Find What OU A User Is In & Get its Location in Active Directory

Written By Mohit Jha
Approved By Anuraag Singh  
Published On July 11th, 2024

The task of finding what OU a user is in may seem easy at first. However, once admins start to peel back the layers, they realize the actual challenges. An OU structure can become quite complex, with multiple child OUs under a single parent, each with its own set of unique users.

So naturally, newly appointed admins find it difficult to pinpoint the exact location of a user in the AD-OU maze, especially if they were not present during the design phase of the Active Directory in question. Moreover, doing away with this container-style structure is out of the question: OUs are the basic building blocks on which administrators assign all policies and permissions. But before we discuss the solutions to get the user’s OU report, let’s look at the importance of knowing where your users are in the first place.

Why do Admins want to Find What OU A User Is In?

Identifying the Organizational Unit of a user often coincides with the need to check user login history in an AD. Apart from this, some of the other common scenarios are as follows.

Review the Active Directory Health: Active Directory can only be considered healthy if its underlying components are in their correct position, and admins must see that this is true for users as well. Therefore, they must have a report ready to compare the expected user location with its real OU.

Planning on Moving Users Across OUs: Resetting a user's position in an AD is not new. It could be a small internal change or part of a larger Active Directory migration. Whenever a company’s demands change, a change in the user’s OU follows, and for that admins first have to see the user's current location.

Remapping Orphaned Users in the AD: Active Directory can’t have orphaned users in the traditional sense, that is, users with no OU. Here, orphan refers to users who are not yet assigned a custom OU and are stuck with the default Domain Controller OU. It is the admin’s job to identify them and put them in the correct OU.

With these reasons behind us, we are ready to see the traditional methods admins have for getting the user OU data.

Scripts to Find User Location in Active Directory

We have three script categories for you to choose from. Pick the one that is most appropriate for your AD environment.

Visual Basic

' Save as a .vbs file and run it with cscript.
' ADSystemInfo.UserName holds the distinguished name of the logged-on user.
Set userSysInfo = CreateObject("ADSystemInfo")
Set userObject = GetObject("LDAP://" & userSysInfo.UserName)
WScript.Echo "DN: " & userObject.distinguishedName

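PowerShell

Install the RSAT tool and use the following cmdlets.

# Load the Active Directory cmdlets that ship with RSAT
Import-Module ActiveDirectory

# OU to search and the CSV file to write
$OUpath = 'ou=Managers,dc=enterprise,dc=com'
$ExportPath = 'c:\data\users_in_ou1.csv'

# List the users under the OU and export their DN, name and UPN
Get-ADUser -Filter * -SearchBase $OUpath |
    Select-Object DistinguishedName, Name, UserPrincipalName |
    Export-Csv -NoTypeInformation -Path $ExportPath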

Command Line

Open cmd on your machine and type:

whoami /fqdn

This is a user-level command: it reports the distinguished name of the logged-on account, so it gives an accurate result when run from an admin AD session.

Note: Copy-pasting these scripts into a live AD environment is not recommended. Moreover, they are generalized for a wide audience, so you may have to fine-tune them quite a lot. If you don’t wish to type a script or are worried about unnecessary complexity, then by all means skip these code-based methods. There is the option to use the Active Directory Users & Computers (ADUC) console to achieve a similar result.

Getting the OU list Using ADUC

Although using ADUC to list inactive computers is easy, the same can’t be said for checking the user OU list. The following steps explain why this is so.

  • Launch the ADUC
  • Turn on Advanced View
  • Click on the Object section
  • There, you can see the OU for the user.

Follow the same path if you want to find the user location in Active Directory for the remaining users as well.
Admins have to repeat these steps for each user individually, which is quite time-consuming. Another reason to avoid this route is that there is no way to extract this information from the ADUC console. So all admins can do is view the results. However, there is yet another way to see a user’s OU data.

Get AD User from OU with A Complete PowerShell Script

# Import the Active Directory module
Import-Module ActiveDirectory

# Function to group users by their OUs, sort them, and export the results to a CSV file
function Get-UsersGroupedByOU {
    # Retrieve all users in Active Directory
    $allUsers = Get-ADUser -Filter * -Properties DistinguishedName

    # Create a hashtable to store OU and user mappings
    $ouUserMappings = @{}

    # Iterate through each user
    foreach ($user in $allUsers) {
        # Split the distinguished name on unescaped commas only, so a name such as
        # "CN=Doe\, Jane" is not broken apart, then keep the OU components
        $dnComponents = $user.DistinguishedName -split '(?<=(?<!\\)(?:\\\\)*),'
        $ouComponents = @($dnComponents | Where-Object { $_ -match '^OU=' })

        # Join the OU components back into a string
        if ($ouComponents.Count -gt 0) {
            $ou = $ouComponents -join ','
        } else {
            $ou = "No OU"
        }

        # If the OU is not already a key in the hashtable, create an entry
        if (-not $ouUserMappings.ContainsKey($ou)) {
            $ouUserMappings[$ou] = @()
        }

        # Add the user to the list of users for this OU
        $ouUserMappings[$ou] += $user.SamAccountName
    }

    # Prepare an array to store the sorted output
    $sortedOutput = @()

    # Sort OUs alphabetically
    $sortedOUs = $ouUserMappings.Keys | Sort-Object

    # Output the users grouped by OUs and sort users within each OU alphabetically
    foreach ($ou in $sortedOUs) {
        Write-Output "OU: $ou"
        $sortedUsers = $ouUserMappings[$ou] | Sort-Object
        foreach ($user in $sortedUsers) {
            Write-Output " User: $user"
            # Add the result to the sorted output array
            $sortedOutput += [PSCustomObject]@{
                OU   = $ou
                User = $user
            }
        }
    }

    # Export the results to a CSV file
    $csvPath = "C:\Users\Administrator\Desktop\OUWiseUserList.csv"
    $sortedOutput | Export-Csv -Path $csvPath -NoTypeInformation
    Write-Output "Results exported to $csvPath"
}

# Execute the function to display users grouped by OUs and export to CSV
Get-UsersGroupedByOU


Admins will receive the following CSV file, as shown in the image below.
[Image: PowerShell CSV list of OU-level user data]
Here we have used Excel to view the file but any spreadsheet program will do (even simple text viewers like Notepad can be used).

Automated Means to Find User Location in Active Directory

The SysTools Active Directory Reporter is the go-to method to check user OUs in the Active Directory. With an easy-to-use UI and the ability to put that information in a CSV, there is no native method that can match the speed and accuracy of the tool.


Get a preview option before the final output and filter out useful information with a date picker. Check out the next section and get the easy steps of pulling any user’s Organization Unit data.

Steps to Find What OU A User is in With the Tool

Step 1. Launch the utility on your machine and enter “administrator” in the empty fields for User ID and password.

Step 2. After activation, click on “REGISTER DOMAIN CONTROLLER”.

Step 3. Enter your Domain Friendly Name and IP address in the box, then press Save & Continue.

Step 4. The domain details page opens on its own. Type the actual admin credentials and validate them.

Step 5. Click on the Report tab to open up the reporting options. Choose the all users option.

Step 6. The tool presents the filtering menu, where the options you chose previously are pre-selected. You can toggle the Workload and Category options and find user location in Active Directory easily.

Step 7. Pick a specific duration. There is a list of premade timelines starting from 5 days up to a year, or you can select the custom option to fine-tune your results.

Step 8. Click on the preview button to generate a tabular representation of user login details.

Step 9. Expand the Download Report button and select CSV.

Step 10. Click on the Download button in the popup.

Step 11. In the Save as dialog box, pick the storage location for the report and click Save.

Step 12. View the CSV file output on the external software of your choice.

The tool made the job a lot easier by completing all the hard work. Now, with a little adjustment to the CSV file, we can transform the results to our liking.

Steps After CSV Extraction for OU-Wide User Report

  • Open the Resultant CSV in Excel
  • Drag your cursor to Select your data range in User_List.
  • Go to the Insert tab and click on PivotTable.
  • Continue with the Default selections (i.e. New Sheet) and Hit OK.
  • In the PivotTable Field List:
  • Mark OU and User options in that order.
  • This will automatically group users under their respective OUs.

If you do not have access to Excel, you may as well use Google Sheets or other Spreadsheet programs. However, the steps may vary slightly.

Conclusion

In this guide, users learned how to find what OU a user is in, or, in other words, get the location of the user in the Active Directory forest. Using the techniques outlined here, users no longer have to scroll through confusing, decades-old forums. We have compiled all the scripts right here. Moreover, in our discussion, we covered how ADUC can match users with their Organizational Unit, but the catch is that the information is in a view-only state. So as an alternative, we put forward the best automated solution for all AD reporting needs like this.

Frequently Asked Questions on How to Get AD User from OU

Are there any Keyboard shortcuts to speed up the retrieval of AD users from OU?

  • Yes. First, select the header cell of the User Name column.
  • Hold Shift + Ctrl and Press the Down arrow.
  • Leave the Ctrl Key and Press the Right arrow.
  • Press Alt + N + V > Hit Enter.

This completes everything, from data selection to pivot table creation, in one go. After this, all that’s left is to mark the OU and Users checkboxes one after the other.

Other than PowerShell, what scripting techniques can be used to accumulate an OU user list?
If you just want to view the data, then dsquery is sufficient.
First, open a cmd instance and list out all OUs by typing:

dsquery ou

Then copy a single OU on the clipboard.

Type “dsquery user” and paste the OU path at the end.
Press enter to see the results.


You can also run the “dsquery user” command on its own, but avoid doing so: without an OU path it returns hard-to-read output containing every user on the domain, even the ones that don’t belong in any OU.

Can an Active Directory user be a member of more than one Organizational Unit?
No, an Active Directory user can only belong to a single Organizational Unit (OU) at a time. Unlike groups, which allow multi-user membership, each AD object, including users, has a single Distinguished Name (DN), which specifies its exact location in the directory hierarchy. This DN includes only one OU path. Nested OUs do not change this; a user in a child OU is not considered a member of the parent OU but rather is just located within that nested structure.
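
Because each account has exactly one DN, the OU a given user is in is its DN minus the leftmost component, and that value can be compared with the location an admin expects during a health review. The PowerShell below is an added example, not code from the original article or from the tool it describes; the function names Get-ParentContainer and Compare-UserLocation and the sample records are hypothetical, with the enterprise.com naming borrowed from the snippet earlier in the article.

```powershell
# Added example: function names and the sample records below are constructed.

# Parent container of a DN = everything after the first unescaped comma.
function Get-ParentContainer {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # A separator is a comma preceded by an even number of backslashes, so the
    # escaped comma in "CN=Doe\, Jane" is not mistaken for a component boundary.
    $parts = $DistinguishedName -split '(?<=(?<!\\)(?:\\\\)*),', 2
    if ($parts.Count -lt 2) { throw "Not a multi-component DN: $DistinguishedName" }
    $parts[1]
}

# Compare where each user really is with where the admin expects it to be.
function Compare-UserLocation {
    param(
        [Parameter(Mandatory)][object[]]$User,         # needs SamAccountName, DistinguishedName
        [Parameter(Mandatory)][hashtable]$ExpectedOU   # SamAccountName -> expected parent DN
    )
    foreach ($u in $User) {
        $actual   = Get-ParentContainer -DistinguishedName $u.DistinguishedName
        $expected = $ExpectedOU[$u.SamAccountName]
        if     ($actual -notmatch '^OU=') { $status = 'NotInOU' }        # e.g. a CN= container
        elseif (-not $expected)           { $status = 'NoExpectation' }
        elseif ($actual -eq $expected)    { $status = 'OK' }             # -eq ignores case
        else                              { $status = 'Mismatch' }
        [PSCustomObject]@{
            User = $u.SamAccountName; Status = $status
            ActualParent = $actual;   ExpectedParent = $expected
        }
    }
}

# Constructed sample; on a live domain pass the output of Get-ADUser -Filter * instead.
$sampleUsers = @(
    [PSCustomObject]@{ SamAccountName = 'jdoe';   DistinguishedName = 'CN=Doe\, Jane,OU=Managers,DC=enterprise,DC=com' }
    [PSCustomObject]@{ SamAccountName = 'asmith'; DistinguishedName = 'CN=Alan Smith,OU=Interns,OU=Sales,DC=enterprise,DC=com' }
    [PSCustomObject]@{ SamAccountName = 'svcbak'; DistinguishedName = 'CN=svcbak,CN=Users,DC=enterprise,DC=com' }
)
$expected = @{
    jdoe   = 'OU=Managers,DC=enterprise,DC=com'
    asmith = 'OU=Sales,DC=enterprise,DC=com'
    svcbak = 'OU=Service Accounts,DC=enterprise,DC=com'
}
Compare-UserLocation -User $sampleUsers -ExpectedOU $expected | Format-Table -AutoSize
```

The account under OU=Interns,OU=Sales is reported as a mismatch against OU=Sales, because a user in a child OU is located in that child OU rather than in its parent.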
