Active Directory

How to Get a List of Active Directory Users from a Specific OU

Organizational units in Active Directory help administrators logically organize users based on structure, department, and location. However, inaccurate user membership within an OU may lead to misapplied GPOs and incorrect delegation scopes, since both operate at the OU level. Therefore, it is essential to track and validate all users in an OU before applying any policies or assigning delegated permissions. This guide explains how to list users from a specific OU to ensure proper access control and maintain a well-organized directory.

Find Users from a Specific OU in Active Directory Using ADUC

Active Directory permission required: Domain Users (least privilege); Administrators (most privilege)
  • Open the Active Directory Users and Computers console and click Filter on the toolbar.
  • In the Filter Options window, select ‘Show only the following types of objects:’, and choose Users.
  • Set the Maximum number of items displayed per folder as needed to show more items (by default, the value is set to 2,000), and then click OK.
  • Next, locate and click the respective OU in the left pane to display all users from that specific organizational unit.

Export Active Directory Users from a Specific OU Using PowerShell

Active Directory permission required: Domain Users (least privilege); Administrators (most privilege)
  • Although the above method helps locate users in a specific OU, you must manually browse through each sub-OU to view their users when dealing with nested structures.
  • To simplify the process, you can use PowerShell to retrieve users from a specific OU as well as its nested OUs effortlessly.
  • First, ensure the Active Directory PowerShell module is installed and imported in your environment.
  • Then, run the following cmdlet after replacing <FilePath> and <Distinguished OU Name> with the appropriate values to export all user details from the specific OU.
     Get-ADUser -Filter * -SearchBase '<Distinguished OU Name>' -SearchScope Subtree | Export-Csv -Path <FilePath> -NoTypeInformation

Uncover OU-Specific Users to Strengthen Access Visibility into Active Directory!

AdminDroid’s Active Directory reporting tool provides clear visibility into user distribution across organizational units through its comprehensive reports. These insights help you streamline user account management, enhance organizational unit structure, and strengthen overall directory security. Below are some of the standout features of AdminDroid for efficient administration of users within specific OUs.

Identify Inactive Enabled Users to Quarantine Them in a Separate OU

Regularly track inactive enabled users and isolate them in a secured organizational unit with limited access rights to minimize the risk of unauthorized access.

Analyse Active Directory Disabled User Accounts Across Each Organizational Unit

Find disabled users in each OU to remove unnecessary accounts and reactivate essential on-premises users to keep your Active Directory environment secure and efficient.

Track Users with Expired Accounts Across Every OU in Active Directory

Find and manage expired user accounts in privileged OUs to prevent access disruptions and ensure critical administrative tasks continue without interruption.

Stay Informed on Recently Deleted OU Events in Active Directory

Schedule the recently deleted OU report to receive regular updates directly in your inbox to detect unauthorized deletions of OUs and associated user accounts.

Regularly Export All OU-Wise Locked-Out Users Report in Active Directory

Export the Active Directory locked-out users in every critical OU to identify trends and patterns in lockout history and document details of frequently locked-out users.

Validate AD GPO Links and User Policy Compliance Per Organizational Unit

Use the organizational unit with direct GPO links report to find all GPOs applied to users in a specific OU and verify that policies and configurations align with organizational compliance.

Overall, AdminDroid’s Active Directory management tool enhances the process of tracking users in a specific OU. With advanced features like intuitive filters, customizable reports, and easy export options, it empowers admins to maintain precise user management in the OU quickly and efficiently.


Important tips

Apply Group Policies at the organizational unit level to enforce tailored user configurations and access settings for all users within it.

Utilize security filtering in GPOs to apply them to specific users or groups within an OU to achieve secure and flexible control over Group Policy deployment.

Use the Delegation of Control Wizard in Active Directory to allow certain users or groups to manage user accounts within a specific organizational unit.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting tips when listing users from a specific OU in Active Directory.

Error: The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

This error may occur if the Active Directory PowerShell module is not loaded on the DC, or if the command is executed on a system that is not a domain controller.

Fix: If you're running the cmdlet on a domain controller, import the Active Directory PowerShell module using the following cmdlet. If you're not running the cmdlet on a domain controller, install the Remote Server Administration Tools (RSAT) on your system.
Import-Module ActiveDirectory

Error: Get-ADUser : Directory object not found.

This error occurs in PowerShell when the Get-ADUser cmdlet is executed with an incorrect OU distinguished name.

Fix: First, verify that the specified OU’s distinguished name is correct by running the following cmdlet. Then run the Get-ADUser cmdlet with the correct OU distinguished name.
Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName

Error: New-ADUser : An attempt was made to add an object to the directory with a name that is already in use.

This error occurs in PowerShell when you try to create a user account with a username that already exists in Active Directory.

Fix: To resolve this issue, create the user with a different SAM account name to avoid conflicts with existing usernames.

Error: You do not have sufficient privileges to delete <UserName>, or this object is protected from accidental deletion.

This error may occur when attempting to delete a user through the ADUC console if the user is protected by the ‘Protect object from accidental deletion’ setting.

Fix: Uncheck the ‘Protect object from accidental deletion’ option in the Object tab of the user's properties before attempting to delete the account.

Error: Move-ADObject : Access is denied.

This error may occur in PowerShell when you use the Move-ADObject cmdlet to move a user who is protected by the ‘Protect object from accidental deletion’ setting out of a specific OU.

Fix: To avoid this error, make sure the ‘Protect object from accidental deletion’ option in the Object tab of the user’s properties is unchecked before trying to move any user.
Frequently Asked Questions

Manage Active Directory Users in a Specific OU for Better User Administration

1. How to create users in a specific organizational unit in Active Directory?

Administrators assign users to specific organizational units in Active Directory to ensure proper management of user accounts. Placing users directly into the appropriate OU during creation guarantees that Group Policies and access permissions are applied correctly. This structured approach helps create a secure and well-organized Active Directory environment that aligns with the organization’s hierarchy and operational goals.

Create an Active Directory user in a specific OU using ADUC

  • Open the Active Directory Users and Computers console.
  • In the left pane, navigate to the OU where you want to add the user. Then, right-click the OU and click New » User.
  • Fill in the user’s details and click Next.
  • Enter and confirm the password, choose the required account options, and click Next.
  • Review the user details and click Finish to create the user in the specific OU.

Create multiple AD users in a specific OU using PowerShell

  • While the above method is useful for the creation of individual users within an Active Directory OU, it is inefficient for bulk user provisioning. To create multiple users in an Active Directory OU, you can utilize PowerShell.
  • First, prepare a CSV file containing user details with fields such as Name, FirstName, LastName, Username, OUpath, and Password.

Then, run the cmdlet below to add multiple users to a specific organizational unit in bulk. Replace <CsvFilePath> with the location of the CSV file containing user details, and <Yourdomain> with your Active Directory domain name.

$CsvPath = "<CsvFilePath>"; $Domain = "<Yourdomain>"
Import-Csv $CsvPath | ForEach-Object {   # one New-ADUser call per CSV row
    $UserParams = @{
        Name = $_.Name; GivenName = $_.FirstName; Surname = $_.LastName; DisplayName = $_.Name
        SamAccountName = $_.Username; UserPrincipalName = "$($_.Username)@$Domain"; Path = $_.OUpath
        AccountPassword = (ConvertTo-SecureString $_.Password -AsPlainText -Force)
        Enabled = $true; ChangePasswordAtLogon = $true
    }
    New-ADUser @UserParams
}
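
A pre-flight check for the bulk import above, shown as an added example (it is not AdminDroid's script). It uses the CSV columns named in this section and reports rows that would fail or land in the wrong place before any account is created; the $NamePattern allow-list is an assumption to adapt to your naming standard.

```powershell
Import-Module ActiveDirectory

$CsvPath  = '<CsvFilePath>'   # same placeholder as in the script above
$Required = 'Name', 'FirstName', 'LastName', 'Username', 'OUpath', 'Password'
# Assumption: conservative allow-list for logon names (sAMAccountName is limited to 20 characters)
$NamePattern = '^[A-Za-z0-9._-]{1,20}$'

$Rows = @(Import-Csv -Path $CsvPath)
$Seen = @{}   # usernames already seen in this CSV (hashtable keys are case-insensitive)

$Report = foreach ($Row in $Rows) {
    $Problems = @()

    # Every column the creation script reads must be present and non-empty
    foreach ($Field in $Required) {
        if ([string]::IsNullOrWhiteSpace($Row.$Field)) { $Problems += "missing $Field" }
    }

    if ($Row.Username -notmatch $NamePattern) {
        $Problems += 'Username has unexpected characters or length'
    }
    else {
        if ($Seen.ContainsKey($Row.Username)) { $Problems += 'Username repeated in CSV' }
        $Seen[$Row.Username] = $true
        # Safe to interpolate: the pattern above excludes quotes and wildcards
        if (Get-ADUser -Filter "SamAccountName -eq '$($Row.Username)'") {
            $Problems += 'Username already exists in the domain'
        }
    }

    # The target OU must exist, otherwise the account cannot be created there
    try   { $null = Get-ADOrganizationalUnit -Identity $Row.OUpath -ErrorAction Stop }
    catch { $Problems += 'OUpath not found' }

    [PSCustomObject]@{
        Username = $Row.Username
        OUpath   = $Row.OUpath
        Ready    = ($Problems.Count -eq 0)
        Problems = $Problems -join '; '
    }
}

# Review the rows that are not ready before running the creation script
$Report | Sort-Object Ready, Username | Format-Table -AutoSize -Wrap
```

The CSV holds initial passwords in plain text, so keep it where only the provisioning admin can read it and remove it once the accounts exist.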

Use AdminDroid’s pre-built agents to effortlessly onboard single or multiple users into a specific OU in Active Directory!

  • In the Onboarding Active Directory User agent, provide the required details through a form or CSV file to automatically create the account, enforce password change at next logon, and assign a manager.
  • With flexible capabilities, you can pause the workflow, verify changes, instantly roll back specific actions, and fix errors without disrupting the process.

2. How to move users from one OU to another in Active Directory?

Each organizational unit in Active Directory can have its own set of policies, permissions, and administrative controls tailored to the needs of a particular department or role. As employees transfer to new departments or take on different roles, administrators must move them to the appropriate OU. This ensures they inherit the correct organizational permissions and policies.

Move an Active Directory user from one OU to another in ADUC

  • Open the Active Directory Users and Computers console.
  • In the left pane, locate the OU you want to move users from.
  • Then, right-click the respective user account and click Move.
  • In the dialog box, select the destination OU and click OK to move the user.

Move all users from one OU to another using PowerShell

PowerShell provides a faster and more efficient way to move all users from one OU to another than the ADUC console, which can be time-consuming. Run the following cmdlet to transfer all users from one OU to another in a single step.

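$SourceOU="<SourceOUName>"
$TargetOU="<TargetOUName>"
# Get-ADUser searches the whole subtree by default, so users in nested OUs are moved too;
# add -SearchScope OneLevel to move only the users directly in $SourceOU.
Get-ADUser -SearchBase $SourceOU -Filter * | ForEach-Object {
    Move-ADObject -Identity $_.DistinguishedName -TargetPath $TargetOU
}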

Replace <SourceOUName> and <TargetOUName> with the distinguished names of the source and target OUs, respectively.

Instantly relocate users between organizational units in AdminDroid 365 with a single click!

  • In addition to robust reporting, AdminDroid’s management capabilities allow you to move users between OUs directly from the report.
  • Simply select the users you want to move, click Show Actions, and then choose Move Users.
  • Finally, select the OU where you want to move them and click Update.
  • For example, in the never-logged-in users report, you can easily filter and select disabled accounts and move them to the appropriate OU for quarantining.

3. How to find inactive users from a specific OU in Active Directory?

Inactive user accounts within an organizational unit can create security vulnerabilities if left unmanaged, potentially leading to unauthorized access or compliance violations. By identifying these accounts, administrators can take appropriate actions, such as disabling or removing them. This helps enforce proper organizational policies and maintain a clean, well-governed Active Directory environment.

Identify inactive users by last logon date in a designated OU

  • Open the Active Directory Users and Computers console.
  • Right-click the specific OU in the left pane and select Find.
  • Choose Common Queries from the Find drop-down.
  • In the Days since last logon field, select the number of inactive days (30, 60, 90, 120, or 180).
  • Click Find Now to display the list of inactive users in that OU within the specified period.

Retrieve a list of inactive users from a particular OU using PowerShell

Run the following PowerShell cmdlet to find inactive users from a specific organizational unit. Replace <DistinguishedOUName> with the OU’s distinguished name, <InactiveDays> with the number of inactivity days, and <OutputFilePath> with the path to save the report file.

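$OU="<DistinguishedOUName>"
[int]$DaysInactive="<InactiveDays>"   # number of days, e.g. 90
$OutputFile="<OutputFilePath>"
$DateThreshold=(Get-Date).AddDays(-$DaysInactive)
# Without -TimeSpan or -DateTime, Search-ADAccount -AccountInactive uses a 15-day window;
# the Where-Object filter below then applies the requested threshold.
Search-ADAccount -AccountInactive -UsersOnly -SearchBase $OU |
    Where-Object { $_.LastLogonDate -lt $DateThreshold } |
    Select-Object Name,SamAccountName,UserPrincipalName,Enabled,LastLogonDate |
    Export-Csv -Path $OutputFile -NoTypeInformation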

The exported CSV file contains details such as user name, SAM account name, user principal name, enabled status, and last logon date.


Note: Users who have never logged in will not show a last activity date, as no sign-in activity has been recorded.
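
An added example (not part of the original guide) that separates the cases the note above describes: enabled accounts that are inactive, accounts that never logged on, and accounts too new to judge. The 90-day threshold and the status labels are assumptions; LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which by default can lag the real last logon by up to about 14 days.

```powershell
Import-Module ActiveDirectory

$OU           = '<DistinguishedOUName>'   # placeholder from the section above
$DaysInactive = 90                        # example threshold (assumption)
$Cutoff       = (Get-Date).AddDays(-$DaysInactive)

# Only enabled accounts are of interest here: they can still be used to sign in
$Users = Get-ADUser -SearchBase $OU -SearchScope Subtree -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated

$Report = foreach ($User in $Users) {
    # Classify each account; a blank LastLogonDate means no logon has been recorded
    $Status = if ($User.LastLogonDate) {
        if ($User.LastLogonDate -lt $Cutoff) { 'Inactive' } else { 'Active' }
    } elseif ($User.whenCreated -lt $Cutoff) {
        'NeverLoggedOn'   # old account that was never used
    } else {
        'NewAccount'      # created recently, too early to judge
    }

    [PSCustomObject]@{
        SamAccountName = $User.SamAccountName
        Status         = $Status
        LastLogonDate  = $User.LastLogonDate
        WhenCreated    = $User.whenCreated
        # Parent container: the DN without its first RDN (split on the first unescaped comma)
        ParentOU       = ($User.DistinguishedName -split '(?<!\\),', 2)[1]
    }
}

# Candidates for review, grouped by the OU they actually sit in
$Report | Where-Object { $_.Status -in 'Inactive', 'NeverLoggedOn' } |
    Sort-Object ParentOU, Status | Format-Table -AutoSize
```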

Gain clear visibility into Active Directory inactive users per OU with AdminDroid!

  • With AdminDroid’s inactive user report, you can easily identify inactive users in each OU.
  • It also provides details such as display name, SAM account name, logon name, account status, and more.
  • Utilize the hierarchy in the left pane to navigate through each organizational unit and its sub-OUs to view detailed inactive user information.

4. How to get a list of all users and their organizational units?

While it’s important to find users in a specific OU, it’s equally important to obtain a complete list of all users along with their corresponding OUs. With this report, administrators can quickly understand user distribution and identify misplaced or redundant accounts throughout the directory OU structure. It also ensures that users reside in the correct OUs and receive the appropriate permissions.

List all users with their respective organizational unit using PowerShell

Run the cmdlet below to retrieve a list of all users and their respective organizational units.

$Output=@()
# Enumerates organizationalUnit objects only; users in plain containers such as CN=Users are not listed
$OUs=Get-ADOrganizationalUnit -Filter *
foreach ($OU in $OUs) {
    # OneLevel returns only the users directly inside this OU, so nobody is counted twice
    $Users=Get-ADUser -Filter * -SearchBase $OU.DistinguishedName -SearchScope OneLevel | Select-Object Name,SamAccountName
    foreach ($User in $Users) {
        $Output+=[PSCustomObject]@{
            UserName=$User.Name
            OrganizationalUnit=$OU.Name
            SamAccountName=$User.SamAccountName
            OUPath=$OU.DistinguishedName
        }
    }
}
$Output | Format-Table -AutoSize

The output contains details such as the user name, organizational unit, SAM account name, and OU path.


5. How to delegate access for users in a specific organizational unit?

In Active Directory, administrators often need to grant someone the ability to manage user accounts without giving them full domain-wide privileges. By delegating access for a specific organizational unit, you can allow selected users or groups to manage all user accounts in it. Here are some common scenarios where delegation can be helpful.

  • Reset passwords: Allow selected users or groups to reset passwords for accounts within the OU.
  • Create and delete users: Enable the delegated group to create new user accounts or remove existing accounts in the OU.
  • Modify group membership: Permit changes to group memberships for users within the OU.
  • Read all user information: Grant permission to view all user properties without making changes.

Delegate permission for users in a specific OU

  • Open the Active Directory Users and Computers snap-in.
  • Right-click the respective OU and select Delegate Control from the context menu.
  • In the Delegation of Control Wizard page, click Next to proceed.
  • Click Add to open the Select Users, Computers, or Groups dialog box.
  • Enter the name of the user or group you want to assign permissions.
  • Click Check Names to verify the entered names, then select OK twice, and click Next.
  • On the Tasks to Delegate page, choose Delegate the following common tasks and select any predefined options for managing users in that OU.
    • Create, delete, and manage user accounts.
    • Reset user passwords and force password change at next logon.
    • Read all user information.
  • You can also choose Create a custom task to delegate to define specific permissions based on your requirements.
  • Click Next, review the summary of the delegation settings, and click Finish to apply the delegated permissions to the selected OU.
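
To review what has been delegated on an OU after using the wizard, the following added example (not from the original guide) lists the explicit, non-inherited Allow entries on the OU's ACL. The $KnownGuids table covers only the user class and the Reset Password extended right; other GUIDs are printed as-is, and the $HighImpact list is an assumption about which rights deserve a closer look.

```powershell
Import-Module ActiveDirectory      # also provides the AD: drive used by Get-Acl

$OU = '<Distinguished OU Name>'    # placeholder: the OU whose delegation you want to review

# Well-known schema and extended-right GUIDs produced by the common user tasks
$KnownGuids = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user objects'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
}

function Resolve-AceGuid {
    # Hypothetical helper: translate a GUID from an ACE into a readable name when known
    param([guid]$Guid)
    $Key = $Guid.ToString()
    if ($KnownGuids.ContainsKey($Key)) { $KnownGuids[$Key] } else { $Key }
}

# Rights that allow full control of objects or changing who is delegated (assumption)
$HighImpact = 'GenericAll', 'WriteDacl', 'WriteOwner'

# Explicit Allow entries are the ones set directly on this OU, e.g. by the wizard
$Aces = (Get-Acl -Path "AD:\$OU").Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' }

$Report = foreach ($Ace in $Aces) {
    $Rights = $Ace.ActiveDirectoryRights
    [PSCustomObject]@{
        Trustee    = $Ace.IdentityReference.Value
        Rights     = $Rights.ToString()
        Target     = Resolve-AceGuid $Ace.ObjectType            # property, child class or extended right
        AppliesTo  = Resolve-AceGuid $Ace.InheritedObjectType   # object class the entry is inherited by
        Scope      = $Ace.InheritanceType
        HighImpact = [bool]($HighImpact | Where-Object {
            $Rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]$_)
        })
    }
}

$Report | Sort-Object Trustee | Format-Table -AutoSize -Wrap
```

A trustee you do not recognize, or a HighImpact entry for a group that was only meant to reset passwords, indicates delegation that is broader than intended.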
