How to Set Up Organizational Units in G Suite Correctly
What are G Suite Organizations?
G Suite Organizations is an administrator’s tool in G Suite that allows you to place different users in separate groups, depending on the apps they need access to in order to do their job.
Organizations give you the ability to:
- Turn services on and off for different groups of users
- Configure service settings differently for different groups
- Configure settings for Chrome OS devices if you’ve added those devices to an Organizational Unit.
Every G Suite domain starts with one top-level Organizational Unit that encompasses all users and services. It’s one big box with everyone and everything in it. It usually has the same name as your domain. Within this, you can create as many or as few sub-organizations as you want, building an organizational structure to keep track of them at the same time.
When you create a new Organizational Unit, it inherits the settings from its parent organization. So if you set up an Organizational Unit for your Sales team, everyone who is a member of the “Sales” Organizational Unit will have the same permissions and settings as everyone who is a member of ‘yourdomain.com.’ After the Organizational Unit is created, you can change the settings of that specific Organizational Unit to whatever you want.
Why would you want to use G Suite Organizations?
In most organizations, people with different roles need different levels of access. Everyone in sales needs access to CRM while another department might not need access at all. As data protection laws become tighter, it becomes more important to be able to show that only specific personnel have access to sensitive data for work reasons. Company financials, P&L statements, and employee personal data all require controlled access. Limiting access also prevents people from accidentally breaking something. The more people with access, the more likely something will go wrong.
G Suite Organizations lets you build a “virtual office building” inside G Suite where everyone only have access to the data and tools they need to do their jobs.
G Suite Admin Best Practices
Before we get into the details of how to do each step of setting up and operating G Suite Organizations, let’s talk for just a second about best practices for G Suite Admins.
- New users should be onboarded quickly and efficiently, and old users should be removed from your G Suite completely as part of the exit process, ideally.
- Employees and contractors are very different in the IRS’ eyes, and you don’t want to be penalized for mixing them up.
- G Suite Admins can force Two-Factor Authentication for all users, which gives the most security for the least effort.
- Any time you audit the G Suite users of a midsize company, you’re going to find a few users that everyone forgot existed, and a few apps that no-one’s even sure why they’re there. You’ll save money and improve security by closing these down. So it’s good to audit both annually.
Follow these basics first. Your G Suite implementation will then have a strong foundation that you can easily build Organization Units into.
How to set up G Suite Organizations
Setting up G Suite Organizational Unit is fairly simple. Here’s a step-by-step guide to doing everything from starting a new organization, to managing data access based on geography, and managing the overall structure of your organization.
Adding an Organizational Unit
Start by going to your Google Admin console, and find Organizational Units. Or jump straight there with this link:
If you have just one Organizational Unit, here’s what you’ll see:
Click that big yellow plus button and you’ll see this menu:
You have the option to name your new Organizational Unit anything you want, whether that’s by department, purpose, or any other criteria. I recommend starting with departments.
Once you’ve created your new Organizational Unit you’ll see it listed below the main organization’s name in the dashboard.
Over on the right-hand side of the screen, your new Organizational Unit has its own set of controls.
Select that and you’ll see this:
Where you see “Parent organizational unit” at the bottom of the window, you have the option to move the Organizational Unit so that it’s inside a different parent Organizational Unit by editing that field.
You can keep creating as many new organizational units as you like. If I create another one under Marketing, I’d end up with a new sub-organization inside “Marketing” which will be nested in the dashboard:
Adding an Organizational Unit for Chrome Devices
If you want to apply rules to Chrome OS devices, like Chromebooks, you can do it here:
Hover over the Organizational Unit you want to add your device to, then click “Add Suborganization.”
Enter the name you want to give your new sub-organization and add a description if you want to.
Your new sub-organization has been created. Note that you can’t do this for Android devices. To manage settings for users on Android devices, you have to use the device owner’s Organizational Unit.
Adding a new user to an Organizational Unit
To add a new user to your G Suite, start in Users and select the yellow plus sign above the list of users.
You’ll be asked for that user’s details:
You can select what the user’s email address will be, manage password settings and add an image of the user. You can also select which Organizational Unit to add the user to. Here, I’ve left it the default option, which is to add the user to your top-level Organizational Unit. But you can add new users directly to any Organizational Unit you’ve already created. Once you have your Organizational Units built out, make sure new users get added to the right unit during your onboarding processes. This will keep your Organizational Units clean and prevent new employees from getting too much access accidentally.
Removing a user from an Organizational Unit
When a user moves on from your organization, you’ll want to remove them entirely from your G Suite as soon as possible. Here’s how to do that.
Head to “Users” from the Admin home screen and select the user you want to delete. Under the menu for that user, select “Delete user.”
You’ll be offered the chance to move all that user’s G Suite apps data over to an administrator or another user:
Once you’ve chosen the right user to forward all that data to, click “Delete.”
You’ll see a confirmation window:
That user has been permanently removed from the organization’s G Suite and all their data has been transferred.
How to Move Users to an Organizational Unit
By default, all users belong to your top-level Organizational Unit. But you can move them to new groups.
Start in your Google Admin Home screen. “Users” is at the top on the left.
Select that and you’ll see all your users. If you’ve never set up an Organizational Unit before you’ll see them all under the same top-level domain, in the same group as you.
Select the user you want to move, and hover over the three dots over on the right side of the screen to see these options:
Scroll to “Change organizational unit” and you’ll be given the option of where to put this user:
Once you’ve selected the right destination Organizational Unit for that user, you’ll be asked to confirm your decision and reminded that your changes could take 24 hours to take effect:
Control Settings for an Organizational Unit
Once you’ve created your new Organizational Unit, you’ll want to manage its settings. You do that in the settings for individual services, not from the Organizational Unit menu.
Just for the sake of an example, I’m doing it here with Hangouts Chat.
Find the service in Apps:
The default is to show you all users in all Organizational Units:
Select the OU you want to edit settings for and you’ll see the settings on the right side of the screen:
You can see the settings are “inherited” since they’re the same as the main domain. I’ve set the status of Hangouts Chat to ‘Off’ for everyone in Marketing. When I click “Override,” these new settings will replace the ones that Marketing inherited from the main Organizational Unit when I created it. It can take up to 24 hours for the new settings to go live.
Managing Organizational Structure
You can create and manage an organizational structure between your G Suite Organizational Units. When you create a new G Suite Organizational Unit, it’s either a child of your top-level Organizational Unit or of another Organizational Unit.
But you can move Organizational Units around inside G Suite. So if you’ve created a child Organizational Unit and it’s in the wrong place, you can make it higher in the org chart as well as moving it sideways.
For example, here I have “Lead Acquisition” as a child of “Social Media Marketing” which doesn’t make much sense.
Lead Acquisition makes more sense as a child of Marketing. This Organizational Unit should be the parent.
At the end of the row for each Organizational Unit is a menu and the middle choice is “Move organizational unit.”
Select that and you’ll see this:
You’re choosing which unit that you want your Organizational Unit to be a child of. Here, you click the arrow next to the Organizational Unit you want, to both select it and collapse the menu below it:
Once you’ve found the right organization unit to place the this unit under, hit “Continue” and you’ll see a confirmation window:
As with all changes, this one will take up to 24 hours to take effect. Though when I did it, it was instant.
That looks more sensible!
Managing multiple domains
If you manage multiple domains, they behave for these purposes as if they’re one domain: users from all your domains are automatically added to your top-level Organizational Unit by default, and that Organizational Unit includes all your domains. You can add users from any domain you’re an Admin to any Organizational Unit.
Managing Organizational Units can seem like more work, but done correctly it can save you a ton of difficulties and bring structure to your organization. Being able to control permissions within G Suite for groups of users rather than having to do it for each individual user sets Admins free to get on with more important work. And moving users to the right Organizational Unit — or onboarding them directly into it — means they’ll automatically have access to the right tools and data.