5.7. Moving an OU

Problem

You want to move an OU and all its child objects to a different location in the directory tree.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in.

  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, browse to the OU you want to move.

  4. Right-click on the OU and select Move.

  5. Select the new parent container for the OU and click OK.

Using a command-line interface

> dsmove "<OrgUnitDN>" -newparent "<NewParentDN>"

Using VBScript

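' Bind to the container that will become the OU's new parent
set objOU = GetObject("LDAP://<NewParentDN>")
' Move the OU under it; the second argument is the RDN the OU will have there
objOU.MoveHere "LDAP://<OrgUnitDN>", "<OrgUnitRDN>"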

Discussion

One of the benefits of Active Directory is the ability to structure and restructure data easily. Moving an OU, even one that contains a complex hierarchy of other OUs and objects, can be done without impacting the child objects.

If any applications depend on the location of specific objects, ensure that they are either updated with the new location or, preferably, reference the objects by GUID rather than by distinguished name.

You should also be mindful of the ACLs and group policies that the moved OU and its child objects will inherit from the new parent OU.
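
The pre-move check below is an added example, not code from the book. It records the OU's objectGUID and reports which inherited GPOs and propagating ACEs differ between the current and the new parent. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules and that both parents are OUs or the domain root; the function and variable names are illustrative.

```powershell
# Added example: requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

# Placeholders from the recipe; replace with real distinguished names.
$OrgUnitDN   = '<OrgUnitDN>'
$NewParentDN = '<NewParentDN>'

$ou          = Get-ADOrganizationalUnit -Identity $OrgUnitDN
# Current parent = the OU's DN with its first RDN removed (split on first unescaped comma).
$oldParentDN = ($ou.DistinguishedName -split '(?<!\\),', 2)[1]

# GPOs in effect at a parent (linked there or inherited by it); these flow to its children.
function Get-EffectiveGpoName([string]$TargetDN) {
    @((Get-GPInheritance -Target $TargetDN).InheritedGpoLinks |
        Where-Object { $_ } | ForEach-Object { $_.DisplayName })
}

# ACEs on a parent that propagate to child objects (InheritanceType other than None).
function Get-PropagatingAce([string]$TargetDN) {
    @((Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { $_.InheritanceType -ne 'None' } |
        ForEach-Object { '{0} {1} {2}' -f $_.AccessControlType,
                         $_.IdentityReference, $_.ActiveDirectoryRights })
}

$oldGpo = Get-EffectiveGpoName $oldParentDN
$newGpo = Get-EffectiveGpoName $NewParentDN
$oldAce = Get-PropagatingAce $oldParentDN
$newAce = Get-PropagatingAce $NewParentDN

[pscustomobject]@{
    ObjectGuid       = $ou.ObjectGUID   # stays the same after the move
    # If either flag is set on the OU, inheritance from any parent is limited.
    GpoBlockedOnOU   = (Get-GPInheritance -Target $OrgUnitDN).GpoInheritanceBlocked
    AclProtectedOnOU = (Get-Acl -Path "AD:\$OrgUnitDN").AreAccessRulesProtected
    GpoGained        = $newGpo | Where-Object { $oldGpo -notcontains $_ }
    GpoLost          = $oldGpo | Where-Object { $newGpo -notcontains $_ }
    AceGained        = $newAce | Where-Object { $oldAce -notcontains $_ }
    AceLost          = $oldAce | Where-Object { $newAce -notcontains $_ }
} | Format-List

# Dry run of the move, addressed by GUID; remove -WhatIf to perform it.
Move-ADObject -Identity $ou.ObjectGUID -TargetPath $NewParentDN -WhatIf

# After a real move, the same GUID resolves to the new distinguished name:
# Get-ADOrganizationalUnit -Identity $ou.ObjectGUID
```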

See Also

MS KB 313066 (HOW TO: Move Users, Groups, and Organizational Units Within a Domain in Windows 2000) and MSDN: IADsContainer::MoveHere
