# Organizations {% hint style="info" %} This page was generated from content adapted from the [AWS Developer Guide](https://github.com/awsdocs/aws-control-tower-guide.git) {% endhint %} ## Extend governance to an existing organization * **Note**\ During set up, AWS Control Tower performs pre-checks to avoid common issues. However, if you are currently using the AWS Landing Zone solution for AWS Organizations, check with your AWS solutions architect before you try to enable AWS Control Tower in your organization to determine if AWS Control Tower may interfere with your current landing zone deployment. Also, see [What if the account does not meet the prerequisites?](https://github.com/kevinslin/aws-reference-notes/blob/main/services/aws_control_tower/enroll-account.md#fulfill-prerequisites) for information about moving accounts from one landing zone to another. ## Nested OUs * **Tip**\ You can make use of control inheritance to help stay within an OU's SCP quota. For example, you can enable a control at the top-level OU of an OU hierarchy, instead of enabling directly for a nested OU. * **Note**\ The status **Inherited** indicates that the control was applied to an OU higher in the tree, and it is enforced on this OU, but it was not added directly to this OU. ## Register an OU to enroll multiple accounts * **Note**\ If you don't already have an AWS Control Tower landing zone, start by setting up a landing zone, either in a new organization created by AWS Control Tower, or in an existing AWS Organizations organization. For more details about how to set up a landing zone, see [Getting started with AWS Control Tower](https://github.com/kevinslin/aws-reference-notes/blob/main/services/aws_control_tower/getting-started-with-control-tower.md). ## Update organizations * **Tip**\ When you re-register an OU, or when you're updating your landing zone version and multiple member accounts, you may see a failure message mentioning the **StackSet-AWSControlTowerExecutionRole**. This StackSet in the management account can fail because the **AWSControlTowerExecution** IAM role already exists in all enrolled member accounts. This error message is expected behavior, and it can be disregarded. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://awsnotes.dendron.so/management-and-governance/aws-control-tower/topics/organizations.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.