By default, when you join a new computer or server to an Active Directory domain (through the properties of the computer), the computer object is created in the root Computers container. If your domain uses a complex Organizational Unit (OU) structure with various Group Policies and with containers and permissions delegated to other users, you need to move computers from the default Computers container to another OU.
How to Move Objects in Active Directory Using the ADUC Console?
You can move the computer object from the Computers container to another OU using the Active Directory Users and Computers snap-in (dsa.msc).
- Expand the domain root and select the Computers container;
- Find the computer name you want to move, right-click on it, and select Move;
- Select the OU to which you want to move this computer (for example, USA > Florida > Computers), and click OK.
Hint. You can also move a computer between OUs in ADUC with a simple drag and drop: grab the computer object with the mouse and drag it to the desired OU.
Moving Computers to a Different OU with PowerShell
You can also move computers between OUs using the PowerShell cmdlet Move-ADObject (it is a part of the PowerShell Active Directory module). Using this cmdlet, you can move an object or several objects (user, computer, Active Directory group) to another OU.
The -Identity parameter specifies the name of the object to be moved. You can specify the SID of the object or the full LDAP path, but not the SamAccountName.
For example, to move the computer NY-PC-B32-23 from the Florida OU to the California > Computers container, run the command:
Move-ADObject -Identity "CN=ny-pc-b32-23,OU=Computers,OU=Florida,OU=USA,DC=theitbros,DC=com" -TargetPath "OU=Computers,OU=California,OU=USA,DC=theitbros,DC=com"
If you specify the computer’s name (SamAccountName) instead of its distinguishedName (the full LDAP path), an error will appear:
Move-ADObject : Cannot find an object with identity
To avoid specifying the full LDAP path to the source object when moving the computer, you can use the Get-ADComputer cmdlet. This cmdlet allows you to find a computer object in the AD domain by its hostname.
Get-ADComputer "ny-pc-b32-23" | Move-ADObject -TargetPath "OU=Computers,OU=Florida,OU=USA,DC=theitbros,DC=com" -Verbose
As you can see, the command syntax has become much simpler.
You can copy the OU’s distinguishedName (DN) from the OU properties in the ADUC console. Go to the Attribute Editor tab, double-click the distinguishedName attribute, and copy the attribute value to the clipboard.
Hint. The Move-ADObject cmdlet can be used to move a computer object from one domain to another within the AD forest. If you are moving a computer between Active Directory domains, you should specify a source and target DC. Both the source and target DC need to be the owner of the RID Master FSMO role in their domains:
Get-ADComputer "ny-pc-b32-23" | Move-ADObject -TargetPath "OU=Computer,DC=testdomain,DC=com" -TargetServer "TargetDC.testdomain.com" -Server "LocalDC.theitbros.com"
If you need to move several computers from the Computers container to other OUs, you can use the following PowerShell script to move computer objects in bulk. In the grid table that opens, select the computers you want to move, select the destination OU, and click OK. The selected computers will be moved to the new location.
# Pick the computers to move from the default Computers container
$ADComps = Get-ADComputer -Filter * -SearchBase "CN=Computers,DC=test,DC=com" |
    Select-Object -Property Name | Sort-Object -Property Name |
    Out-GridView -PassThru -Title "Select Computers to Move" |
    Select-Object -ExpandProperty Name
# Pick the destination OU
$ADOUs = Get-ADOrganizationalUnit -Filter * |
    Select-Object -Property DistinguishedName |
    Out-GridView -PassThru -Title "Select Target OU" |
    Select-Object -ExpandProperty DistinguishedName
# Move every selected computer; if more than one OU was selected,
# each computer ends up in the last OU processed
foreach ($ou in $ADOUs) {
    foreach ($comp in $ADComps) {
        Get-ADComputer $comp | Move-ADObject -TargetPath "$ou" -Verbose
    }
}
To bulk move Active Directory computer accounts listed in the text/csv file, you can use the following PowerShell script:
# One computer name per line
$computers = Get-Content C:\PS\Computers.txt
$TargetOU = "OU=Computers,OU=Florida,OU=USA,DC=theitbros,DC=com"
foreach ($computer in $computers) {
    Get-ADComputer $computer | Move-ADObject -TargetPath $TargetOU
}
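A more defensive version of the list-driven move above, as an added example that is not part of the original article: it verifies the target OU before changing anything, records names that cannot be resolved instead of stopping, and honours -WhatIf and -Confirm. The function name Move-ComputersFromList, its parameter names and the result CSV path are assumptions.

```powershell
# Added example, not from the original article. Function and parameter names are assumptions.
Import-Module ActiveDirectory -ErrorAction Stop

function Move-ComputersFromList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ListPath,
        [Parameter(Mandatory)] [string] $TargetOU
    )

    # Stop before touching anything if the target OU DN is mistyped.
    $ou = Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop

    # Ignore blank lines and surrounding whitespace in the list file.
    $names = Get-Content -Path $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($name in $names) {
        $status = 'Moved'; $from = $null
        try {
            $comp = Get-ADComputer -Identity $name -ErrorAction Stop
            # Parent container = DN without its first RDN (split on the first unescaped comma).
            $from = ($comp.DistinguishedName -split '(?<!\\),', 2)[1]
            if ($from -eq $ou.DistinguishedName) {
                $status = 'AlreadyInTarget'
            }
            elseif ($PSCmdlet.ShouldProcess($comp.DistinguishedName, "Move to $($ou.DistinguishedName)")) {
                Move-ADObject -Identity $comp.DistinguishedName -TargetPath $ou.DistinguishedName -ErrorAction Stop
            }
            else {
                $status = 'Skipped'   # -WhatIf was used, or the operator declined the -Confirm prompt
            }
        }
        catch {
            # Unknown name, access denied, etc.: record it and continue with the next entry.
            $status = "Failed: $($_.Exception.Message)"
        }
        # One result object per name, usable as a change record.
        [pscustomobject]@{ Computer = $name; From = $from; To = $ou.DistinguishedName; Status = $status }
    }
}

# Preview first, then run for real and keep the output:
# Move-ComputersFromList -ListPath C:\PS\Computers.txt -TargetOU "OU=Computers,OU=Florida,OU=USA,DC=theitbros,DC=com" -WhatIf
# Move-ComputersFromList -ListPath C:\PS\Computers.txt -TargetOU "OU=Computers,OU=Florida,OU=USA,DC=theitbros,DC=com" |
#     Export-Csv C:\PS\move-result.csv -NoTypeInformation
```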
Bulk Move Active Directory Users to Another OU Using PowerShell
The Move-ADObject cmdlet can also be used to move Active Directory users between Organizational Units.
If you want to move an individual user account to a new OU, use the following PowerShell one-liner:
Get-ADUser m.decker1 | Move-ADObject -TargetPath "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com" -WhatIf
Hint. We use the -WhatIf parameter to preview the action the cmdlet would take before applying the changes.
Sometimes you may need to move multiple user accounts based on some user properties from a specific AD container to a new OU. Use the -Filter option to set criteria for selecting user accounts. In this example, we want to move all users whose city attribute in Active Directory is set to London from a specific organizational unit to the London OU.
Get-ADUser -Filter {(City -eq "London") -and (Enabled -eq "true")} | Move-ADObject -TargetPath "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com"
You can bulk move AD users to another OU from a CSV file. In this example, the CSV file should contain a list of user accounts in the SamAccountName column.
$UserList = Import-Csv -Path "C:\PS\userlist.csv"
$TargetOU = "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com"
$UserList | ForEach-Object {
    # Resolve the SamAccountName from the CSV to the user's distinguishedName
    $User_DN = (Get-ADUser -Identity $_.SamAccountName).DistinguishedName
    Move-ADObject -Identity $User_DN -TargetPath $TargetOU -Confirm
}
We used the -Confirm option in order to prompt for confirmation before moving each user.