Home > Sample chapters

Create and Manage Users and Groups in Active Directory

Create and manage OUs

Organizational units, or OUs, are used to segregate groups of users, computers, or other objects in Active Directory without the overhead of creating a whole new domain for them. You can apply different group policies to different OUs and have different password requirements.

Create an OU

Use the New-ADOrganizationalUnit cmdlet to create a new OU. The cmdlet parameters can be used to set commonly used properties of OUs, such as DisplayName, Description, and ProtectedFromAccidentalDeletion. The only required parameter is the Name parameter.

For properties that aren’t covered by the cmdlet parameters shown in Table 3-2, use the OtherAttributes parameter. The OtherAttributes parameter accepts a hashtable with property name and property value pairs.

Table 3-2 The parameters of New-ADOrganizationalUnit

Parameter

Type

Name

String

City

String

Country

String

Credential

PSCredential

Description

String

DisplayName

String

Instance

ADOrganizationalUnit

ManagedBy

ADPrincipal

OtherAttributes

Hashtable

PassThru

Toggle

Path

String

PostalCode

String

ProtectedFromAccidentalDeletion

Boolean

Server

String

State

String

StreetAddress

String

Name

String

There are three basic ways to use New-ADOrganizationalUnit:

  1. Create an OU by specifying all details on the command line.
  2. Create an OU from a template object—either one you create or an existing OU.
  3. Use a CSV file to create multiple OUs from a list of OUs and properties.

To create a new Engineering OU for our TreyResearch.net domain, use the following command.

New-ADOrganizationalUnit -Name Engineering `
                         -Description 'Engineering department users and computers’ `
                         -DisplayName 'Engineering Department’ `
                         -ProtectedFromAccidentalDeletion $True `
                         -Path “DC=TreyResearch,DC=NET” `
                         -PassThru

Note that the path specified is actually the default path, so we could have skipped that parameter, and the same is true for the ProtectedFromAccidentalDeletion parameter, which defaults to True. Because we used the -PassThru parameter, the command returned the following.

City                     :
Country                  :
DistinguishedName        : OU=Engineering,DC=TreyResearch,DC=NET
LinkedGroupPolicyObjects : {}
ManagedBy                :
Name                     : Engineering
ObjectClass              : organizationalUnit
ObjectGUID               : c2b42af8-a80b-48c1-949d-c8dbd6d60ee9
PostalCode               :
State                    :
StreetAddress            :

And, as we can tell in Figure 3-4, the new Engineering OU is created in the root of the TreyResearch.net domain tree.

Figure 3-4

Figure 3-4 The TreyResearch.net domain, showing the new Engineering OU

Add computers and users to an OU

Now that we have an Engineering OU, we should move our engineering users and computers into that OU. You might expect that there would be a Move-ADUser cmdlet, but there isn’t, and you might even quite reasonably expect that you could use Set-ADUser with a Path parameter to do the job. But no, there isn’t a Path parameter and you can’t move users that way either. After poking around a bit, however, it occurred to me to use Windows PowerShell to help me find the solution.

Get-Command -Module ActiveDirectory -Verb Move | ft -auto CommandType,Name
CommandType     Name 
-----------     ----   
Cmdlet          Move-ADDirectoryServer   
Cmdlet          Move-ADDirectoryServerOperationMasterRole
Cmdlet          Move-ADObject

Well, I don’t want to move the directory server, nor the Flexible Single Master Operation (FSMO) roles, at least not right now, so those won’t help. But users and computers are just a form of Active Directory object, so that last item looks promising. Let’s find out what its syntax is.

syntax Move-ADObject
Syntax for Move-ADObject is:

Move-ADObject [-Identity] <ADObject> [-TargetPath] <string> [-WhatIf]
[-Confirm] [-AuthType ADAuthType>] [-Credential <pscredential>] 
[-Partition <string>] [-PassThru] [-Server <string>] 
[-TargetServer <string>] [<CommonParameters>]

That looks like it should do what we want. We need to specify the identity of the object we want to move, and the target path we want to move it to. And it supports a WhatIf parameter to make sure it’s going to do what we expect. So, I remember that one of my users is an engineering manager, but which one? Well, let’s find out.

Get-ADUser -Filter {Description -like “*Engineering*” }
DistinguishedName : CN=Harold Catz,CN=Users,DC=TreyResearch,DC=net
Enabled           : True
GivenName         : Harold
Name              : Harold Catz
ObjectClass       : user
ObjectGUID        : 944bb855-0342-4875-a8d2-8447ab6f93e5
SamAccountName    : Harold
SID               : S-1-5-21-910751839-3601328731-670513855-1133
Surname           : Catz
UserPrincipalName : Harold

Ah, yes, Harold. Of course. So, now that we know who we want to move, let’s verify where we want to move him to.

Get-ADOrganizationalUnit -Filter {Name -eq “Engineering” }
City                     :
Country                  :
DistinguishedName        : OU=Engineering,DC=TreyResearch,DC=net
LinkedGroupPolicyObjects : {}
ManagedBy                :
Name                     : Engineering
ObjectClass              : organizationalUnit
ObjectGUID               : c2b42af8-a80b-48c1-949d-c8dbd6d60ee9
PostalCode               :
State                    :
StreetAddress            :

The Distinguished Name is the target path for our move, so let’s check that we’ve got everything as we want it.

Get-ADUser -Filter {Description -like “*Engineering*” } | Move-ADObject `
           -TargetPath (Get-ADOrganizationalUnit -Filter {Name -eq “Engineering” }) `
           -WhatIf
What if: Performing the operation “Move” on target “CN=Harold 
Catz,CN=Users,DC=TreyResearch,DC=net”.

That looks like we’re moving Harold, which was the plan, so we remove the WhatIf, and issue the command again.

Get-ADUser -Filter {Description -like “*Engineering*” } | Move-ADObject `
           -TargetPath (Get-ADOrganizationalUnit -Filter {Name -eq “Engineering” })

Oops, we forgot to include the -PassThru parameter, so our move happened silently. No problem, let’s just verify that the user Harold is in the correct OU.

Get-ADUser -Identity Harold
DistinguishedName : CN=Harold Catz,OU=Engineering,DC=TreyResearch,DC=net
Enabled           : True
GivenName         : Harold
Name              : Harold Catz
ObjectClass       : user
ObjectGUID        : 944bb855-0342-4875-a8d2-8447ab6f93e5
SamAccountName    : Harold
SID               : S-1-5-21-910751839-3601328731-670513855-1133
Surname           : Catz
UserPrincipalName : Harold

And the DistinguishedName property shows that he is in the Engineering OU. Good. Now, let’s just move Harold’s desktop over to the same OU. A quick check finds that TREY-DESK-22 is assigned to Harold.

Get-ADComputer -Filter {Description -like “*Harold*” }
DistinguishedName : CN=TREY-DESK-22,CN=Computers,DC=TreyResearch,DC=net
DNSHostName       : trey-desk-22.TreyResearch.net
Enabled           : True
Name              : TREY-DESK-22
ObjectClass       : computer
ObjectGUID        : 46df71bd-ba88-4b26-9091-b8db6e07261a
SamAccountName    : TREY-DESK-22$
SID               : S-1-5-21-910751839-3601328731-670513855-1141
UserPrincipalName :

Looks like Harold only has one computer, so let’s do it by simply specifying the identity of the computer we want to move. Move-ADObject accepts the DN or the GUID for the Identity parameter, or the result of Get-ADUser, Get-ADGroup, Get-ADComputer, Get-ADServiceAccount, Get-ADOrganizationalUnit, or Get-ADFineGrainedPasswordPolicy. We’ve got both the DN and the GUID in the output from your Get-ADComputer, so after a bit of copy and paste we get the following.

Move-ADObject -Identity “46df71bd-ba88-4b26-9091-b8db6e07261a” `
              -TargetPath “ OU=Engineering,DC=TreyResearch,DC=net” `
              -PassThru
DistinguishedName              Name         ObjectClass  ObjectGUID
-----------------              ----         -----------  ----------
CN=TREY-DESK-22, OU=Engine... TREY-DESK-22  computer     46df71bd-ba88-4b26-9091-
b8db6e07261a

Even though we only moved a single computer and a single user, the same methods can be used to move hundreds or even thousands of users. Of course, making a mistake when moving one user is a nuisance, for both you and the user, but it’s fairly easily corrected. Making a mistake by moving thousands of users is still easily corrected but is likely to cause somewhat more annoyance. Therefore, always check your work before committing to large changes that will affect many users.