Blog

How to Set Up Organizational Units in G Suite Correctly

Marie ProkopetsMarie Prokopets,Co-founder of Nira
Sub-sub-organization Unit

What are G Suite Organizations?

G Suite Organizations is an administrator’s tool in G Suite that allows you to place different users in separate groups, depending on the apps they need access to in order to do their job.

Organizations give you the ability to:

  • Turn services on and off for different groups of users
  • Configure service settings differently for different groups
  • Configure settings for Chrome OS devices if you’ve added those devices to an Organizational Unit.

Every G Suite domain starts with one top-level Organizational Unit that encompasses all users and services. It’s one big box with everyone and everything in it. It usually has the same name as your domain. Within this, you can create as many or as few sub-organizations as you want, building an organizational structure to keep track of them at the same time.

When you create a new Organizational Unit, it inherits the settings from its parent organization. So if you set up an Organizational Unit for your Sales team, everyone who is a member of the “Sales” Organizational Unit will have the same permissions and settings as everyone who is a member of ‘yourdomain.com.’ After the Organizational Unit is created, you can change the settings of that specific Organizational Unit to whatever you want.

Why would you want to use G Suite Organizations?

In most organizations, people with different roles need different levels of access. Everyone in sales needs access to CRM while another department might not need access at all. As data protection laws become tighter, it becomes more important to be able to show that only specific personnel have access to sensitive data for work reasons. Company financials, P&L statements, and employee personal data all require controlled access. Limiting access also prevents people from accidentally breaking something. The more people with access, the more likely something will go wrong.

G Suite Organizations lets you build a “virtual office building” inside G Suite where everyone only have access to the data and tools they need to do their jobs.

G Suite Admin Best Practices

Before we get into the details of how to do each step of setting up and operating G Suite Organizations, let’s talk for just a second about best practices for G Suite Admins.

  • New users should be onboarded quickly and efficiently, and old users should be removed from your G Suite completely as part of the exit process, ideally.
  • Employees and contractors are very different in the IRS’ eyes, and you don’t want to be penalized for mixing them up.
  • G Suite Admins can force Two-Factor Authentication for all users, which gives the most security for the least effort.
  • Any time you audit the G Suite users of a midsize company, you’re going to find a few users that everyone forgot existed, and a few apps that no-one’s even sure why they’re there. You’ll save money and improve security by closing these down. So it’s good to audit both annually.

Follow these basics first. Your G Suite implementation will then have a strong foundation that you can easily build Organization Units into.

How to set up G Suite Organizations

Setting up G Suite Organizational Unit is fairly simple. Here’s a step-by-step guide to doing everything from starting a new organization, to managing data access based on geography, and managing the overall structure of your organization.

Adding an Organizational Unit

Start by going to your Google Admin console, and find Organizational Units. Or jump straight there with this link:

https://admin.google.com/ac/orgunits

If you have just one Organizational Unit, here’s what you’ll see:

Create new Organizational Unit

Click that big yellow plus button and you’ll see this menu:

You have the option to name your new Organizational Unit anything you want, whether that’s by department, purpose, or any other criteria. I recommend starting with departments.

Once you’ve created your new Organizational Unit you’ll see it listed below the main organization’s name in the dashboard.

New Organizational Unit

Over on the right-hand side of the screen, your new Organizational Unit has its own set of controls.

Select that and you’ll see this:

Sub-organization unite

Where you see “Parent organizational unit” at the bottom of the window, you have the option to move the Organizational Unit so that it’s inside a different parent Organizational Unit by editing that field.

You can keep creating as many new organizational units as you like. If I create another one under Marketing, I’d end up with a new sub-organization inside “Marketing” which will be nested in the dashboard:

Sub-sub-organization Unit

Adding an Organizational Unit for Chrome Devices

If you want to apply rules to Chrome OS devices, like Chromebooks, you can do it here:

https://admin.google.com/AdminHome#ChromeDevices

Hover over the Organizational Unit you want to add your device to, then click “Add Suborganization.”

Enter the name you want to give your new sub-organization and add a description if you want to.

Your new sub-organization has been created. Note that you can’t do this for Android devices. To manage settings for users on Android devices, you have to use the device owner’s Organizational Unit.

Adding a new user to an Organizational Unit

To add a new user to your G Suite, start in Users and select the yellow plus sign above the list of users.

Users from all Organizational Units

You’ll be asked for that user’s details:

Add a new user

You can select what the user’s email address will be, manage password settings and add an image of the user. You can also select which Organizational Unit to add the user to. Here, I’ve left it the default option, which is to add the user to your top-level Organizational Unit. But you can add new users directly to any Organizational Unit you’ve already created. Once you have your Organizational Units built out, make sure new users get added to the right unit during your onboarding processes. This will keep your Organizational Units clean and prevent new employees from getting too much access accidentally.

Removing a user from an Organizational Unit

When a user moves on from your organization, you’ll want to remove them entirely from your G Suite as soon as possible. Here’s how to do that.

Head to “Users” from the Admin home screen and select the user you want to delete. Under the menu for that user, select “Delete user.”

You’ll be offered the chance to move all that user’s G Suite apps data over to an administrator or another user:

Delete user confirmation

Once you’ve chosen the right user to forward all that data to, click “Delete.”

You’ll see a confirmation window:

Successfully deleted user

That user has been permanently removed from the organization’s G Suite and all their data has been transferred.

How to Move Users to an Organizational Unit

By default, all users belong to your top-level Organizational Unit. But you can move them to new groups.

Start in your Google Admin Home screen. “Users” is at the top on the left.

Select that and you’ll see all your users. If you’ve never set up an Organizational Unit before you’ll see them all under the same top-level domain, in the same group as you.

Select the user you want to move, and hover over the three dots over on the right side of the screen to see these options:

Organizational Unit Menu

Scroll to “Change organizational unit” and you’ll be given the option of where to put this user:

Change organizational unit

Once you’ve selected the right destination Organizational Unit for that user, you’ll be asked to confirm your decision and reminded that your changes could take 24 hours to take effect:

Confirm User Organizational Unit Change

Control Settings for an Organizational Unit

Once you’ve created your new Organizational Unit, you’ll want to manage its settings. You do that in the settings for individual services, not from the Organizational Unit menu.

Just for the sake of an example, I’m doing it here with Hangouts Chat.

Find the service in Apps:

G Suite App Permissions

The default is to show you all users in all Organizational Units:

Hangouts G Suite Settings

Select the OU you want to edit settings for and you’ll see the settings on the right side of the screen:

Change G suite Settings for Service

You can see the settings are “inherited” since they’re the same as the main domain. I’ve set the status of Hangouts Chat to ‘Off’ for everyone in Marketing. When I click “Override,” these new settings will replace the ones that Marketing inherited from the main Organizational Unit when I created it. It can take up to 24 hours for the new settings to go live.

Managing Organizational Structure

You can create and manage an organizational structure between your G Suite Organizational Units. When you create a new G Suite Organizational Unit, it’s either a child of your top-level Organizational Unit or of another Organizational Unit.

But you can move Organizational Units around inside G Suite. So if you’ve created a child Organizational Unit and it’s in the wrong place, you can make it higher in the org chart as well as moving it sideways.

For example, here I have “Lead Acquisition” as a child of “Social Media Marketing” which doesn’t make much sense.

Manage Organization Structure - Mistake

Lead Acquisition makes more sense as a child of Marketing. This Organizational Unit should be the parent.

At the end of the row for each Organizational Unit is a menu and the middle choice is “Move organizational unit.”

Select that and you’ll see this:

Make Organizational Unit Parent

You’re choosing which unit that you want your Organizational Unit to be a child of. Here, you click the arrow next to the Organizational Unit you want, to both select it and collapse the menu below it:

Move Organizational Unit

Once you’ve found the right organization unit to place the this unit under, hit “Continue” and you’ll see a confirmation window:

Confirm Organizational Unit Move

As with all changes, this one will take up to 24 hours to take effect. Though when I did it, it was instant.

Fixed Organizational Unit

That looks more sensible!

Managing multiple domains

If you manage multiple domains, they behave for these purposes as if they’re one domain: users from all your domains are automatically added to your top-level Organizational Unit by default, and that Organizational Unit includes all your domains. You can add users from any domain you’re an Admin to any Organizational Unit.

Wrapping Up

Managing Organizational Units can seem like more work, but done correctly it can save you a ton of difficulties and bring structure to your organization. Being able to control permissions within G Suite for groups of users rather than having to do it for each individual user sets Admins free to get on with more important work. And moving users to the right Organizational Unit — or onboarding them directly into it — means they’ll automatically have access to the right tools and data.

Incredible companies use Nira

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
Former VP of IT at GitLab

Incredible companies use Nira