Create Active Directory OU Reports with PowerShell. An organizational unit (OU) is an Active Directory (AD) container in which users, groups, computers, and other OUs can be stored. Each AD domain can have its own organizational unit hierarchy. This article covers OU management: how to use Windows PowerShell scripts to create, move, rename, and delete OUs in AD, link and enforce a Group Policy on an OU, and generate OU reports.

Create Active Directory OU Reports with PowerShell


To follow along with the example scripts in this article, we'll need to install the prerequisite components:

So, how do we create Active Directory OU reports with PowerShell? Let's find out.

Understanding the Organizational Unit Commands

An organizational unit (OU) is a Microsoft Active Directory domain container that can hold users, groups, and computers. It is the smallest unit to which a Windows system administrator can assign a Group Policy setting or account permission. An organizational unit may contain multiple child OUs, but each attribute within the containing OU must be distinct.

An Active Directory organizational unit cannot contain objects from other domains. The sections that follow go over the fundamental commands for managing OUs.

Create OUs in Active Directory with PowerShell

We can create a new organizational unit in AD with the New-ADOrganizationalUnit cmdlet by specifying the name of the new OU object. By default, Windows PowerShell creates the organizational unit in the domain root. For example, the following command creates an OU named IT on the Domain Controller (DC):

New-ADOrganizationalUnit -Name "IT"

If we need a different LDAP path for the OU, use the cmdlet's -Path parameter to specify the parent container's distinguished name (DN):

New-ADOrganizationalUnit -Name "IT" -Path "OU=Users,DC=InfraSOS,DC=com"

Move an OU in an Active Directory with PowerShell

If we need to move an OU to another location, use the Move-ADObject cmdlet. It is essential to note that the OU must not be protected from accidental deletion; if it is, use the following command to remove the protection first:

Set-ADOrganizationalUnit -Identity "OU=IT,OU=Users,DC=InfraSOS,DC=Com" -ProtectedFromAccidentalDeletion $False

Now we can move the OU to another location:

Move-ADObject -Identity "OU=Regions,OU=Managers,DC=InfraSOS,DC=Com" -TargetPath "OU=IT,DC=InfraSOS,DC=Com"

Renaming an OU in an Active Directory with PowerShell

Use the Rename-ADObject cmdlet to rename an organizational unit. The -Identity parameter specifies the AD object to be renamed and requires either its DN or its GUID. For example, this command changes the name of the IT OU to Marketing:

Rename-ADObject -Identity "OU=Regions,OU=IT,DC=InfraSOS,DC=COM" -NewName Marketing

We can also use the Get-ADOrganizationalUnit cmdlet with the -Filter parameter, which doesn't require the entire LDAP path to the OU. However, that cmdlet searches the whole directory, and the pipeline applies the rename to every organizational unit whose name matches the search term:

Get-ADOrganizationalUnit -Filter "Name -eq 'Zones'" | Rename-ADObject -NewName Area

We will discuss more of the Get OU commands once we start generating reports.

Applying a Group Policy to an OU in an Active Directory with PowerShell

To assign a Group Policy to an organizational unit, we use the New-GPLink cmdlet, which links the specified Group Policy Object (GPO) to the organizational unit. In addition, we can set any of the following properties on the link:

  • Enabled – If the link is enabled, the GPO's settings are applied when Group Policy is processed for the site, domain, or OU.
  • Enforced – If the link is enforced, a lower-level container cannot block it.
  • Order – The Order value sets the precedence of the GPO's settings relative to other links on the same container.

For example, the following command links the Block GPO to the IT Organizational Unit with the link both enabled and enforced:

New-GPLink -Name "Block" -Target "OU=Districts,OU=IT,DC=InfraSOS,DC=com" -LinkEnabled Yes -Enforced Yes
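The create-and-link steps above fail on a second run (New-ADOrganizationalUnit and New-GPLink both error when the OU or link already exists). The following added example, which is not from the original article, makes the procedure repeatable: it creates the IT OU only if it is missing, keeps it protected from accidental deletion, and links the GPO named Block only if it is not already linked. The OU path and GPO name are taken from this article; the GroupPolicy module is assumed to be installed.

```powershell
# Added example: idempotent OU creation plus GPO link check (not the article's code).
Import-Module ActiveDirectory
Import-Module GroupPolicy          # provides Get-GPInheritance, New-GPLink, Set-GPLink

$parent  = "DC=InfraSOS,DC=com"    # values from the article, assumed to exist in your domain
$ouName  = "IT"
$ouDN    = "OU=$ouName,$parent"
$gpoName = "Block"

# Look the OU up with -Filter: unlike -Identity, it returns nothing instead of throwing
# a terminating error when the object is missing.
$ou = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'"
if (-not $ou) {
    # New OUs are protected from accidental deletion by default; set it explicitly so the
    # intent survives if someone changes the default elsewhere.
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $parent -ProtectedFromAccidentalDeletion $true -PassThru
    Write-Host "Created $ouDN"
} else {
    Write-Host "Exists:  $ouDN"
}

# Inspect the existing links before calling New-GPLink, which throws if the link is present.
$links    = @((Get-GPInheritance -Target $ouDN).GpoLinks)
$existing = $links | Where-Object DisplayName -eq $gpoName
if (-not $existing) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -Enforced Yes | Out-Null
    Write-Host "Linked $gpoName to $ouDN (enabled, enforced)"
} elseif (-not $existing.Enforced) {
    # The link is there but not enforced: fix the link rather than recreating it.
    Set-GPLink -Name $gpoName -Target $ouDN -Enforced Yes | Out-Null
    Write-Host "Link existed; set Enforced on $gpoName"
} else {
    Write-Host "Link already enabled and enforced; nothing to do"
}
```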

Move Users and Computers to a New OU in an AD with PowerShell

After we've created an organizational unit and optionally linked it to a GPO, we'll populate it with users and computers. The Move-ADObject cmdlet moves any Active Directory object, or set of objects, to a different OU. Its -Identity parameter specifies the Active Directory object or container to relocate.

It is crucial to note that we must enter the object's full LDAP path or SID; we cannot use its SamAccountName. The following example moves a user to the IT OU:

Move-ADObject -Identity "CN=marion,CN=Users,DC=InfraSOS,DC=com" -TargetPath "OU=IT,OU=Users,DC=InfraSOS,DC=com"

Use the same syntax to move computer objects. For example, the following command transfers the computer DESKTOP-01 to the Computers container:

Move-ADObject -Identity "CN=DESKTOP-01,OU=Computers,DC=InfraSOS,DC=com" -TargetPath "CN=Workstations,DC=InfraSOS,DC=com"


Mass Move AD Computers and Users to Another OU

If we have a predefined list of objects to move, we can save it as a text file and then import it into Active Directory. Prepare the list with one AD object name per line. The text file should look something like this:

(Screenshot: example users list, one account name per line.)

Use this PowerShell script for moving AD user accounts listed in a text file:

$destOU = "OU=Users,OU=IT,DC=InfraSOS,DC=com"
$usersList = Get-Content -Path "C:\temp\users.txt"   # one SamAccountName per line

$usersList | ForEach-Object {
    # Get-Content yields plain strings, so $_ is the account name itself
    $userDN = (Get-ADUser -Identity $_).DistinguishedName
    Move-ADObject -Identity $userDN -TargetPath $destOU
}

To move AD computer accounts listed in a text file, use the following PowerShell script:

$computers = Get-Content -Path "C:\Temp\Computers.txt"   # one computer name per line

$destOU = "OU=Computers,OU=IT,DC=InfraSOS,DC=com"
ForEach ($computer in $computers) {
    # Get-ADComputer resolves the name to the object, which Move-ADObject takes from the pipeline
    Get-ADComputer $computer |
        Move-ADObject -TargetPath $destOU
}
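The two list-driven scripts above stop at the first account that does not resolve and leave no record of what moved. The following added example, not from the original article, handles users and computers from one file, validates each name before it is placed in an AD filter, skips unknown, ambiguous or already-moved objects, supports a dry run, and writes a CSV change log. The file and OU paths are constructed for the example.

```powershell
param(
    [string]$ListPath = "C:\temp\objects.txt",   # constructed: one sAMAccountName per line
    [string]$DestOU   = "OU=IT,DC=InfraSOS,DC=com",
    [string]$LogPath  = "C:\temp\ou-moves.csv",
    [switch]$DryRun                              # report what would move, change nothing
)
Import-Module ActiveDirectory
# Fail early if the destination OU does not exist (-Identity raises a terminating error).
$null = Get-ADOrganizationalUnit -Identity $DestOU -ErrorAction Stop

$names = Get-Content -Path $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$log = foreach ($name in $names) {
    $entry = [ordered]@{ Name = $name; Class = ''; DistinguishedName = ''; Status = '' }

    # Accept only characters expected in an account name; anything else could change the
    # meaning of the -Filter string built below, so it is reported instead of queried.
    if ($name -notmatch '^[A-Za-z0-9._-]+$') {
        $entry.Status = 'InvalidName'; [PSCustomObject]$entry; continue
    }

    # Computer accounts carry a trailing '$' in sAMAccountName, so look for both forms.
    $comp  = $name + '$'
    $found = @(Get-ADObject -Filter "sAMAccountName -eq '$name' -or sAMAccountName -eq '$comp'")
    if ($found.Count -ne 1) {
        $entry.Status = if ($found.Count -eq 0) { 'NotFound' } else { 'Ambiguous' }
        [PSCustomObject]$entry; continue
    }

    $obj = $found[0]
    $entry.Class = $obj.ObjectClass
    $entry.DistinguishedName = $obj.DistinguishedName

    # Skip objects that already sit directly under the destination OU.
    if (($obj.DistinguishedName -replace '^[^,]+,', '') -eq $DestOU) {
        $entry.Status = 'AlreadyThere'; [PSCustomObject]$entry; continue
    }

    try {
        Move-ADObject -Identity $obj.DistinguishedName -TargetPath $DestOU -WhatIf:$DryRun -ErrorAction Stop
        $entry.Status = if ($DryRun) { 'WouldMove' } else { 'Moved' }
    } catch {
        $entry.Status = "Failed: $($_.Exception.Message)"
    }
    [PSCustomObject]$entry
}

# Keep a record of what was (or would be) changed, then show it.
$log | Export-Csv -Path $LogPath -NoTypeInformation -Encoding UTF8
$log | Format-Table -AutoSize
```

Run it once with -DryRun and review the CSV before running it for real.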

Remove an OU from Active Directory with PowerShell

The Remove-ADOrganizationalUnit cmdlet removes an OU. However, the OU must not be protected from accidental deletion. Using the Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets, we can turn off that protection for every OU with the word Zones in its name:

Get-ADOrganizationalUnit -Filter "Name -eq 'Zones'" | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $False

Use the following cmdlet to remove every OU that contains Zones in its name from AD:

Get-ADOrganizationalUnit -Filter "Name -eq 'Zones'" | Remove-ADOrganizationalUnit -Recursive

The system will prompt us to confirm the deletion:

Note that the -Recursive parameter removes both the OU and all of its child objects. AD deletes the child objects even if they are themselves protected from accidental deletion.
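Because -Recursive ignores the protection flag on child objects, it is worth seeing exactly what would go before confirming. The following added example, not from the original article, lists the subtree under an OU grouped by object class, warns about protected children, and only then removes the OU after the operator types its name back. The OU distinguished name is an assumed value.

```powershell
# Added example: preview what Remove-ADOrganizationalUnit -Recursive would delete.
param([string]$OuDN = "OU=Zones,DC=InfraSOS,DC=com")   # assumed DN for the example
Import-Module ActiveDirectory

$ou = Get-ADOrganizationalUnit -Identity $OuDN -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop

# Everything beneath the OU (the OU itself is excluded from the list). Nested OUs and
# other objects with their own protection flag are deleted by -Recursive all the same.
$descendants = @(Get-ADObject -Filter * -SearchBase $OuDN -SearchScope Subtree -Properties ProtectedFromAccidentalDeletion |
    Where-Object DistinguishedName -ne $OuDN)

Write-Host "Objects under $OuDN by class:"
$descendants | Group-Object ObjectClass | Select-Object Name, Count | Format-Table -AutoSize

$protectedKids = @($descendants | Where-Object ProtectedFromAccidentalDeletion)
if ($protectedKids.Count -gt 0) {
    Write-Warning "$($protectedKids.Count) child object(s) are themselves protected but would still be removed:"
    $protectedKids | Select-Object ObjectClass, DistinguishedName | Format-Table -AutoSize
}

# Require the operator to type the OU name (case-sensitive) before anything is deleted.
$answer = Read-Host "Type the OU name '$($ou.Name)' to delete it together with $($descendants.Count) child object(s)"
if ($answer -ceq $ou.Name) {
    if ($ou.ProtectedFromAccidentalDeletion) {
        # Only clear the flag at the moment of deletion, not as a routine step.
        Set-ADOrganizationalUnit -Identity $OuDN -ProtectedFromAccidentalDeletion $false
    }
    Remove-ADOrganizationalUnit -Identity $OuDN -Recursive -Confirm:$false
    Write-Host "Removed $OuDN"
} else {
    Write-Host "Aborted; nothing was deleted."
}
```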

Managing Organizational Units in AD

Now that we have discussed the basic commands and parameters for organizational units, let's look at how to generate OU reports with PowerShell.

Get a List of All OUs with PowerShell

We use the Get-ADOrganizationalUnit cmdlet and sort the results by CanonicalName, which displays the OU structure in a form that is easier to read:

Get-ADOrganizationalUnit -Properties CanonicalName -Filter * |
    Sort-Object CanonicalName |
    Format-Table CanonicalName, DistinguishedName

The following is an example output in PowerShell when we run the command:

The output listing all of the OUs in AD is useful. But how do we know whether an OU contains any users?

Get a List of All OUs, Including User Count, with PowerShell

We can use PowerShell to get a list of the OUs including the user count of each. This command tells us whether there are any users in each OU:

Get-ADOrganizationalUnit -Properties CanonicalName -Filter * |
    Sort-Object CanonicalName |
    ForEach-Object {
        [PSCustomObject]@{
            Name          = Split-Path $_.CanonicalName -Leaf
            CanonicalName = $_.CanonicalName
            # Count only users directly in this OU (OneLevel), not those in child OUs
            UserCount     = @(Get-ADUser -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count
        }
    }

The output includes a UserCount column. If the UserCount value is zero, the OU has no users. Computer objects are not reflected in this number; the command checks and displays a user count only.

Export OUs in AD to a CSV file with PowerShell

Now that we have seen the list of OUs, let's export it. The following script gets the organizational units with PowerShell and writes them to a text file:

$results = Get-ADOrganizationalUnit -Properties CanonicalName -Filter * |
    Sort-Object CanonicalName |
    ForEach-Object {
        [PSCustomObject]@{
            Name          = Split-Path $_.CanonicalName -Leaf
            CanonicalName = $_.CanonicalName
            UserCount     = @(Get-ADUser -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count
        }
    }
$results | Out-File C:\export_OUs.txt -Encoding UTF8

Change the last line to the following command if we want to export to a CSV file:

$results | Export-Csv -Path C:\export_OUs.csv -NoTypeInformation -Encoding UTF8

Find the exported file in the specified location after running the above command.
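The report above counts users only, so an OU full of computers or groups looks empty, and it says nothing about whether the OU is protected or which GPOs apply to it. The following added example, not from the original article, extends the same pattern: one Get-ADObject query per OU counts users, computers, groups and child OUs, Get-GPInheritance adds the linked and enforced GPOs, and the result goes to CSV with two review lists at the end. The output path is constructed; the GroupPolicy module is assumed to be installed.

```powershell
# Added example: OU inventory with per-class counts, GPO links and protection status.
Import-Module ActiveDirectory
Import-Module GroupPolicy            # Get-GPInheritance comes from this module
$OutPath = "C:\temp\ou-report.csv"   # constructed output path

$report = Get-ADOrganizationalUnit -Filter * -Properties CanonicalName, ProtectedFromAccidentalDeletion, whenCreated |
    Sort-Object CanonicalName |
    ForEach-Object {
        $dn = $_.DistinguishedName
        # One query for all direct children, then count per class; this is where the
        # computers, groups and child OUs that a Get-ADUser count misses show up.
        $children = @(Get-ADObject -Filter * -SearchBase $dn -SearchScope OneLevel)
        $links    = @((Get-GPInheritance -Target $dn).GpoLinks)
        [PSCustomObject]@{
            Name          = Split-Path $_.CanonicalName -Leaf
            CanonicalName = $_.CanonicalName
            Users         = @($children | Where-Object ObjectClass -eq 'user').Count
            Computers     = @($children | Where-Object ObjectClass -eq 'computer').Count
            Groups        = @($children | Where-Object ObjectClass -eq 'group').Count
            ChildOUs      = @($children | Where-Object ObjectClass -eq 'organizationalUnit').Count
            LinkedGPOs    = ($links | ForEach-Object DisplayName) -join '; '
            EnforcedGPOs  = @($links | Where-Object Enforced).Count
            Protected     = $_.ProtectedFromAccidentalDeletion
            Created       = $_.whenCreated
        }
    }

$report | Export-Csv -Path $OutPath -NoTypeInformation -Encoding UTF8

# Two findings worth a second look: OUs that can be deleted by mistake, and OUs with nothing in them.
Write-Host "OUs not protected from accidental deletion:"
$report | Where-Object { -not $_.Protected } | Format-Table CanonicalName -AutoSize
Write-Host "Empty OUs:"
$report | Where-Object { ($_.Users + $_.Computers + $_.Groups + $_.ChildOUs) -eq 0 } | Format-Table CanonicalName -AutoSize
```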

Thank you for reading Create Active Directory OU Reports with PowerShell. We shall conclude now. 

Create Active Directory OU Reports with PowerShell Conclusion

Now that we have learned how to manage OUs in Active Directory using PowerShell scripts, we can automate various OU management operations and generate reports accordingly. Before trying out these commands, make sure the Active Directory Recycle Bin feature is enabled so that any errant deletions can be rolled back easily. It's also wise to track all changes to your organizational units carefully.


Marion Mendoza

Windows Server and VMware SME. PowerShell guru. Currently working with Fortune 500 companies, responsible for participating in third-level systems support across the enterprise. Acting as a Windows Server engineer and VMware specialist.
