By default, when you join a new computer or server to the Active Directory domain (through the properties of the computer), it creates the computer object in the Computers root container. Suppose you use a complex Active Directory Organizational Unit (Active Directory OU) structure in your domain with various Group Policies, delegated containers, and policies permissions to other users. In that case, you must transfer computers from the default Computers container to another OU.
How to Move Objects in Active Directory Using the ADUC Console?
Before diving into the PowerShell side, how do admins typically move computers and other objects to different OUs? With the GUI.
The following instructions will show you how to move a computer object from the Computers container to another OU using the Active Directory Users and Computers snap-in.
- Press WIN+R and run dsa.msc.
- Expand the domain root and select the Computers container.
- Find the computer object or objects you want to move. If there are multiple computers to move, you can select them with CTRL+Click. Once you’re satisfied with the selection, right-click on them and click Move.
- When the Move dialog box shows up, select the OU to which you want to move the computer object(s). In this example, I’ll want to move it to the USA → Florida → Computers container and click OK.
Hint. You can move the computer between the OU with simple drag & drop operations in ADUC.
Moving a Computer to a Different OU with PowerShell
You can also move computers between OUs using the PowerShell cmdlet Move-ADObject, which is included in the PowerShell Active Directory module. Using this cmdlet, you can move an object or several objects (user, computer, Active Directory group) to another OU.
The –Identity parameter accepts the object identifier to be moved. The valid identifiers are:
- Distinguished Name — “CN=PC001,OU=Computers,OU=Florida,OU=USA,DC=theitbros,DC=com”
- GUID (objectGUID) — “9905308d-7d7c-4a71-8113-ea90a9693894”
Note. The Move-ADObject cmdlet does not accept SamAccountName as a valid identifier.
Find the Computer Identity
To move a computer, you must know its identity. You must get the DN or GUID of the computer object. You can get the computer’s DN or GUID using the Get-ADComputer cmdlet.
Get-ADComputer -Identity PC001
Copy the DistinguishedName or ObjectGUID value.
Related. Check our tutorial Active Directory LDAP Query Examples.
Find the Target OU Path
Next, let’s find the target OU path. There’s no exact way to get the specific OU unless you already know the exact path. What we can do is run the Get-ADOrganizationalUnit cmdlet with a filter.
Since we’re looking for the “California>Computers” OU, we can filter the name “COMPUTERS”.
Get-ADOrganizationalUnit -Filter 'Name -like "COMPUTERS"' | ` Format-Table Name, DistinguishedName, ObjectGUID
You may get multiple results, so you should look for the specific one from the list and copy the DN or GUID.
Move the Computer to OU
Once you have the computer and OU paths, it’s time to move the computer. For example, to move the computer PC001 from the “Florida>Computers” OU to “California>Computers”, run the below command.
Move-ADObject ` -Identity 'CN=PC001,OU=Computers,OU=Florida,OU=USA,DC=theitbros,DC=com' ` -TargetPath 'OU=Computers,OU=California,OU=USA,DC=theitbros,DC=com'
Let’s break down the command:
- Move-ADObject is the cmdlet used to move an AD object.
- Identity ‘CN=PC001,OU=Computers,OU=Florida,OU=USA,DC=theitbros,DC=com’ specifies the object’s identity to be moved. In this case, the object being moved is a computer with the Common Name (CN) “PC001” located in the OU structure: Computers -> Florida -> USA -> theitbros.com.
- TargetPath ‘OU=Computers,OU=California,OU=USA,DC=theitbros,DC=com’ specifies the target path where the object will be moved. In this example, the target path is the OU structure: Computers -> California -> USA -> theitbros.com.
Another approach is to pipe the Get-AdComputer result to Move-AdObject.
Get-ADComputer -Identity PC001 | ` Move-ADObject -TargetPath 'OU=Computers,OU=California,OU=USA,DC=theitbros,DC=com'
But note that this method does not have error handling. If the computer name you specified is wrong or does not exist, the command fails.
Cross-Domain Computer Move using PowerShell
The Move-ADObject cmdlet can move a computer object from one domain to another within the AD forest. Moving a computer between Active Directory domains requires you to specify a source and target DC.
Both the source and target DC need to be the owner of the RID Master FSMO role in their domains. Below is an example of moving the computer between AD domains.
Get-ADComputer -Identity PC001 | ` Move-ADObject ` -TargetPath "OU=Computers,DC=TargetDomain,DC=tld" ` -TargetServer "TargetDC.TargetDomain.tld " ` -Server "SourceDC.SourceDomain.tld"
Moving Multiple Computers to a Different OU with PowerShell
While PowerShell scripting is the de-facto way to automate Active Directory tasks, such as moving computers to other OUs, sometimes a mix of interactive and automated approaches is what the job requires.
Selecting Computers and OU from a Grid
If you need to move several computers from the Computers container to other OUs, you can select the computers and OU from a grid instead of manually compiling them in a list. How? Let me show you using this example.
- First, run the following command to list all computers in a grid. This example searches the entire domain:
$ADComputers = Get-ADComputer -Filter * | ` Select-Object -Property Name, DistinguishedName | ` Sort-Object -Property Name | ` Out-GridView -PassThru -Title "Select Computers to Move" | ` Select-Object -ExpandProperty DistinguishedName
- The grid shows up listing all AD computers. Select all the computers you wish to move to another OU and click OK. In this example, I’m selecting four servers to move.
The DistinguishedName of your selected computers is now stored in the $ADComputers variable. - Next, run the below command to display all OUs in another grid:
$ADOU = Get-ADOrganizationalUnit -Filter * -Properties CanonicalName | ` Select-Object -Property CanonicalName, DistinguishedName | ` Sort-Object -Property CanonicalName | ` Out-GridView -PassThru -Title "Select the target OU" | ` Select-Object -ExpandProperty DistinguishedName
- Once the grid lists all OUs, select the target OU for the move and click OK:
Note. Do not select multiple OUs.
In this step, I’ll select the ‘OU=Servers,OU=California,OU=USA,DC=theitbros,DC=com’ container.
The OU you selected is now stored in the $ADOU variable. - Optionally, we can preview the list of computers and the OU to confirm our selection:
$ADComputers $ADOU
- Finally, run the following command to move the computers to the selected OU:
$ADComputers | ForEach-Object { Move-ADObject -Identity $_ -TargetPath $ADOU -Verbose }And watch as PowerShell moves the selected computers to the target OU.
The OU you selected is now stored in the $ADOU variable.
Using File as Input
Another way to run a bulk computer move is by compiling a list of computers in a text or CSV file.
- First, create a new file called computers.txt and fill it with the computer names to move.
- Next, define the target OU in your script. In this example, the target is the London>Servers OU:
$TargetOU = "OU=Servers,OU=London,OU=UK,DC=theitbros,DC=com"
- Import the computer names from the computers.txt file into the $ADComputers variable:
$ADComputers = Get-Content .\computers.txt
- Finally, run this script to move the computers:
foreach ($computerName in $ADComputers) { try { if (($currentComputer = Get-ADComputer -Identity $computerName -ErrorAction Stop)) { Move-ADObject -Identity $currentComputer -TargetPath $TargetOU -ErrorAction Stop "OKAY: Moved $($computerName) to $TargetOU" | Out-Default } } catch { "FAIL: $($_.Exception.Message)" | Out-Default } }This script includes error-handling logic to test if the computer name exists before attempting the move. It returns a status of whether the move was successful or failed.
Moving Multiple Active Directory Users to Another OU Using PowerShell
The Move-ADObject cmdlet can also move Active Directory users between Organizational Units.
Moving Users Based on Attribute
Run the following PowerShell one-liner to move a user account to a new OU. This command moves the user ‘ohill’ to the Florida Users OU.
Get-ADUser -Identity ohill | ` Move-ADObject ` -TargetPath "OU=Users,OU=Florida,OU=USA,DC=theitbros,DC=com" ` -WhatIf
Hint. The -WhatIf switch is used to preview the operation without executing it.
Sometimes you may need to move multiple user accounts based on some user properties from a specific AD container to a new OU. In this example, you can use the -Filter parameter to filter which user accounts will be moved.
Suppose you want to move users whose City attribute value equals London to the London OU; here’s an example:
Get-ADUser -Filter 'City -eq "London"' | ` Move-ADObject ` -TargetPath "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com" ` -WhatIf
Moving Users from a List
You can bulk-move AD users to another OU from a text file. In this example, the text file called users.txt contains a list of usernames.
Now run the following script to move the users to the target OU. Replace the $TargetOU with your target OU path.
$TargetOU = "OU=Users,OU=California,OU=USA,DC=theitbros,DC=com"
$ADUsers = Get-Content .\users.txt
foreach ($username in $ADUsers) {
try {
if (($currentUser = Get-ADUser -Identity $username -ErrorAction Stop)) {
Move-ADObject -Identity $currentUser -TargetPath $TargetOU -ErrorAction Stop
"OKAY: Moved $($username) to $TargetOU" | Out-Default
}
}
catch {
"FAIL: $($_.Exception.Message)" | Out-Default
}
}
You will see a similar output to the below screenshot.
Conclusion
In conclusion, PowerShell is a powerful tool for system administrators to manage and organize their Active Directory environment efficiently. The ability to move computers to specific Organizational Units (OUs) through PowerShell streamlines administrative tasks and saves time. By using the Move-ADObject cmdlet, administrators can automate organizing computers within the network, reducing manual errors and ensuring consistency.
PowerShell’s capability to move computers to OUs offers several benefits. It automates repetitive tasks, maintaining consistency and scalability across the network. Additionally, administrators can customize the process to meet their specific requirements, incorporating it into scheduled tasks or workflows. This flexibility enables them to automate movements based on predefined conditions or events.
While this blog post focused on moving computers to OUs, it’s important to highlight that PowerShell provides a comprehensive range of functionalities for Active Directory management. By leveraging PowerShell’s extensive cmdlet library, administrators can automate various administrative tasks, from user management to group policy management. Mastering PowerShell empowers administrators to enhance productivity, reduce errors, and contribute to a more efficient and organized IT environment.
