# Register an existing organizational unit with AWS Control Tower
An efficient way to bring multiple, existing AWS accounts into AWS Control Tower is to *extend governance* by AWS Control Tower to an entire organizational unit (OU).
To enable AWS Control Tower governance over an existing OU that was created with AWS Organizations, and its accounts, *register* the OU with your AWS Control Tower landing zone. You can register OUs that contain up to 1000 accounts. If an OU contains more than 1000 accounts, you cannot register it in AWS Control Tower.
When you register an OU, its member accounts are enrolled into the AWS Control Tower landing zone. They are governed by the controls that apply to their OU.
Starting with Landing Zone version 4.0, you can directly enable controls on an OU. Detective controls require AWS Config recording which can be activated by registering the OU or enabling AWS Config recording on the OU. Register OU will enable `AWSControlTowerBaseline`. Enable AWS Config recording will enable `ConfigBaseline`. For more information, see [Types of baselines](types-of-baselines.md) and [**The AWS Control Tower Controls Reference Guide**](link-to-new-guide.md)
**Note**
If you don't already have an AWS Control Tower landing zone, start by setting up a landing zone, either in a new organization created by AWS Control Tower, or in an existing AWS Organizations organization. For more details about how to set up a landing zone, see [Getting started with AWS Control Tower](getting-started-with-control-tower.md).
**What happens to my accounts when I register my OU?**
AWS Control Tower requires permission to establish trusted access between AWS CloudFormation and AWS Organizations on your behalf, so that AWS CloudFormation can deploy your stack to the accounts in your organization automatically.
+ The `AWSControlTowerExecution` role is added to all accounts with status **Not enrolled**.
+ Mandatory controls are enabled by default to your OU and all its accounts when you register your OU.
**Partial enrollment of accounts after an OU is registered**
It's possible to register an OU successfully, yet certain accounts may remain unenrolled. If so, these accounts do not meet some of the prerequisites for enrollment. If an account enrollment as part of the **Register OU** process does not succeed, the account status on the accounts page shows **Enrollment failed**. You may also see account information on your OU page such as **4 of 5**, in the accounts field.
For example, if you see **4 of 5**, it means that your OU has 5 accounts in total, and 4 of them enrolled successfully, but one account failed to enroll during the **Register OU** process. You can choose **Re-Register OU** to bring accounts into enrollment, after you make sure the accounts meet the enrollment prerequisites.
**IAM user prerequisites for registering an OU**
Your AWS Identity and Access Management (IAM) identity (user or role) or IAM Identity Center user identity must be included on the appropriate Account Factory portfolio when you perform the **Register OU** operation, even if you already have `Admin` permissions. Otherwise, the creation of the provisioned products will fail during registration. Failure occurs because AWS Control Tower relies upon the credentials of the IAM user or IAM Identity Center user identity when registering an OU.
The relevant portfolio is one created by AWS Control Tower, called **AWS Control Tower Account Factory Portfolio**. Navigate to it by choosing **Service Catalog > Account Factory > AWS Control Tower Account Factory Portfolio**. Then select the tab called **Groups, roles, and users** to view your IAM or IAM Identity Center identity. For more information on how to grant access, see [the documentation for AWS Service Catalog.](https://docs.aws.amazon.com//servicecatalog/latest/adminguide/catalogs_portfolios_users.html)
# Register an existing OU
In the AWS Control Tower console, on the **Organization** page, you can view all of of your organization's OUs and accounts in a hierarchy, including OUs that are registered with AWS Control Tower, and those that are not registered.
In general, unregistered OUs were created in AWS Organizations, and they are not governed by any other landing zone. You can register existing OUs that contain up to 1000 accounts. If an OU contains more than 1000 accounts, you cannot register it in AWS Control Tower.
**To register an existing OU from the console**
1. Sign in to the AWS Control Tower console at [https://console.aws.amazon.com/controltower](https://console.aws.amazon.com/controltower).
1. In the left-pane navigation menu, choose **Organization**.
1. On the **Organization** page, select the radio button next to the OU you want to register, then select **Register organizational unit** from the **Actions** dropdown menu at the upper right, or alternatively, select the name of the OU so you can view the **OU details** page for that OU.
1. On the **OU details** page, at the upper right you can select **Register OU** from the **Actions** dropdown menu.
The registration process takes a minimum of 10 minutes to extend governance to the OU, and up to 2 additional minutes for each additional account.
** To register an existing OU with APIs**
To register an existing OU with the AWS Control Tower APIs, you can call the `EnableBaseline` API with the `AWSControlTowerBaseline` in the `baselineIdentifier` field. For more information, see [Register an AWS Control Tower OU with APIs only](https://docs.aws.amazon.com//controltower/latest/userguide/walkthrough-baseline-steps.html).
**Results of registering an existing OU**
After you register an existing OU, the `AWSControlTowerExecution` role allows AWS Control Tower to extend governance to its individual accounts. Guardrails are enforced, and information about account activities is reported to your audit and logging accounts.
Other results include the following:
+ `AWSControlTowerExecution` allows auditing by the AWS Control Tower audit account.
+ `AWSControlTowerExecution` helps you configure your organization’s logging, so that all the logs for every account are sent to the logging account.
+ `AWSControlTowerExecution` ensures that your selected AWS Control Tower controls apply automatically to every individual account in your OUs, as well as to every new account you create in AWS Control Tower.
For a registered OU, you can provide compliance and security reports based on the auditing and logging features embodied by AWS Control Tower controls. Your security and compliance teams can verify that all requirements are met, and that no organizational drift has occurred. For more information about drift, see [Detect and resolve drift in AWS Control Tower](drift.md).
**Note**
One unusual situation can occur when AWS Control Tower displays OUs and their accounts. If you have created an account in a registered OU and then you subsequently move that enrolled account into another OU that’s not registered, particularly if you use AWS Organizations to move the account, you can see a result “1 of 0” accounts in your OU details page. Furthermore, you may have created another unenrolled account in that unregistered OU. If there’s an unregistered account, the console may read “1 of 1” for the OU. It will seem that the single (newly created) account is enrolled, but in fact it is not. You must enroll the new account.
# Create a new OU
Here's how to create an OU or a nested OU in AWS Control Tower.
**To create a new OU in AWS Control Tower**
1. Navigate to the **Organization** page.
1. Select **Create organizational unit** from the **Create resources** dropdown menu in the upper right.
1. Specify a name in the **OU name** field.
1. In the **Parent OU** dropdown, you can see the hierarchy of registered OUs. Select a parent OU for the new OU you’re creating.
1. Choose **Add**.
**Tip**
To add a nested OU in fewer steps, select the name of the parent OU shown in the table on the **Organization** page, view the **OU** page for that parent OU, and then choose **Add an OU** from the **Actions** dropdown menu in the upper right. The new OU is created as a nested OU under your selected OU, automatically.
**Note**
If your landing zone is not up to date, you will see a flat list instead of a hierarchy in the dropdown menu. Even if your landing zone includes nested OUs, you will not see L5 OU’s in the dropdown, because you cannot create a new OU beneath a L5 OU. For more information about nested OUs in AWS Control Tower, see [Nested OUs in AWS Control Tower](nested-ous.md).
# Remove an OU
AWS Control Tower supports separate console actions to *deregister* an OU and to *delete* an OU.
Deleting an OU is final. It cannot be undone.
**Considerations**
+ The OU must be empty of accounts for **Delete** and **Deregister** operations to succeed.
+ All optional controls must be removed from the OU.
+ You must deregister the OU before you delete it.
+ You can remove an OU from AWS Control Tower by deregistering it, without deleting it.
**To remove an OU from AWS Control Tower**
1. Sign in to the AWS Control Tower console at [https://console.aws.amazon.com/controltower](https://console.aws.amazon.com/controltower).
1. Navigate to the **Organization** page.
1. Select the name of the OU to view the **OU details** page, and be sure that all accounts are removed from the OU.
1. Also on the **OU details** page, be sure that all optional controls are removed from the OU.
1. Return to the **Organization** page and select the radio button next to the OU.
1. Select **Deregister organizational unit** from the **Actions** dropdown menu in the upper right.
1. **Stop here** if you do not wish to delete the OU entirely, only to deregister it from AWS Control Tower. To delete the OU completely, continue to the next step.
1. To continue, select **Delete** from the **Actions** dropdown menu in the upper right.
You must wait until the deregistration process is complete before you can deregister another OU.
**Note**
To remove accounts managed by AWS Control Tower, you can navigate to **Account factory** from the left navigation pane in the AWS Control Tower console. To remove accounts in the OU that are not managed by AWS Control Tower, go to the AWS Organizations console.
To deregister an OU programmatically, call the [`DisableBaseline` API](https://docs.aws.amazon.com//controltower/latest/APIReference/API_DisableBaseline.html).
# Common causes of failure during registration or re-registration
In general, when you register or re-register an OU, all accounts within that OU are enrolled in AWS Control Tower. However, it is possible that some accounts may fail to enroll, even if the OU as a whole is registered successfully. In these cases, you must resolve the pre-check failure related to the account and then try re-enrolling that account or OU.
If registration (or re-registration) of an OU or any of its member accounts fails, AWS Control Tower returns error messages for the member accounts that are affected. You can view the error messages on the **OU details** page, where a table aggregates the prechecks and account error messages. If a **Register OU ** operation fails, the table shows all of the error messages for all of the accounts under the OU. If needed, you also can view the error messages on the **Account details** page for each account.
Optionally, you can download a file containing a detailed report that shows which pre-checks did not pass, for offline analysis. You can complete the download by choosing the **Download** button, which appears at the upper right of the registration area.
This section lists the types of errors you may receive if pre-checks fail, and how to correct the errors.
**Landing Zone error**
+ **Landing zone not ready**
Reset your current landing zone, or update it to the latest version.
**OU errors**
+ **Exceeds maximum number of SCPs**
You may be over the limit for service control policies (SCPs) per OU, or you may have reached another quota. A limit of 5 SCPs per OU applies to all OUs in your AWS Control Tower landing zone. If you have more SCPs than the quota allows, you must delete or combine the SCPs.
+ **Conflicting SCPs**
Existing SCPs may be applied to the OU or account, which prevent AWS Control Tower from enrolling the account. Check the applied SCPs for any policy that may prevent AWS Control Tower from working. Be sure to check the SCPs that are inherited from OUs higher in the hierarchy.
+ **Exceeds stack set quota**
The stack set quota may have been exceeded. If you have more instances than the quota allows, you must delete some stack instances. For more information, see [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User Guide*.
+ **Exceeds account limit**
AWS Control Tower limits each OU to 1000 accounts during registration.
**Account errors**
+ **Pre-checks prevented on accounts**
An existing SCP on the OU prevents AWS Control Tower from conducting pre-checks on your OU member accounts. To resolve this pre-check failure, update or remove the SCP from the OU.
+ **Email address error**
The email address you specified for the account does not conform to the naming standards. Here is the regular expression (regex) that specifies which characters are allowed: `[A-Z0-9a-z._%+-]+@[A-Za-z0-9.-]+[.]+[A-Za-z]+`
+ **Config recorder or delivery channel enabled**
The account may have an existing AWS Config configuration recorder or delivery channel. These must be deleted or modified through the AWS CLI in all AWS Regions where the AWS Control Tower management account has governed resources, before you can enroll an account.
+ **STS disabled**
AWS Security Token Service (AWS STS) may be disabled in the account. AWS STS endpoints must be activated in the accounts for all Regions supported by AWS Control Tower.
+ **IAM Identity Center conflict**
The AWS Control Tower home Region is not the same as the AWS IAM Identity Center (IAM Identity Center) Region. If IAM Identity Center is already set up, the AWS Control Tower home region must be the same as the IAM Identity Center Region.
+ **Conflicting SNS topic**
The account has an Amazon Simple Notification Service (Amazon SNS) topic name that AWS Control Tower needs to use. AWS Control Tower creates resources (such as SNS topics) with specific names. If these names are already taken, AWS Control Tower setup fails. This situation could occur if you are reusing an account previously enrolled in AWS Control Tower.
+ **Suspended account detected**
This account has been suspended. It cannot be enrolled into AWS Control Tower. Remove the account from this OU, and try again.
+ **IAM user not in portfolio**
Add the AWS Identity and Access Management (IAM) user to the Service Catalog portfolio before registering your OU. This error pertains to the management account only.
+ **Account does not meet prerequisites**
The account doesn’t meet prerequisites for account enrollment. For example, the account may be missing roles and permissions required to enroll it in AWS Control Tower. Instructions for adding a role are available in [Manually add the required IAM role to an existing AWS account and enroll it](enroll-manually.md).
As a reminder, AWS CloudTrail is auto-enabled on all of your AWS accounts when you enroll them in AWS Control Tower. If CloudTrail is enabled on an account previous to enrollment, you could experience double-billing unless you deactivate CloudTrail before you begin the enrollment process.