Manage Active Directory Organizational Units (OU) with PowerShell
Similar to any other Active Directory object, the OU structure can be managed using Active Directory Administrative Center (ADAC), the Active Directory Users and Computers (ADUC) MMC snap-in, and PowerShell. In this post, I am going to demonstrate how to manage the OU structure using PowerShell.
A new Organizational Unit can be created using the New-ADOrganizationalUnit cmdlet. The complete syntax can be reviewed using,
Get-Command New-ADOrganizationalUnit -Syntax
As the first step, I am going to create a new OU called "Asia" to represent the Asia branch.
New-ADOrganizationalUnit -Name "Asia" -Description "Asia Branch"
In the above command, -Description defines the description for the new OU. When no path is defined, the OU is created under the domain root. We can review the details of the new OU using,
Get-ADOrganizationalUnit -Identity "OU=Asia,DC=rebeladmin,DC=com"
We can add or change values of OU attributes using,
Get-ADOrganizationalUnit -Identity "OU=Asia,DC=rebeladmin,DC=com" | Set-ADOrganizationalUnit -ManagedBy "Asia IT Team"
The above command will set the ManagedBy attribute to "Asia IT Team".
Tip – When you use the ManagedBy attribute, make sure to use an existing Active Directory object for the value. It can be an individual user object or a group object. If not, the command will fail.
"Protect from Accidental Deletion" for an OU object is a nice small safeguard we can apply. It will prevent accidental deletion of the OU object. This is applied by default if you create the OU using ADAC or ADUC.
Get-ADOrganizationalUnit -Identity "OU=Asia,DC=rebeladmin,DC=com" | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
As the next step, I am going to create a sub OU under the Asia OU called "Users".
New-ADOrganizationalUnit -Name "Users" -Path "OU=Asia,DC=rebeladmin,DC=com" -Description "Users in Asia Branch" -ProtectedFromAccidentalDeletion $true
The above command will create an OU called Users under the path OU=Asia,DC=rebeladmin,DC=com. It is also protected from accidental deletion.
Now we have the OU structure created, and the next step is to move objects into it. For that we can use the Move-ADObject cmdlet.
Get-ADUser "tuser3" | Move-ADObject -TargetPath "OU=Users,OU=Asia,DC=rebeladmin,DC=com"
The above command will find the user "tuser3" and move the object to OU=Users,OU=Asia,DC=rebeladmin,DC=com.
We can also move multiple objects to the new OU.
Get-ADUser -Filter 'Name -like "Test*"' -SearchBase "OU=Users,OU=Europe,DC=rebeladmin,DC=com" | Move-ADObject -TargetPath "OU=Users,OU=Asia,DC=rebeladmin,DC=com"
In the above command, it will first search for all user accounts whose name starts with "Test" in OU=Users,OU=Europe,DC=rebeladmin,DC=com and then move all objects it finds to the new OU path.
Tip – If you have ProtectedFromAccidentalDeletion enabled on an object, it will not allow the object to be moved to a different OU. The protection needs to be removed before the object is moved.
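The steps above (create the OUs, protect them, move objects in) can be put together in a reusable form. The following is an added example, not code from the original post: it creates each OU only if it does not already exist, and moves objects while temporarily clearing ProtectedFromAccidentalDeletion and restoring it afterwards, so protected objects no longer make the move fail. The function names and the "Europe" source path are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is available; the function names and source OU below are illustrative.
Import-Module ActiveDirectory

function Initialize-Ou {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = ''
    )
    $dn = "OU=$Name,$Path"
    # -Filter returns nothing instead of throwing when the OU is missing, so this is idempotent
    $ou = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'"
    if (-not $ou) {
        $ou = New-ADOrganizationalUnit -Name $Name -Path $Path -Description $Description `
                  -ProtectedFromAccidentalDeletion $true -PassThru
    }
    return $ou
}

function Move-ADObjectSafely {
    # Accepts anything with a DistinguishedName (Get-ADUser, Get-ADComputer, Get-ADGroup output)
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$InputObject,
        [Parameter(Mandatory)][string]$TargetPath
    )
    process {
        $dn  = $InputObject.DistinguishedName
        $obj = Get-ADObject -Identity $dn -Properties ProtectedFromAccidentalDeletion
        $wasProtected = [bool]$obj.ProtectedFromAccidentalDeletion
        if ($wasProtected) {
            # Protection denies the delete right that a move needs (see the tip above)
            Set-ADObject -Identity $dn -ProtectedFromAccidentalDeletion $false
        }
        $moved = $null
        try {
            $moved = Move-ADObject -Identity $dn -TargetPath $TargetPath -PassThru
        }
        finally {
            # Re-protect at the new location, or at the old one if the move failed
            if ($wasProtected) {
                $current = if ($moved) { $moved.DistinguishedName } else { $dn }
                Set-ADObject -Identity $current -ProtectedFromAccidentalDeletion $true
            }
        }
        $moved
    }
}

$asia  = Initialize-Ou -Name 'Asia'  -Path 'DC=rebeladmin,DC=com'   -Description 'Asia Branch'
$users = Initialize-Ou -Name 'Users' -Path $asia.DistinguishedName -Description 'Users in Asia Branch'
Get-ADUser -Filter 'Name -like "Test*"' -SearchBase 'OU=Users,OU=Europe,DC=rebeladmin,DC=com' |
    Move-ADObjectSafely -TargetPath $users.DistinguishedName | Select-Object Name, DistinguishedName
```

Run it from an account that holds Create Child and Delete rights on both OUs; the final Select-Object shows each user's new distinguished name so the result can be checked.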
If we need to remove an OU object, it can be done using the Remove-ADOrganizationalUnit cmdlet.
The above command will remove the OU=Laptops,OU=Europe,DC=rebeladmin,DC=com Organizational Unit.
This marks the end of this blog post. I hope this was useful. If you have any questions, feel free to contact me at firstname.lastname@example.org; also follow me on Twitter @rebeladm to get updates about new blog posts.