Create Active Directory OU Reports with PowerShell. An organizational unit (OU) is an Active Directory (AD) container where users, groups, computers, and other OUs can be stored. Each AD domain can have its own organizational unit hierarchy. This article covers OU management: how to use Windows PowerShell scripts to create, move, and delete OUs, generate OU reports in AD, and link and enforce a Group Policy on an OU.
Prerequisites
To follow along with the example scripts in this article, we'll need the following prerequisites in place:
- Domain functional level – Windows Server 2016.
- Remote Server Administration Tools (RSAT) for Active Directory installed on your domain-joined workstation.
- The latest PowerShell version; PowerShell 5.x or later is required to execute the scripts.
So, how do we create Active Directory OU reports with PowerShell? Let's find out.
Understanding the Organizational Unit Commands
An organizational unit (OU) is a Microsoft Active Directory domain container that can hold users, groups, and computers. It is the smallest unit to which a Windows system administrator can assign a Group Policy setting or account permission. An organizational unit may contain multiple OUs, but each attribute within the containing OU must be distinct.
Create OUs in Active Directory with PowerShell
We can create a new organizational unit in AD by using the New-ADOrganizationalUnit command and specifying the name of the new OU object. By default, Windows PowerShell creates the organizational unit in the domain root. For example, the following command will create an OU named IT on the Domain Controller (DC):
New-ADOrganizationalUnit "IT"
If we need a different OU LDAP path, use the -Path cmdlet parameter to specify its distinguished name (DN):
New-ADOrganizationalUnit "IT" -Path "OU=Users,DC=InfraSOS,DC=com"
Move an OU in an Active Directory with PowerShell
If we need to move an OU to another location, use the Move-ADObject cmdlet. Note that the target OU must not be protected from accidental deletion. If it is, use the following command to remove the protection:
Set-ADOrganizationalUnit -Identity "OU=IT,OU=Users,DC=InfraSOS,DC=Com" -ProtectedFromAccidentalDeletion $False
Now we can move the OU to another location:
Move-ADObject -Identity "OU=Regions,OU=Managers,DC=InfraSOS,DC=Com" -TargetPath "OU=IT,DC=InfraSOS,DC=Com"
Renaming an OU in an Active Directory with PowerShell
Use the Rename-ADObject cmdlet to rename an organizational unit. The Identity parameter specifies the AD object to be renamed and requires either the DN or GUID. For example, this command changes the name of the IT OU to Marketing:
Rename-ADObject -Identity "OU=Regions,OU=IT,DC=InfraSOS,DC=COM" -NewName Marketing
We can also use the Get-ADOrganizationalUnit cmdlet with the -Filter parameter, which doesn’t require the entire LDAP path to the OU. However, that cmdlet will search the whole AD, and the script will apply the command’s action to all Organizational Units with the search term in their names:
Get-ADOrganizationalUnit -Filter "Name -eq 'Zones'" | Rename-ADObject -NewName Area
We will discuss more of the Get OU commands once we start generating reports.
Applying a Group Policy to an OU in an Active Directory with PowerShell
To assign a Group Policy to an Organizational Unit, we can use the New-GPLink command, which links the specified Group Policy Object (GPO) and the Organizational Unit. In addition, we can identify any of the following properties for the link:
- Enabled – If the link has an Enabled status, the GPO's settings are applied when Group Policy is processed for the site, domain, or OU.
- Enforced – If the link has an Enforced status, it cannot be blocked at a lower-level container.
- Order – The Order status specifies the precedence of the GPO settings.
For example, the following command links the Block GPO to the IT Organizational Unit with the link both enabled and enforced:
New-GPLink -Name "Block" -Target "OU=Districts,OU=IT, DC=InfraSOS, DC=com" -LinkEnabled Yes -Enforced Yes
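To review the Enabled, Enforced, and Order properties described above across the whole domain, the following added example (not part of the original article) lists every GPO link on every OU. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed; the function name Get-OUGpoLinkReport is hypothetical.

```powershell
# Added example: audit GPO links on every OU (Enabled / Enforced / Order).
# Assumption: ActiveDirectory and GroupPolicy modules from RSAT are available.
Import-Module ActiveDirectory, GroupPolicy

function Get-OUGpoLinkReport {
    Get-ADOrganizationalUnit -Filter * -Properties CanonicalName |
        Sort-Object CanonicalName |
        ForEach-Object {
            $ou  = $_
            # Get-GPInheritance returns the links set directly on this OU
            # and whether the OU blocks inheritance from its parents.
            $som = Get-GPInheritance -Target $ou.DistinguishedName
            foreach ($link in $som.GpoLinks) {
                [pscustomobject]@{
                    OU                 = $ou.CanonicalName
                    Gpo                = $link.DisplayName
                    Enabled            = $link.Enabled
                    Enforced           = $link.Enforced
                    Order              = $link.Order
                    InheritanceBlocked = $som.GpoInheritanceBlocked
                }
            }
        }
}

# Enforced links cannot be blocked lower in the tree, so list them first.
Get-OUGpoLinkReport |
    Sort-Object -Property @{ Expression = 'Enforced'; Descending = $true }, OU, Order |
    Format-Table -AutoSize
```

Enforced links and disabled links are the rows worth reviewing first, since they change which settings actually reach the objects in an OU.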
Move Users and Computers to a New OU in an AD with PowerShell
After we've created an Organizational Unit and optionally linked it to a GPO, we'll populate it with users and computers. The Move-ADObject cmdlet in PowerShell moves any object or set of Active Directory objects to a different OU. The -Identity parameter specifies the Active Directory object or container to move.
It is crucial to note that we must enter the object’s full LDAP path or SID; we cannot use its SamAccountName. The following example shows how to move a user to the IT OU:
Move-ADObject -Identity "CN=marion,CN=Users,DC=InfraSOS,DC=com" -TargetPath "OU=IT,OU=Users,DC=InfraSOS,DC=com"
Use the same syntax to move computer objects. For example, the following command will transfer computer DESKTOP-01 to the Computers container:
Move-ADObject -Identity "CN=DESKTOP-01,OU=Computers,DC=InfraSOS,DC=com" -TargetPath "CN=Workstations,DC=InfraSOS,DC=com"
Mass Move AD Computers and Users to Another OU
If we have a predefined list of objects to move, we can save it as a text file and then import it to Active Directory. Prepare your list by adding one AD object per line. The text file containing the list should look something like this:

Use this PowerShell script for moving AD user accounts listed in a text file:
# Destination OU and the list of user names (one per line)
$destOU = "OU=Users,OU=IT,DC=InfraSOS,DC=com"
$usersList = Get-Content -Path "C:\temp\users.txt"
$usersList | ForEach-Object {
    # Each line is a plain string, so pass it directly as the identity
    $userName = (Get-ADUser -Identity $_).distinguishedName
    Move-ADObject -Identity $userName -TargetPath $destOU
}
To move AD computer accounts listed in a text file, use the following PowerShell script:
$computers = Get-Content -Path "C:\Temp\Computers.txt"
$destOU = "OU=Computers,OU=IT,DC=InfraSOS,DC=com"
ForEach ($computer in $computers) {
    Get-ADComputer $computer |
        Move-ADObject -TargetPath $destOU
}
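The bulk-move scripts above stop reporting useful information as soon as one name in the list does not resolve. The following added example (not from the original article) validates the destination OU, supports a -WhatIf dry run, and returns one result row per account so the move can be kept as a change record. The function name Move-ADUsersFromList is hypothetical, and the list file is assumed to hold one sAMAccountName per line.

```powershell
# Added example: bulk move with validation, dry run, and an audit trail.
# Assumptions: ActiveDirectory module (RSAT); one sAMAccountName per line in the list.
function Move-ADUsersFromList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ListPath,
        [Parameter(Mandatory)] [string] $TargetOU
    )

    # Fail early if the destination OU does not exist.
    $null = Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop

    Get-Content -Path $ListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |                      # skip blank lines
        ForEach-Object {
            $name   = $_
            $status = 'Moved'
            $fromDN = $null
            try {
                $user   = Get-ADUser -Identity $name -ErrorAction Stop
                $fromDN = $user.DistinguishedName
                if ($PSCmdlet.ShouldProcess($fromDN, "Move to $TargetOU")) {
                    Move-ADObject -Identity $fromDN -TargetPath $TargetOU -ErrorAction Stop
                } else {
                    $status = 'Skipped (WhatIf or declined)'
                }
            } catch {
                # Unknown account, protected object, or insufficient rights.
                $status = "Failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                SamAccountName = $name
                From           = $fromDN
                To             = $TargetOU
                Status         = $status
                Time           = Get-Date -Format o
            }
        }
}

# Dry run first; rerun without -WhatIf and pipe to Export-Csv to keep a change record.
Move-ADUsersFromList -ListPath 'C:\temp\users.txt' -TargetOU 'OU=Users,OU=IT,DC=InfraSOS,DC=com' -WhatIf
```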
Remove an OU from Active Directory with PowerShell
The Remove-ADOrganizationalUnit cmdlet removes an OU. However, the OU must not be protected from accidental deletion. Using the Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets, we can remove the accidental deletion protection for every OU with the word Zones in its name:
Get-ADOrganizationalUnit -filter "Name -eq 'Zones'" | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $False
Use the following cmdlet to remove every OU that contains Zones in its name from AD:
Get-ADOrganizationalUnit -filter "Name -eq 'Zones'" | Remove-ADOrganizationalUnit -Recursive
The system will prompt us to confirm the deletion:
Note that the -Recursive parameter removes both the OU and all of its child objects. AD will delete the child objects even if protection from deletion is on for them.
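Because -Recursive deletes child objects regardless of their own protection flag, it is worth seeing what sits under an OU before removing it. The following added example (not part of the original article) summarizes the child objects of each matching OU and reports whether the AD Recycle Bin is enabled, then runs the removal with -WhatIf only. The function name Get-OURemovalImpact is hypothetical; the ActiveDirectory module is assumed.

```powershell
# Added example: review what a recursive OU removal would delete before running it.
# Assumption: ActiveDirectory module (RSAT); 'Zones' is the OU name used in the article.
function Get-OURemovalImpact {
    param([Parameter(Mandatory)] [string] $Name)

    # Deleted objects are only fully restorable if the Recycle Bin feature is enabled.
    $feature      = Get-ADOptionalFeature -Filter "Name -eq 'Recycle Bin Feature'"
    $recycleBinOn = @($feature.EnabledScopes).Count -gt 0

    # Match on the exact name client-side to avoid building a filter string from input.
    Get-ADOrganizationalUnit -Filter * | Where-Object Name -eq $Name | ForEach-Object {
        $ou = $_
        # Everything below the OU, excluding the OU itself.
        $children = @(
            Get-ADObject -SearchBase $ou.DistinguishedName -SearchScope Subtree -Filter * `
                -Properties ProtectedFromAccidentalDeletion |
                Where-Object { $_.DistinguishedName -ne $ou.DistinguishedName }
        )

        [pscustomobject]@{
            OU                = $ou.DistinguishedName
            ChildObjects      = $children.Count
            Users             = @($children | Where-Object ObjectClass -eq 'user').Count
            Computers         = @($children | Where-Object ObjectClass -eq 'computer').Count
            ChildOUs          = @($children | Where-Object ObjectClass -eq 'organizationalUnit').Count
            ProtectedChildren = @($children | Where-Object ProtectedFromAccidentalDeletion).Count
            RecycleBinEnabled = $recycleBinOn
        }
    }
}

# Review the impact, then preview the deletion without performing it.
Get-OURemovalImpact -Name 'Zones' | Format-List
Get-ADOrganizationalUnit -Filter "Name -eq 'Zones'" |
    Remove-ADOrganizationalUnit -Recursive -WhatIf
```

A non-zero ProtectedChildren count means someone deliberately protected objects that the recursive removal would still delete.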
Managing Organizational Units in AD
Now that we discussed the basic commands and parameters involving Organizational Units, we will discuss further how we can generate OU reports with PowerShell.
Get a List of all OUs with PowerShell
We will use the Get-ADOrganizationalUnit cmdlet. First, sort by CanonicalName. This command displays an OU structure that is easier to read.
Get-ADOrganizationalUnit -Properties CanonicalName -Filter * |
Sort-Object CanonicalName |
Format-Table CanonicalName, DistinguishedName
The following is an example output in PowerShell when we run the command:
The output with all of the OUs in AD is an excellent list. But how do we know if the OU contains any users?
Get a List of All OUs, Including User Count, with PowerShell
We like to use PowerShell to get a list of the OUs, including the user count. This command will tell us if there are any users in the OU.
Get-ADOrganizationalUnit -Properties CanonicalName -Filter * |
    Sort-Object CanonicalName |
    ForEach-Object {
        [pscustomobject]@{
            Name          = Split-Path $_.CanonicalName -Leaf
            CanonicalName = $_.CanonicalName
            UserCount     = @(Get-AdUser -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count
        }
    }
The output includes a UserCount column. If the UserCount value is zero, the OU has no users. Computer objects in the OU do not appear in the count; this command only checks and displays a user count.
Export OUs in AD to a CSV file with PowerShell
We want to export the list of OUs in AD now that we’ve seen it. So, the script will use PowerShell to get the Organizational Units and export them to a text file.
$results = Get-ADOrganizationalUnit -Properties CanonicalName -Filter * |
    Sort-Object CanonicalName |
    ForEach-Object {
        [pscustomobject]@{
            Name          = Split-Path $_.CanonicalName -Leaf
            CanonicalName = $_.CanonicalName
            UserCount     = @(Get-AdUser -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count
        }
    }
$results | Out-File C:\export_OUs.txt -Encoding UTF8
Change the last line to the following command if we want to export to a CSV file:
$results | Export-Csv -Path C:\export_OUs.csv -NoTypeInformation -Encoding UTF8
Find the exported file in the specified location after running the above command.
Thank you for reading Create Active Directory OU Reports with PowerShell. We shall conclude now.
Create Active Directory OU Reports with PowerShell Conclusion
Now that we have learned how to manage OUs in Active Directory using PowerShell scripts, we can automate various operations related to OU management and generate reports accordingly. Before trying out these commands, make sure to enable the Active Directory Recycle Bin feature so that errant deletions can be rolled back easily. It's also wise to carefully track all changes to your organizational units.