Creating Active Directory OUs with PowerShell
Normally, I think of using PowerShell for ongoing and repetitive tasks. Using PowerShell scripts and tools creates a more efficient work environment. For rare tasks that you only need to do once, it doesn’t make sense to invest time in building a PowerShell-based solution, especially if doing the task manually isn’t that complicated. In my mind, creating an Active Directory organizational unit (OU) falls into that category. It’s rather trivial to open up Active Directory Users and Computers to create a new OU.
So why use PowerShell? One scenario is to quickly build a test environment that includes an Active Directory domain. With a PowerShell script you can create hundreds of OUs in seconds. Another scenario is if you need a control mechanism. Instead of manually creating a new OU in the traditional manner, you can spend a little extra time creating a PowerShell script to do it. This script can be reviewed, tested, and include as much documentation as you need. The script becomes a resource document that indicates what was done and why. It may only be a few lines of PowerShell commands, but it serves as a record. So how do we do this?
First, you need the most current version of the Remote Server Administration Tools (RSAT) for your desktop. Everything I’m going to show you can and should be accomplished from your admin desktop. There’s no need to log on to a server. When you configure RSAT, make sure you include the Active Directory PowerShell module.
What is “Inside Microsoft Teams”?
“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.
For now, I’m going to assume you are running your PowerShell session with credentials that have permissions to create an OU. The cmdlet, New-ADOrganizationalUnit, is pretty straightforward.
All you need to do is specify the name of the new OU.
New-ADOrganizationalUnit -Name "Petri Users"
By default, PowerShell will create the OU off of the domain root. You can use PowerShell to get the newly created OU.
Get-ADOrganizationalUnit -Identity "OU=Petri Users,DC=globomantics,DC=Local"
Here’s the new OU in Active Directory Users and Computers.
By default, the cmdlet doesn’t write anything to the pipeline unless you use the –Passthru parameter. And if you want to create the OU in a location other than the domain root, you need to specify the distinguished name of the parent container.
New-ADOrganizationalUnit -Name Vendors -Path "OU=Employees,DC=Globomantics,DC=Local" -Description "Temporary vendor accounts" -PassThru
Let’s say that you need to create many OUs. If you look at help for New-ADOrganizationalUnit, you’ll see that many of the parameters can be passed by property name. This means if you pipe in an object with a matching property name, the PowerShell will assign that value to the corresponding parameter.
The benefit is that I can take a spreadsheet like this:
Notice that the column headings correspond to parameter names. While you could write code to read the Excel spreadsheet, it’s much easier to export to a CSV and use that within PowerShell.
I can test using –Whatif, which is important because some of the locations are child OUs, and I need to make sure the parents are created first.
If I am satisfied, I can run the command to create the OU structure.
import-csv s:\offices.csv | New-ADOrganizationalUnit –PassThru
Within a matter of seconds, I created and configured 15 new organizational units. Here’s the final result in Active Directory Users and Computers:
In the next article, we’ll explore ways of modifying and removing OUs. In the meantime, I hope you’ll fire up your test environment and try these commands out. Need a test AD, go ahead and create one, and let me know how it goes.