the below steps: 

Step 1: Go to the Google Admin Console and navigate to the Organizational Units section on the Admin Console home page. 

Step 2: Click on Create organizational unit. 

Step 3: Add a name and description for the organizational unit.  Choose the parent organizational unit under which you want to place the new organizational unit. By default, a newly created organizational unit will be placed under the top-level organizational unit. 

Note: The organizational unit's name may not be unique within the organization hierarchy but its name is unique amongst its sibling organizational units. Also, an organizational unit's name is case insensitive. 

Note:  You can also directly create a new organizational unit under an existing organizational unit by using the ‘+’ icon next to it. 

Learn how to move, rename, or delete a Google organizational unit

Once an organizational unit is created, users need to be added to it so that you can configure service access and settings to a specific group of users. By default, all users in a Google Workspace account belong to the top-level organizational unit; administrators can move users to other child organizational units if needed.  

To move users to an organizational unit, follow the below steps:

Step 1: From the Google Admin Console home page, select the Users tab. 

Step 2: Under the All organizations section on the left side of the page, choose whether you want to view Users from all organizational units or Users from selected organizational units, and select the required organizational unit from the list.

Step 3: Select the user(s) that you want to move to another organizational unit. Click More options-> Change organizational unit.

Step 4: Choose the organizational unit to which the user has to be moved. Review the settings and click on Change.

It might take 24 hours for these changes to reflect in your account.  

Note that a user can be a part of only one organizational unit at a time. This means that a user added to a child organizational unit will no longer be a part of the parent organizational unit.  

For example, consider an organizational unit named ‘Sales’ which has two child organizational units under it called ‘USA’ and ‘Europe.’ A user added to the ‘Europe’ organizational unit will not belong to the ‘Sales’ organizational unit anymore, even though it is the parent unit.  Nevertheless, the users in ‘USA’ and ‘Europe’ will inherit the settings applied to the ‘Sales’ organizational unit, unless custom settings have been applied. 

When you enroll Chrome devices in the Google Admin Console, they are automatically added to the top-level organizational unit.  These can be moved to different organizational units to configure settings and policies for specific devices. For example, to let teachers use Incognito mode on their Chromebook but not students, create an organizational unit containing the teachers' Chromebooks. Then, in the Devices settings section, turn on Incognito mode for just that organizational unit.

To move a device to an organizational unit: 

Step 1: Go to Devices in the Google Admin Console. 

Step 2: Navigate to Chrome OS Devices. 

Step 3: From the left panel on the page, select the organizational unit the device is part of. (You can also search for a particular device using its serial number) 

Step 4: Select the device you want to move and click the Move option at the top of the page. 

Step 5: Choose the organizational unit that you want to move the device to and click Move.  

After adding users and devices to organizational units, these can be used to set up user and device policies. As mentioned earlier, all child organizational units, by default, will inherit settings from their parents, but these can be overridden by applying custom settings. A Google Workspace administrator can let some people in the organization use a feature or service in their managed Google account, but not others.  Similarly, an admin can tailor settings for specific Chrome devices. Users or devices that have specific requirements are grouped into organizational units, after which, the desired settings can be applied to these units. Using organizational units, an administrator can: 

1) Turn services on or off for different users 

2) Change service settings for different users 

3) Change settings for different Chrome devices

A Google Workspace administrator can control users’ access to different Google services. When users sign into their account, they will only have access to services that are turned on for them in the Google Admin console. 

Follow the below steps to switch on or switch off an app service for specific users:

Step 1: In the Google Admin Console home page, go to the Apps section.

Step 2: Click on the tab Google Workspace.  

Step 3: On the left side, you can see all the organizational units listed. Select the organizational unit that contains the users for which you want to set up app services. This will show the status of all the apps for the selected organizational unit. 

Step 4:  Check the box next to the service you want to turn on or off. On the top of the page, choose whether you want to keep the service On or OFF for the selected organizational unit. For child organizational units, you can also choose the Inherit option, to directly inherit the settings the corresponding parent unit has for the selected service.  

For detailed steps on how this can be done for each Google service, see the table provided in the Google support page. 

The easiest way to manage service access for specific users is using organizational units.  The users for which you want to turn on a service are added to an organizational unit, and then the service is turned on for just that organizational unit. However, if you already use organizational units to control other settings, you might want to use access groups to control service access for specific users. There can also be situations when a service needs to be turned on for a group of users who belong to different organizational units. Access groups allow administrators to turn on services for a group of users within or across organizational units without altering the organizational structure.

To learn more about access groups, refer to this Google support documentation.

Similar to how users’ access to Google services can be controlled using organizational units, administrators can customize service settings as well.   To customize service settings for specific users, follow the below steps: 

Step 1: Log in to the Google Admin Console. Go to Apps -> Google Workspace. 

Step 2:  From the list of Google Workspace apps, click on the app whose settings you need to customize. You will be taken to the app settings page.  

Step 3: Click on a setting panel to expand that setting. Select the organizational unit that has the users for which you want to change the settings. 

Step 4: Configure the settings and choose one of the following options: 

a. Override: Overrides the inherited setting with a new value.  
b. Inherit: Reverts to the parent's setting if a custom value was previously set.  
 (Click Save if it is the top-level organizational unit). 

An administrator can control settings that are applied when people use a managed Chrome OS device, such as a Chromebook. Device-level settings apply for anyone who uses the device, even if they sign in as a guest or with a personal Gmail account. 

Note: You need to be a Chrome Enterprise Upgrade or Chrome Education Upgrade customer to perform this. 

Step 1: From the Admin console Home page, go to Menu ->  Devices -> Chrome -> Settings -> Device settings. 

Step 2: Navigate to Settings -> Device. 

Step 3: Select the organizational unit which contains all the devices for which you need to change the setting. To apply the setting to all devices, leave the top organizational unit selected. Apply the settings you want.  To learn about each setting in detail, refer the Google support page. 

Note: You can quickly find a setting using the Search or add a filter option at the top.

If a setting is inherited from a parent organizational unit, it shows “Inherited from Google Default” below that specific setting. If you have applied customized settings to override the inherited setting, you can see “Locally applied” below the setting name.

Step 4: Click Save. It might take up to 24 hours to apply for the settings to apply to everyone.

For larger organizations, it is better to turn on services for a group of users rather than an entire organizational unit. This lets you control service access for specific users without changing your organizational structure.  

There might be situations when a few users across different organizational units require access to a specific service. Since a user can only belong to a single organizational unit at a time, administrators can create access groups to manage service access for a group of users across organizational units.  

Note:  Access groups can only be created from the Google Admin Console, Google Cloud Directory Sync, or Directory API. A group created with Google Groups, or a dynamic group cannot be used as access groups.   

In the Google Admin console, an admin can turn off an organizational unit’s access to a Google service, such as Google Drive. If some users in that organizational unit need to use Drive, there are two options: 

1) Move the users to another organizational unit that has Google Drive turned on. (This will remove the users from the existing organizational unit, thereby altering the organizational structure) 

2) Create a group for these users and turn on Google Drive for the group. Each member in the group can access the service, even if their organizational unit has the service turned off. Groups used in this way, called access groups, can include any users or groups in your organization.  

To understand how access groups work, consider an organization where Google Drive is turned off for the Sales OU, and by default inheritance, users in the US and UK child OUs will not be able to access Google Drive. At the same time, the Sales heads of both US and UK units need access to Google Drive. For this, the administrator can create an access group in the Google Admin console, add the Sales heads to this group, and turn on Drive access for the group. Thus, by using access groups, service access can be customized for users across organizational units, without altering the organizational structure.

Access groups can only be used to turn on user access to Google services. They cannot be used to turn off user access to a service that is turned on for their organizational unit. For example, if Google Meet is turned off for an organizational unit, it can be turned on for selected users in that unit if they are added to an access group that has Google Meet turned on, whereas if Google meet is turned on for an organizational unit, it cannot be turned off for selected users by adding them to an access group. 


If the Google service is off for a user’s organizational unit but on for their access group, you can turn it off for the group by unsetting it at the group level. 

The following table gives the differences between an access group and an organizational unit:

As mentioned before, only groups created using the Admin console, Directory API, or Google Cloud Directory Sync can be used as access groups.  You cannot use a group created with Google Groups, at groups.google.com, or a dynamic group as an access group. 

Learn how to create an access group from the Google Admin console. (See Option 1) 

Similar to how service access can be customized using access groups, service settings (for example, Drive Sharing options) can be customized for a group of users in one or more organizational units. Groups used in this way are called configuration groups.

To learn more, read Customize service settings with configuration groups

In the Google Admin console, a Super Administrator can share the responsibility of managing the organizational account by assigning administrator roles to users in the organization. This gives the users access to the Google Admin console. An admin can assign the user a pre-built role available in the console to perform common business functions, or they can create a custom role to be assigned to the user. Learn more about administrator roles in the Google Admin console 

When assigning a role to a user, an administrator can restrict the role to an organizational unit, so that the assigned user can perform management functions for that organizational unit alone. For example, a user can be assigned the User Management Admin role for the ‘Sales’ organizational unit. The user will be able to create or delete user accounts in the ‘Sales’ organizational unit only; they won’t be able to create or delete user accounts for ‘HR’ or ‘Marketing’ units.

A custom role can include one or more administrator privileges for specific management tasks in your Google Admin console. The privileges you select when assigning a custom role to a user determine which home page controls are in the user's Admin console and what settings the user can manage. 

A custom role for an organizational unit can only be assigned certain privileges. If any other privileges are granted to the custom role, the scope of the role will not be restricted to an organizational unit.  The following are the privileges that can be assigned to a custom role for an organizational unit: 

Learn more about each of these privileges 

If you use Google Vault archiving and eDiscovery service, the custom role for an organizational unit can also be granted any of these privileges:

Step 1: In the Google Admin console Home page, go to Admin roles and click Create new role.

Step 2: Enter a name and description, and click Continue. From the list of privileges, select the privileges that you want to assign to the user, and click Continue. Make sure to check only those privileges that apply to organizational units. (See Administrator Privileges Required)

Step 3: Review the privileges and click CREATE ROLE to create the custom administrator role with selected privileges. Click Assign members.

Step 4: Enter the user to whom you want to assign the role. Choose the organizational unit to which you want to limit the role.

Step 5: Click ASSIGN ROLE. The assigned admin will now be able to manage specific management tasks for the users belonging to the selected organizational unit.

Actionable insights, best practices and tips for IT admins to protect SaaS data.

Explore SaaS 
data protection center

Get expert insights on SaaS data and security

A Complete Guide to Google Organizational Units

I acknowledge cookies need to be deleted from my browser to remove tracking.

Ensure complete tracking removal by deleting cookies from your browser. Click here to learn how.

These cookies are set through our site by a range of third-party social media services that we have added to the site to enable you to share our content with your friends and networks. These cookies are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies, you may not be able to use or see the social media sharing tools.

These cookies are necessary for the website to function and allow us to count visits and traffic sources so we can measure and improve the performance of our site. The cookies may be set by us or third-party providers in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. All information these cookies collect is aggregated and therefore anonymous.

This website uses cookies. We use cookies to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.Learn more about how we process personal data in our  Privacy Policy.

These cookies are set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They are based on uniquely identifying your browser and internet device. If you disable these cookies, you will experience fewer or no targeted advertising. You may still see advertisements.

A Complete Guide to Google Drive Backup

Gmail Backup: How to Backup Gmail Emails for Business (Step-By-Step Guide)

What Is Google Vault? How Is It Different from Backup?

12 Reasons Why You Need Google Workspace Backup

How to Back Up Outlook Emails: A Step-by-Step Guide

An Admin’s Guide to SharePoint Online Backup

10 Critical Reasons to Backup Microsoft 365 Data Immediately!

How to Backup OneDrive for Business: A Complete Guide for Admins

How to Backup Outlook Emails: A Complete Guide (with screenshots)

Microsoft Teams Recovery Wizard

Gmail Recovery Wizard

Google Classroom Recovery Wizard

Google Sites Recovery Wizard

OneDrive Recovery Wizard

SharePoint Recovery Wizard

How to Prevent Cyberbullying in Schools: Strategies, Tips, & Best Practices

Mental Health in Schools – The Ultimate Guide for School Administrators

How to Recover Deleted Emails from Gmail for Business

How to Recover Permanently Deleted Files from Google Drive for Business

How to Recover Deleted Gmail Account – A Complete Guide

How to Recover Permanently Deleted Files from OneDrive for Business

How to Recover Deleted SharePoint Files in Microsoft Office 365?

How to Recover Deleted Outlook Emails in Microsoft 365?

SaaS Backup Buying Guide

How to Transfer Your Google Drive Files to Another Account

Shared Drive for the Confused – Google Drive vs. Shared (Team) Drives

How to Use Google Takeout for Business: A Complete Guide

How to Delete a Google and Gmail Account

How to Import MBOX into Gmail: A Step-By-Step Guide

Demystifying Google Drive Document Sharing

Google Vault: The Ultimate Guide for IT Administrators (Updated)

Google G Suite Primary Domain Change Migration Guide

Admin's Guide to Using OneDrive Shared Folder and Files

A Complete Guide to Azure AD Administrative Units

Why do IT Admins Prefer SysCloud for SaaS Backup?

FERPA Compliance: A Complete Guide for Educational Institutions

Ransomware Recovery Guide: How to Recover from a Ransomware Attack

Gmail Security Settings: Strengthen Gmail Security against Phishing and Ransomware

5 Microsoft 365 Admin Center Outlook Settings to Stop Phishing Attacks

Insider Threats : A Guide to Your Cloud Apps Security

The State of G Suite Third-Party App Security – 2018 Report

14 Types of Phishing Attacks That IT Administrators Should Watch For

16 Top Brands That Scammers Target for Brand Impersonation Attack

How to Prevent a Phishing Attack? 17 Easy Hacks for Administrators

Google Drive Security : 3 Ways to Guarantee Safety

How Compliance to PCI Can Be Achieved in Google G Suite

SOX Compliance in Google Apps

Top 3 Critical Security Mistakes When Configuring a Google Apps Domain

Get complete control over users' access to apps and settings using Google organizational units. Learn how to use OUs effectively in the admin console.

Admin's Guide to Google Organizational Units

An in-depth guide on using Google organizational units effectively in the Admin console to get complete control over users' access to apps and settings.

A Complete Guide to Google Organizational Units

1. An introduction to organizational units in the Google Admin console

1.1. Why organizational units?

2. Organizational structure overview

3. Building the organizational structure

3.1. Create a new organizational unit

3.2. Move users to an organizational unit

3.3. Add a Chrome device to an organizational unit

4. Organizational units and permissions

4.1. Turn app services on or off for users

4.2. Change service settings for users

4.3. Change settings for Chrome devices

5. Google organizational units vs. access groups

5.1. Customize service access using access groups

5.2. How to create an access group

5.3. Customize service settings using configuration groups

6. Admin role for an organizational unit

6.1. Administrator privileges required

6.2. How to create a custom administrator role for an organizational unit

7. Data retention management for Google organizational units

7.1. Retain data at an organizational unit level using retention rules

7.2. Retain data at an organizational unit level using holds

7.3. Limitations of using retention rules and holds as a backup solution

8. SysCloud backup for Google Workspace

9. Google organizational units best practices

10. Frequently asked questions on Google organizational units