Create large number of OUs with set structure and delegation
Create large numbers of OUs with PowerShell that match a fixed structure
September 8, 2016
Q. I need to create a large number of OUs with a set structure of child OUs with each OU delegated to different users. What is a good way of doing this?
A. PowerShell to the rescue. I've received a number of requests where people need to create multiple OUs, each containing Users, Groups and Computers child OUs, and then want to be able to delegate full control of each OU to different people. In the script below the following happens:
I create a two-dimensional array with the lab name and location, and then a variable which will be the parent OU for all the OUs being created
For each lab in the array, check whether the OU already exists
If the lab OU does not exist, create it and then inside it create Users, Groups and Servers child OUs
Create a group named "<LAB> Admins" in the Groups OU
Delegate full control permissions on the lab OU to the created group
The script is shown below.
# Needed for the New-AD* cmdlets and for the AD: drive used by Get-Acl/Set-Acl
Import-Module ActiveDirectory

$LABs = @(("LABATL","Atlanta"),("LABBOS","Boston"),("LABCHI","Chicago"),("LABDAL","Dallas"),("LABDET","Detroit"),("LABIRV","Irvine"),("LABLA","Los Angeles"),("LABMPLS","Minneapolis"),("LABNY","New York"),("LABPHL","Philadelphia"),("LABRES","Reston"),("LABSIVY","Silicon Valley"),("LABSTL","St. Louis"),("LABTOR","Toronto"))
$ParentOU = "OU=NA,DC=savilltech,DC=net"

foreach($LAB in $LABs)
{
    #Check if exists, if it does skip
    #Build the DN from $ParentOU so the existence check looks in the same domain the OU is created in
    [string] $Path = "OU=$($LAB[0]),$ParentOU"
    if(![adsi]::Exists("LDAP://$Path"))
    {
        $NewOU = New-ADOrganizationalUnit -Name $LAB[0] -Path $ParentOU `
            -Description $LAB[1] `
            -ProtectedFromAccidentalDeletion $false -PassThru

        #Create the child OUs for objects
        $OUUsers = New-ADOrganizationalUnit -Name "Users" -Path $NewOU.DistinguishedName `
            -Description "Users" `
            -ProtectedFromAccidentalDeletion $false -PassThru
        $OUGroups = New-ADOrganizationalUnit -Name "Groups" -Path $NewOU.DistinguishedName `
            -Description "Groups" `
            -ProtectedFromAccidentalDeletion $false -PassThru
        $OUServers = New-ADOrganizationalUnit -Name "Servers" -Path $NewOU.DistinguishedName `
            -Description "Servers" `
            -ProtectedFromAccidentalDeletion $false -PassThru

        #Create a delegated admins group for the OU
        $AdminGroupName = "$($LAB[0]) Admins"
        $AdminGroup = New-ADGroup -Name $AdminGroupName -GroupCategory Security -GroupScope Global `
            -DisplayName $AdminGroupName -Path $OUGroups.DistinguishedName `
            -Description "Delegated Administrators for OU $($LAB[0])" -PassThru

        #Grant the group full control on the OU (explicit ACE, inherited by all child objects)
        $GrpSID = New-Object System.Security.Principal.SecurityIdentifier $AdminGroup.SID
        $OUacl = Get-Acl -Path "AD:\$($NewOU.DistinguishedName)"
        $identity = [System.Security.Principal.IdentityReference] $GrpSID
        $adRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
        $type = [System.Security.AccessControl.AccessControlType] "Allow"
        $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
        $NewACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
        $OUacl.AddAccessRule($NewACE)
        Set-Acl -AclObject $OUacl -Path "AD:\$($NewOU.DistinguishedName)"
    }
}
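Because a GenericAll ACE with inheritance set to All hands over the whole lab OU subtree, it is worth confirming afterwards that each lab OU carries that grant only for its own "<LAB> Admins" group. The following audit script is an added example, not part of the original post: it walks the lab OUs under $ParentOU, lists every explicit (non-inherited) ACE that grants GenericAll, WriteDacl or WriteOwner, and marks each one as Expected, Baseline or Review. The $Baseline list (the principals the default OU security descriptor grants full control to) is an assumption you should adjust to your own forest.

```powershell
# Added audit example (not from the original post). Assumes the OU/domain names used
# in the post above and that the ActiveDirectory module is available.
Import-Module ActiveDirectory

$ParentOU = "OU=NA,DC=savilltech,DC=net"
$NetBIOS  = (Get-ADDomain).NetBIOSName

# Assumed baseline: principals that legitimately hold an explicit full-control ACE on every OU
$Baseline = @("$NetBIOS\Domain Admins", "NT AUTHORITY\SYSTEM")

# Rights that amount to taking over the OU and everything beneath it
$HighRights = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
              [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl  -bor
              [int][System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

$findings = foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $ParentOU -SearchScope OneLevel) {
    # The post names the delegated group "<LAB> Admins", where <LAB> is the OU name
    $expected = "$NetBIOS\$($ou.Name) Admins"
    $acl      = Get-Acl -Path "AD:\$($ou.DistinguishedName)"

    # Only explicit Allow ACEs carrying at least one of the high-privilege rights
    $explicit = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $HighRights) -ne 0)
    }

    foreach ($ace in $explicit) {
        $who = $ace.IdentityReference.Value
        [pscustomobject]@{
            OU       = $ou.Name
            Identity = $who
            Rights   = $ace.ActiveDirectoryRights
            Inherit  = $ace.InheritanceType
            Status   = if ($who -eq $expected)        { 'Expected' }
                       elseif ($Baseline -contains $who) { 'Baseline' }
                       else                              { 'Review'   }
        }
    }

    # Flag lab OUs where the intended delegation is absent altogether
    if (-not ($explicit | Where-Object { $_.IdentityReference.Value -eq $expected })) {
        [pscustomobject]@{ OU = $ou.Name; Identity = $expected; Rights = 'none'; Inherit = '-'; Status = 'Missing' }
    }
}

$findings | Sort-Object OU, Status | Format-Table -AutoSize
```

Any row marked Review is an explicit high-privilege grant on a lab OU that neither the delegation script nor the default security descriptor accounts for, and Missing rows show lab OUs where the "<LAB> Admins" grant was never applied.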