
How to Track Organizational Unit Changes in Active Directory

An Organizational Unit (OU) in Active Directory helps organize users, groups, and computers in a structured manner. This makes permission and policy management in Active Directory more efficient. However, even small changes in OU can impact Group Policy and security across the network. Therefore, a clear audit trail of OU changes is essential for visibility and accountability. This guide explains how to audit OU changes in Active Directory and maintain better control over the environment.


Audit All OU in Active Directory Using Event Viewer

Active Directory Permission Required
  • Least Privilege: Event Log Readers
  • Most Privilege: Administrators
  • Open Server Manager, click on Tools, and navigate to Event Viewer » Windows logs » Security.
  • Next, in the Actions pane, click Filter Current Log, and enter the following event IDs as comma-separated values in <All Event IDs> field.

    5136,5137,5139,5141

    • 5136: Modify an OU (one event is logged per changed attribute value)
    • 5137: Create an OU
    • 5139: Move an OU
    • 5141: Delete an OU
  • Click OK to fetch all events of OU changes. Then double-click on the required event to open the Event Properties dialog box.
  • Review the General tab to verify the event details and ensure you consider only events where the object Class is organizationalUnit.
  • This helps identify details of actions performed on Organizational Units (OUs), including creation, modification, deletion, and more.

Get All OU Changes in Active Directory Using PowerShell

Active Directory Permission Required
  • Least Privilege: Domain Admins
  • Most Privilege: Administrators
  • The PowerShell method provides a structured view of OU change events, eliminating the need to manually open and review every individual event log entry in Event Viewer.
  • Open PowerShell on a domain controller and import the Active Directory module using the following cmdlet.
    Import-Module ActiveDirectory
  • Next, run the following PowerShell script to retrieve OU change events from Active Directory, including the event time, event ID, user, action performed, and affected OU location.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'
        ID      = 5136,5137,5139,5141
    } | ForEach-Object {
        # Flatten the event's EventData fields into a hashtable keyed by field name
        $xml  = [xml]$_.ToXml()
        $data = @{}
        $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        # Keep only events that concern Organizational Units
        if ($data.ObjectClass -eq 'organizationalUnit') {
            # Event 5139 (move) carries OldObjectDN/NewObjectDN instead of ObjectDN;
            # report the destination so the new OU location is visible
            $OU = if ($_.Id -eq 5139) {
                if ($data.NewObjectDN) { $data.NewObjectDN } else { '-' }
            } else {
                if ($data.ObjectDN) { $data.ObjectDN } else { '-' }
            }
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                EventID = $_.Id
                Action  = switch ($_.Id) {
                    5136 { 'Modified' }
                    5137 { 'Created' }
                    5139 { 'Moved' }
                    5141 { 'Deleted' }
                }
                User    = if ($data.SubjectUserName) {
                              "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                          } else { '-' }
                OU      = $OU
            }
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize
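The script above returns one row per event, but for 5136 it does not show what changed. The following added example (not part of the original post) pairs the Value Deleted and Value Added 5136 records that Windows writes for a single attribute change, using their shared OpCorrelationID, to produce the old and new value of each modified OU attribute. It runs offline on two constructed sample events; the GPO GUIDs, user and OU names in the samples are placeholders.

```powershell
function Get-OUAttributeChange {
    param([Parameter(Mandatory)][xml[]]$Events)
    # Flatten each event's <Data Name="..."> fields into a hashtable
    $parsed = foreach ($xml in $Events) {
        $d = @{}
        foreach ($f in $xml.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d.ObjectClass -ne 'organizationalUnit') { continue }
        [PSCustomObject]@{
            Corr = $d.OpCorrelationID; OU = $d.ObjectDN
            User = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Attribute = $d.AttributeLDAPDisplayName
            Op = $d.OperationType; Value = $d.AttributeValue
        }
    }
    # %%14675 = Value Deleted (old), %%14674 = Value Added (new); one change
    # yields one of each with the same OpCorrelationID, OU and attribute
    $parsed | Group-Object Corr, OU, Attribute | ForEach-Object {
        [PSCustomObject]@{
            User      = $_.Group[0].User
            OU        = $_.Group[0].OU
            Attribute = $_.Group[0].Attribute
            OldValue  = ($_.Group | Where-Object Op -eq '%%14675').Value
            NewValue  = ($_.Group | Where-Object Op -eq '%%14674').Value
        }
    }
}

# Constructed sample 5136 events (not real log data) so the example runs offline
function New-Sample5136([string]$Op, [string]$Value) {
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="OpCorrelationID">{00000000-0000-4000-8000-00000000abcd}</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectDN">OU=Finance,DC=contoso,DC=com</Data>
    <Data Name="ObjectClass">organizationalUnit</Data>
    <Data Name="AttributeLDAPDisplayName">gPLink</Data>
    <Data Name="AttributeValue">$Value</Data>
    <Data Name="OperationType">$Op</Data>
  </EventData>
</Event>
"@
}
$sample = @(
    (New-Sample5136 '%%14675' '[LDAP://cn={OLD-GPO-GUID},cn=policies,cn=system,DC=contoso,DC=com;0]'),
    (New-Sample5136 '%%14674' '[LDAP://cn={NEW-GPO-GUID},cn=policies,cn=system,DC=contoso,DC=com;0]')
)
Get-OUAttributeChange -Events $sample | Format-List
```

To run it against a live Security log on a domain controller, build $sample from `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5136} | ForEach-Object { [xml]$_.ToXml() }` instead of the constructed events.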

Monitor Active Directory OU Lifecycle Events and Linked GPOs with AdminDroid

AdminDroid’s Active Directory auditing tool gives clear visibility into Organizational Unit (OU) lifecycle activities across the domain, including creation, modifications, and deletion. It brings all OU activities into a single place with detailed reports and insights. Here are some of the key capabilities to quickly identify and track these changes.

Track Changes in OU Attribute Values to Investigate Every Modification

Find all updated organizational unit events in Active Directory to compare old and new values, track time of change, and determine whether Group Policies or inherited permissions were impacted.

Analyze OU Activities and Gain Insights with Dedicated OU Dashboard

Utilize the Active Directory OU dashboard to view OUs linked with GPOs, moved objects, and more OU related insights for auditing and governance.

Stay Informed of Every OU Deletion in Active Directory

Get instant alerts for OU deletion to quickly detect accidental changes that may impact critical Active Directory objects, inherited policies, or user access.

Identify Incorrect GPO Assignments Across OUs in Active Directory

Review Organizational Units with direct GPO links to validate correct policy application and identify inheritance issues or conflicting policies.

Identify Inactive Users in an Active Directory OU for Cleanup and GPO Validation

Find specific users within an OU to identify inactive accounts, detect misapplied Group Policy Objects, and review incorrect or excessive delegation scopes within the OU.

Audit Restored OUs for Active Directory Data Recovery

Monitor restored organizational unit events to identify who restored deleted OUs, track the original & restored locations, and verify that GPOs are correctly reapplied after recovery.

Overall, AdminDroid’s Active Directory reports enable effective auditing of Organizational Unit changes. It delivers comprehensive insights into OU modifications, policy assignments, and configuration updates. Additionally, its integrated real-time monitoring and detailed reporting features simplify auditing and speed up investigations.


Important tips

Restrict OU creation and modification rights to authorized users using Delegation of Control Wizard to minimize accidental configuration changes and reduce attack surface.

Always use a clear and consistent OU naming format (e.g., Department-Location) to simplify identification, delegation, and auditing in Active Directory.

When cleaning up unused OUs, clear the accidental-deletion protection on them before deleting, so the removal succeeds and the AD structure stays tidy.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while tracking OU changes in Active Directory.

Error: Get-WinEvent : No events were found that match the specified selection criteria.

This error occurs when no OU audit events are available in the Event Viewer or if the cmdlet is executed on a server or workstation other than a domain controller.

Fix: Ensure OU auditing events are available in the Security log. Then, run the cmdlet on a domain controller to retrieve OU change audit events.

Error: Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized.

This error occurs when PowerShell does not have sufficient privileges to access the Security event log.

Fix: Run PowerShell with an account that has permission to read the Security log, such as a Domain Admin or local Administrator on the domain controller. Then, run the cmdlet again.

Error: Event Viewer cannot open the event log or custom view. Verify that Event Log service is running or query is too long

This error occurs if the Windows Event Log service is stopped, the event log has been cleared, or the account lacks sufficient permissions to access the event log.

Fix: Run Event Viewer with Administrator privileges and ensure the Windows Event Log service is running properly.

1. How to enable the advanced audit policy for Organizational Unit (OU) changes in Active Directory?

Advanced Auditing allows you to enable specific subcategories, such as Directory Service Changes, to track exactly when and how OUs are created, modified, moved, or deleted. This reduces log noise while providing the detailed audit trail needed for security investigations, compliance reporting, and rapid detection of unauthorized or accidental OU changes.

Follow the steps below to enable advanced auditing for Organizational Unit changes in Active Directory.

Configure advanced auditing for OU changes in Active Directory

  • Open Server Manager and navigate to Tools » Group Policy Management.
  • From the left pane, expand Domains, right-click on the domain or any desired OU, and select Create a GPO in this domain, and Link it here.
  • Enter a descriptive name for the GPO in the New GPO window and click OK.
  • Then, right-click on the created GPO and select Edit.
  • In the Group Policy Management Editor, navigate to Computer Configuration » Policies » Windows Settings » Security Settings » Advanced audit policy configuration » Audit Policies.
  • Click DS Access and double-click Audit Directory Service Access to capture access attempts to AD objects based on configured SACLs.
  • Next, select Configure the following audit events checkbox.
  • Enable Success and Failure events based on your needs and click Apply.
  • Repeat the same steps, starting from DS Access, for Audit Directory Service Changes to track what modifications were made to Active Directory objects. Directory Service Changes is the subcategory that produces event IDs 5136, 5137, 5139, and 5141.
  • After enabling the audit policies, run the command below in the Run window or terminal on the domain controller to apply the changes.
    gpupdate /force

Define OU audit entries in ADSI Edit

After enabling the above, configure auditing entries on OUs to record which Active Directory users or groups perform specific operations. This provides a detailed audit trail showing who created, deleted, moved, or modified an OU and when the action occurred. Follow the steps below to configure auditing entries and permissions for Organizational Units (OUs) using ADSI Edit.

  • Open the ADSI Edit console by running adsiedit.msc from the Run dialog.
  • Right-click on the ADSI Edit node and click the Connect to option.
  • In the Connection Settings window, select Default naming context from the Select a well known Naming Context dropdown and click OK to connect.
  • Next, expand the Default Naming Context node to access the sub node. Right-click on the domain, select Properties and navigate to the Security tab.
  • Click Advanced and navigate to the Auditing tab to add a new entry. Choose Add, then click on Select a principal in the Auditing Entry window.
  • Enter the object name (for example, Everyone) and click Check Names to validate it. Then, select OK to add the object name.
  • In the Permissions window, select Create All Child Objects, Delete, Delete Child, Write All Properties, Write DAC, Write Owner, and any other required audit permissions.
  • Select OK to save the changes.
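To confirm both prerequisites are actually in effect, the following added example (not part of the original post) checks the Directory Service Changes audit subcategory with auditpol and inspects the audit entries on the domain naming context for the rights listed above; it assumes the ActiveDirectory module is installed and must be run elevated on a domain controller.

```powershell
Import-Module ActiveDirectory

function Test-OUAuditConfiguration {
    # auditpol prints a table; the subcategory row ends with its current setting
    $policyRow = auditpol /get /subcategory:"Directory Service Changes" |
        Where-Object { $_ -match 'Directory Service Changes' }
    $policyOk = [bool]($policyRow -match 'Success')

    # Audit (SACL) entries on the domain root; the AD: drive comes with the module
    $domainDN = (Get-ADDomain).DistinguishedName
    $audit = (Get-Acl -Path "AD:\$domainDN" -Audit).Audit

    # ActiveDirectoryRights names for the permissions chosen in the Auditing Entry window
    $needed = 'CreateChild', 'DeleteChild', 'Delete', 'WriteProperty', 'WriteDacl', 'WriteOwner'
    $coverage = foreach ($right in $needed) {
        $hits = $audit | Where-Object {
            $_.AuditFlags -match 'Success' -and
            ("$($_.ActiveDirectoryRights)" -match $right -or
             "$($_.ActiveDirectoryRights)" -match 'GenericAll')   # GenericAll implies every right
        }
        [PSCustomObject]@{
            Right   = $right
            Audited = [bool]$hits
            By      = ($hits.IdentityReference | ForEach-Object { $_.Value }) -join ', '
        }
    }

    [PSCustomObject]@{
        DirectoryServiceChangesPolicy = if ($policyOk) { 'Enabled' } else { 'NOT enabled' }
        SaclEntries                   = $coverage
    }
}

$result = Test-OUAuditConfiguration
"Directory Service Changes audit policy: $($result.DirectoryServiceChangesPolicy)"
$result.SaclEntries | Format-Table -AutoSize
```

Any right reported as Audited = False means the corresponding OU operation will not produce a 5136/5137/5139/5141 event, even though the audit policy itself is enabled.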

2. Why is auditing Organizational Unit changes important in Active Directory?

In Active Directory, Organizational Units serve as the delegation boundary of your directory access. When an administrator unexpectedly moves a user to a different OU, it can break Group Policy inheritance completely. This results in sudden loss of application access and login failures that disrupt business operations. Auditing OU changes ensures every modification is recorded with a timestamp. This enables IT teams to quickly identify the change, restore the correct configuration, and maintain compliance.

Here are some scenarios where auditing OU changes helps admins detect, investigate, and respond to critical Active Directory changes.

Scenarios where auditing OU changes is necessary

  • Identify Unauthorized OU Deletion: Deleting an OU causes all child objects to lose their policy bindings immediately. Track audit logs to identify the responsible account for investigation and recovery and to prevent prolonged downtime.
  • Detect Privilege Escalation through OU Restructuring: Attackers may relocate user accounts into higher-privileged OUs to inherit admin-level permissions. Auditing uncovers such movements before elevated access is abused.
  • Reveal GPO Inheritance Disruption: Modifying or reorganizing OUs can break linked Group Policy Objects across the environment. Audit trails reveal not only the resulting failures but the structural directory changes behind them, so admins can identify the root cause.
  • Ensure Compliance and Regulatory Requirements: Frameworks such as SOX, HIPAA, PCI DSS, and ISO 27001 require organizations to maintain demonstrable control over critical directory objects. OU audit logs provide clear, timestamped evidence of changes for compliance audits.
  • Find Lateral Movement During a Breach: Attackers often remove AD objects to establish persistence or expand access after gaining a foothold. Unusual OU changes during off-hours provide early warning signs, giving security teams time to respond.
