How to Set Up Organizational Units in G Suite Correctly

G Suite Administrators can arrange their users into containers called Organizational Units, which allow you to set different app permissions for different users by allocating them to different Units.

Using Organizational Units can just lead to more headaches if it’s not done right: fortunately, it’s fairly simple to set up and operate. In this guide, we’ll talk briefly about some best practices and then jump into the nitty-gritty of how to set up and operate G Suite Organizational Units.

What are G Suite Organizations?

G Suite Organizations is an administrator’s tool in G Suite that allows you to place different users in separate groups, depending on the apps they need access to in order to do their job.

Organizations give you the ability to:

  • Apply policies to turn services on and off for different users
  • Configure service settings differently for different users
  • Configure settings for Chrome OS devices, if you’ve added those devices to an Organizational Unit.

Every domain starts with one top-level Organizational Unit that encompasses all users and services: one big box, with everyone and everything in it. It usually has the same name as your domain. Within this, you can create as many or as few sub-organizations as you want, building an organizational structure to keep track of them at the same time.

When you create a new Organizational Unit, it inherits the settings from its parent organization. So if you set up an Organizational Unit for your Sales team, everyone who is a member of the ‘Sales’ Organizational Unit will have the same permissions and settings as everyone who is a member of ‘yourdomain.com.’ Once the Organizational Unit is created though, you can change the settings of that specific Organizational Unit.

Why would you want to use G Suite Organizations?

In most organizations, people with different roles need different levels of access and the use of different apps. Everyone in sales needs access to CRM; another department might not need it. As data protection laws become tighter, it becomes more important to be able to show that only specific personnel have access to sensitive data for work reasons. Company financials, P&L statements, and employee personal data all require controlled access.

G Suite Organizations lets you build a ‘virtual office building’ inside G Suite, one where everyone only access to the data and tools they need to do their jobs.

G Suite Admin Best Practices

Before we get into the details of how to do each step of setting up and operating G Suite Organizations, let’s talk for just a second about best practices for a G Suite Admin.

  • New users should be onboarded quickly and efficiently, and old users should be removed from your G Suite completely as part of the exit process, ideally.
  • Employees and contractors are very different in the IRS’ eyes, and you don’t want to be penalized for mixing them up.
  • G Suite Admins can enforce Two-Factor Authentication, which I think is the most security for the least effort, and improve security by manually watching for suspicious behavior.
  • Any time you audit the G Suite users of a midsize company, you’re going to find a few users that everyone forgot existed, and a few apps that no-one’s even sure why they’re there, so it’s good to audit both annually.

How to set up G Suite Organizations

Setting up G Suite Organizational Unit is fairly simple. Here’s a step-by-step guide to doing everything from starting a new organization, to managing data access based on geography and managing the overall structure of your organization.

Adding an Organizational Unit

Start by going to your Google Admin console, and find Organizational Units — or jump straight there:

https://admin.google.com/ac/orgunits

If you have just one Organizational Unit, here’s what you’ll see:

Create new Organizational Unit

Click that big yellow plus and you’ll see this menu:

You have the option to name your new Organizational Unit anything you want, whether that’s by department, purpose, or any other criteria.

Once you’ve created your new Organizational Unit you’ll see it listed below the main organization’s name in the dashboard.

New Organizational Unit

Over on the right-hand side of the screen, your new Organizational Unit has its own set of controls.

Select that and you’ll see this:

Sub-organization unite

Where you see ‘Parent organizational unit’ at the bottom of the window, you have the option to move the Organizational Unit so that it’s inside a different parent Organizational Unit by editing that field.

You can also keep creating as many new organizational units as you like. If I create another one under Marketing, I’d end up with a new sub-organization inside ‘Marketing’ which will be nested in the dashboard:

Sub-sub-organization Unit

Adding an Organizational Unit for Chrome devices

If you want to apply rules to Chrome OS devices, like Chromebooks, you can do it here:

https://admin.google.com/AdminHome#ChromeDevices

Hover over the Organizational Unit you want to add your device to, then click ‘Add Suborganization.’

Enter the name you want to give your new sub-organization and add a description if you want to.

Your new sub-organization has been created. Note that you can’t do this for Android devices. To manage settings for users on Android devices, you have to use the device owner’s Organizational Unit.

Adding a new user to an Organizational Unit

To add a new user to your G Suite, start in Users and select the yellow plus sign above the list of users.

Users from all Organizational Units

You’ll be asked for that user’s details:

Add a new user

You can select what the user’s email address will be, manage password settings and add an image of the user. You can also select which Organizational Unit to add the user to. Here, I’ve left it the default option, which is to add the user to your top-level Organizational Unit, by default the same as your domain. But you can add new users directly to any Organizational Unit you’ve already created.

Removing a user from an Organizational Unit

When a user moves on from your organization, you’ll want to remove them entirely from your G Suite as soon as possible. Here’s how to do that.

Head to ‘Users’ from the Admin home screen and select the user you want to delete. Under the menu for that user, select ‘Delete user.’

You’ll be offered the chance to move all that user’s G Suite apps data over to an administrator or another user:

Delete user confirmation

Once you’ve chosen the right user to forward all that data to, click ‘Delete.’

You’ll see a confirmation window:

Successfully deleted user

That user has been permanently removed from the organization’s G Suite and all their data has been transferred.

How to move users to an Organizational Unit

By default, all users belong to your top-level Organizational Unit. But you can move them to new groups.

Start in your Google Admin Home screen. ‘Users’ is at the top on the left.

Select that and you’ll see all your users. If you’ve never set up an Organizational Unit before you’ll see them all under the same top-level domain, in the same group as you.

Select the user you want to move, and hover over the three dots over on the right side of the screen to see these options:

Organizational Unit Menu

Scroll to ‘Change organizational unit’ and you’ll be given the option of where to put this user:

Change organizational unit

Once you’ve selected the right destination Organizational Unit for that user, you’ll be asked to confirm your decision and reminded that your changes could take 24 hours to take effect:

Confirm User Organizational Unit Change

Control settings for an Organizational Unit

Once you’ve created your new Organizational Unit, you’ll want to manage its settings.

To do that, start by moving users to the Organizational Unit.

Once you’ve moved the right users into the right Organizational Unit, you can manage the settings. You do that in the settings for individual services, not from the Organizational Unit menu.

Just for the sake of an example, I’m doing it here with Hangouts Chat.

Find the service in Apps:

G Suite App Permissions

The default is to show you all users in all Organizational Units:

Hangouts G Suite Settings

Select the OU you want to edit settings for and you’ll see the settings on the right side of the screen:

Change G suite Settings for Service

You can see the settings are ‘inherited’ — they’re the same as for the main domain. I’ve set the status of Hangouts Chat to ‘Off’ for everyone in Marketing. When I click ‘Override,’ these new settings will replace the ones that Marketing inherited from the main Organizational Unit when I created it. It can take up to 24 hours for the new settings to percolate through.

Managing organizational structure

You can create and manage an organizational structure between your G Suite Organizational Units. When you create a new G Suite Organizational Unit, it’s either a child of your top-level Organizational Unitor of another Organizational Unit.

But you can move Organizational Units around inside G Suite. So if you’ve created a child Organizational Unit and it’s in the wrong place, you can make it higher in the org chart as well as moving it sideways.

For example, here I have ‘Lead Acquisition’ as a child of ‘Social Media Marketing’ — which doesn’t make much sense.

Manage Organization Structure - Mistake

That’s a specialized function of marketing, itself a lead acquisition activity: this Organizational Unit should be the parent.

At the end of the row for each Organizational Unit is a menu, and the middle choice is ‘Move organizational unit.’

Select that and you’ll see this:

Make Organizational Unit Parent

You’re choosing which unit that you want your Organizational Unit to be a child of — just like you were putting a folder inside another one in Google Drive. Here, you click the arrow next to the Organizational Unit you want, to both select it and collapse the menu below it:

Move Organizational Unit

Once you’ve found the right organization unit to place the this unit under, hit ‘Continue’ and you’ll see a confirmation window:

Confirm Organizational Unit Move

As with all changes, this one will take up to 24 hours to take effect — though in fact when I did it, it was instant.

Fixed Organizational Unit

That looks more sensible!

Managing multiple domains

If you manage multiple domains, they behave for these purposes as if they’re one domain: users from all your domains are automatically added to your top-level Organizational Unit by default, and that Organizational Unit includes all your domains. You can add users from any domain you’re an Admin for to any Organizational Unit.

Wrapping up

Managing Organizational Units can seem like more work, but done correctly it can save you a ton of difficulties and bring structure to your organization. Being able to control permissions for groups of users rather than having to do it for each individual user sets Admins free to get on with more important work. And moving users to the right Organizational Unit — or onboarding them directly into it — means they’ll automatically have access to the right tools and data.