Using PowerShell, I was building a script to identify a subset of the groups in a given organizational unit (OU). As you may know, these are built up of subsections with the prefixes CN (common name) and DC (Domain Component). In order to have the script run successfully, you need to specify the OU using the full path, which looks something like this: CN=Users,DC=Fabrikam,DC=com
.
The easiest and quickest way I know of finding this path, is by searching for one of the members (be it user or group) using PowerShell:
When searching for a user:
Get-ADUser ChewDavid
DistinguishedName : CN=Chew David,OU=NorthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM
Enabled : True
GivenName : David
Name : Chew David
ObjectClass : user
ObjectGUID : e1418d64-096c-4cb0-b903-ebb66562d99d
SamAccountName : ChewDavid
SID : S-1-5-21-2889043008-4136710315-2444824263-3544
Surname : David
UserPrincipalName :
When searching for a group:
Get-ADGroup -Identity Administrators
DistinguishedName : CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com
GroupCategory : Security
GroupScope : DomainLocal
Name : Administrators
ObjectClass : group
ObjectGUID : 02ce3874-dd86-41ba-bddc-013f34019978
SamAccountName : Administrators
SID : S-1-5-32-544
In both cases, we can then read the OU out of the results. For the user in this example, it is OU=NorthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM
, whereas it is CN=Builtin,DC=Fabrikam,DC=com
for the group.
By posting a comment, you consent to our collecting the information you enter. See privacy policy for more information.