Tag Archives: OU

Manage Active Directory Organizational Units (OU) with PowerShell

Similar to any other active directory object, OU structure can manage using Active Directory Administrative Center (ADAC), Active Directory Users and Computers (ADUC) MMC and PowerShell. In this post, I am going to demonstrate how to manage OU structure using PowerShell. 

New Organization Unit can create using New-ADOrganizationalUnit cmdlet. The complete syntax can review using,

Get-Command New-ADOrganizationalUnit -Syntax

As the first step, I am going to create new OU called “Asia” to represent Asia Branch. 

New-ADOrganizationalUnit -Name "Asia" -Description "Asia Branch"

In above command -Description defines description for new OU. When there is no path defined, it will create the OU under the root. We can review the details of the new OU using,

Get-ADOrganizationalUnit -Identity “OU=Asia,DC=rebeladmin,DC=com”

oup1

We can add/change values of OU attributes using, 

Get-ADOrganizationalUnit -Identity “OU=Asia,DC=rebeladmin,DC=com” | Set-ADOrganizationalUnit -ManagedBy “Asia IT Team”

Above command will set ManagedBy Attribute to “Asia IT Team”

Tip – When you use ManagedBy attribute, make sure to use existing active directory object for the value. It can be individual user object or group object. If not, command will fail. 

 “Protect from Accidental Deletion” for OU object is nice small safe guard we can apply. It will prevent Accidental OU object deletion. This will be apply by default if you create OU using ADAC or ADUC. 

Get-ADOrganizationalUnit -Identity “OU=Asia,DC=rebeladmin,DC=com” | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

As the next step, I am going to create Sub OU under Asia OU Called “Users”.

New-ADOrganizationalUnit -Name "Users" -Path “OU=Asia,DC=rebeladmin,DC=com” -Description “Users in Asia Branch” -ProtectedFromAccidentalDeletion $true

Above command will create OU called Users under path OU=Asia,DC=rebeladmin,DC=com. It is also protected from accidental deletion. 

Now we have OU structure created and next step is move objects to it. for that we can use Move-ADObject cmdlet. 

Get-ADUser “tuser3” | Move-ADObject -TargetPath “OU=Users,OU=Asia,DC=rebeladmin,DC=com”

Above command will find user “tuser3” and move object to OU=Users,OU=Asia,DC=rebeladmin,DC=com

We also can move multiple object to the new OU. 

Get-ADUser -Filter 'Name -like "Test*"' -SearchBase “OU=Users,OU=Europe,DC=rebeladmin,DC=com” | Move-ADObject -TargetPath “OU=Users,OU=Asia,DC=rebeladmin,DC=com”

In above command, It will first search all the user accounts what is starts with “Test” in OU=Users,OU=Europe,DC=rebeladmin,DC=com and then move all objects it found to new OU path. 

Tip – If you have ProtectedFromAccidentalDeletion enable on objects, it will not allow to move object to different OU. It need to remove before object move.

If we need to remove OU object it can be done using Remove-ADOrganizationalUnit cmdlet. 

Remove-ADOrganizationalUnit “OU=Laptops,OU=Europe,DC=rebeladmin,DC=com”

Above command will remove OU=Laptops,OU=Europe,DC=rebeladmin,DC=com Organization Unit. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step Guide to create Organizational Unit (OU) in Azure AD Domain Service Managed Domain

Organizational unit in active directory is a container where you can place users, computers, groups and other organization units even. OU are helps to create logical structure of the AD. You can use it to assign group policies and manage the resources.  This is common procedure in in-house domain environment, but what about the Azure managed domain? Can engineers use same method?

Answer is YES, but with some limitations. It is managed domain so you do not have full control over the functions such as complex group policies etc. I will explain those in later article but for the Organizational units, we can create those and manage those in azure managed domain. There is no option in azure portal to create this, this need to be created using a PC, server which is connected to the Azure Ad managed domain.

I wrote an article about adding a VM to the Azure managed domain. It is good place to start with http://www.rebeladmin.com/2016/05/step-step-guide-manage-azure-active-directory-domain-service-aad-ds-managed-domain-using-virtual-server/ . To create OU, you must have this done before start.

You also need be a member of AAD DC Administrators group.

Let’s see how we can create OU.

In my demo I am using a windows 2016 TP5 server which is connected to managed domain. Also I logged in as a member of AAD DC Administrators group.

ou1

Also I have already installed AD DS and AD LDS Tools (Remote server administration tools > Role administration tools > AD DS and AD LDS Tools)

ou2

To start the process, go to Server Manager > Tools > Active Directory Administrative Center

ou3

In left hand side in the console click on the managed domain

ou4

In the right hand under the Tasks click on New > Organizational Unit

ou5

In next window we can provide the information about new OU and click OK to complete.

ou6

Then you can see the new OU added.

ou7

By default the user account I used for to create the OU got full permissions to control the OU.

ou8

Now you can create new users, groups under this OU. But keep in mind you CANNOT move any users, groups which is already under AADDC users OU. It’s the default OU for the users, groups added via azure portal.

ou13

Also the users and groups added under new OU will not be visible on azure portal. It’s only valid inside the managed domain environment.

Hope this article was helpful. If you got any questions feel free to contact me on rebeladm@live.com