Set-ADOrganizationalUnit

Modify an Active Directory organizational unit.

Syntax
      Set-ADOrganizationalUnit [-Identity] ADOrganizationalUnit
         [-Add hashtable] [-City string] [-Clear string[]] [-Country string]
            [-Description string] [-DisplayName string] [-ManagedBy ADPrincipal]
               [-Partition string] [-PostalCode string] [-ProtectedFromAccidentalDeletion bool]
                  [-Remove hashtable] [-Replace hashtable] [-State string]
                     [-StreetAddress string] [-AuthType {Negotiate | Basic}]
                        [-Credential PSCredential] [-PassThru] [-Server string]
                           [-Confirm] [-WhatIf] [CommonParameters]

      Set-ADOrganizationalUnit -Instance ADOrganizationalUnit
         [-AuthType {Negotiate | Basic}]
            [-Credential PSCredential] [-PassThru] [-Server string]
               [-Confirm] [-WhatIf] [CommonParameters]

Key
   -Add hashtable
       Specify values to add to an object property.
       Use this parameter to add one or more values to a property that cannot be modified
       using a cmdlet parameter. To modify an object property, you must use the LDAP provider name.
       Specify multiple values to a property by specifying a comma-separated list of values
       and more than one property by separating them using a semicolon.
       The format for this parameter is 

          -Add @{Attribute1LDAPName=value1, value2, ...;
                 Attribute2LDAPName=value1, value2, ...; AttributeNLDAPName=value1, value2, ...}

       For example, to remove the value "555-222-2222" and add the values "555-222-1111" and "555-222-3333"
       to the Phone-Office-Other attribute (LDAP provider name: 'otherTelephone'), and add the value
       "555-222-9999" to Phone-Mobile-Other (LDAP provider name: 'otherMobile'), set the Add and Remove
       parameters as follows.

          -Add @{otherTelephone='555-222-1111', '555-222-3333'; otherMobile='555-222-9999'} -Remove @{otherTelephone='555-222-2222'}

       When you use the -Add, -Remove, -Replace and -Clear parameters together, the operations are
       performed in the order: Remove, then Add, then Replace, then Clear.

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -City string
       The user’s town or city.
       The LDAP provider name (ldapDisplayName) of this property is "l".

   -Clear string[]
       An array of object properties that will be cleared in the directory.
       Use this parameter to clear one or more values of a property that cannot be modified
       using a cmdlet parameter. To modify an object property, you must use the LDAP provider name.
       Modify more than one property by specifying a comma-separated list.
       The format for this parameter is
          -Clear Attribute1LDAPName, Attribute2LDAPName

       For example, to clear the value for the Phone-Office-Other attribute
       (LDAP provider name: 'otherTelephone') set the Clear parameter as follows.

          -Clear otherTelephone

   -Country string
       The country or region code for the user’s language of choice (2 character code ISO 3166).
       The LDAP provider Name (ldapDisplayName) of this property is "c".

   -Credential PSCredential
       The user account credentials to use to perform this task.
       The default credentials are those of the currently logged on user unless the
       cmdlet is run from an Active Directory PowerShell provider drive.
       If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

       Type a user name, such as "User64" or "Domain64\User64", or specify a
       PSCredential object such as one generated by Get-Credential.

       If a user name is specified, the cmdlet will prompt for a password.

   -Description string
       A description of the object.

   -DisplayName string
       The display name of the object.

   -Identity ADOrganizationalUnit
       An AD organizational unit object. Most often this will be a Distinguished Name (e.g. OU=demo,DC=SS64,DC=com)
       The identity may also be given as a GUID, Security Identifier or sAMAccountName.

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       The AD OU object may also be passed through the pipeline or set via a variable.

   -Instance ADOrganizationalUnit
       A modified copy of an OU object to use to update the actual AD OU object.
       When this parameter is used, any modifications made to the modified copy of
       the object are also made to the corresponding AD object.
       The cmdlet only updates the object properties that have changed.

       The -Instance parameter can only update OU objects that have been retrieved
       by using Get-ADOrganizationalUnit. When you specify the -Instance parameter, you
       cannot specify other parameters that set properties on the object.

       The following is an example of how to use Get-ADOrganizationalUnit to retrieve an
       instance of the AD OU object. The object is modified by using the PowerShell
       command line. Then the Set-ADOrganizationalUnit cmdlet saves the changes to the AD object.

        Step 1: Retrieve a local instance of the object.
            $ouInstance = Get-ADOrganizationalUnit  -Identity "OU=Houston,DC=corp,DC=SS64,DC=com"

        Step 2: Modify one or more properties of the object instance.
            $ouInstance.ManagedBy= "CN=FlightControl,CN=Users,DC=corp,DC=SS64,DC=com"

        Step 3: Save your changes to "Houston".
            Set-ADOrganizationalUnit -Instance $ouInstance

   -ManagedBy ADPrincipal
       The user or group that manages the object by providing one of the following property values.
       Note: The identifier in parentheses is the LDAP provider name for the property.
          Distinguished Name 
            Example:  CN=demo1,OU=Europe,CN=Users,DC=corp,DC=ss64,DC=com
          GUID (objectGUID) 
            Example: 599c3d2e-f72d-4d20-8a88-030d99495f20 
          Security Identifier (objectSid) 
            Example: S-1-5-64-3265277888-301567356-523410843-1244
          SAM Account Name (sAMAccountName) 
            Example: demo1

   -Partition string
       The distinguished name of an AD partition.
       string must be one of the naming contexts on the current directory server.
       The cmdlet searches this partition to find the object defined by the -Identity parameter.
       Examples:
         -Partition "CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=COM"
         -Partition "CN=Schema,CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=COM"

       In many cases, a default value will be used for -Partition if no value is specified.

   -PassThru switch
       Return the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet does not generate any output.

   -PostalCode string
       The user’s postal code or zip code.

   -ProtectedFromAccidentalDeletion bool
       Whether to prevent the object from being deleted.
       When this property is set to true, you cannot delete the corresponding object without
       first changing the value of this property.
       Possible values: $false or 0, $true or 1

   -Remove hashtable
       Remove values of an object property.
       Use this parameter to remove one or more values of a property that cannot be modified
       using a cmdlet parameter. To remove an object property, you must use the LDAP provider name.
       You can remove more than one property by specifying a semicolon-separated list.
       The format for this parameter is 
          -Remove @{Attribute1LDAPName=value[];   Attribute2LDAPName=value[]}
        
       For example, to add the values Blue and Green and remove the value Pink from a property with an LDAP
       display name of FavColors, set the Add and Remove parameters as follows.
          -Add @{FavColors='Blue','Green'} -Remove @{FavColors='Pink'}

   -Replace hashtable
       Specify values for an object property that will replace the current values.
       Use this parameter to replace one or more values of a property that cannot be modified
       using a cmdlet parameter. To modify an object property, you must use the LDAP provider name.
       You can modify more than one property by specifying a semicolon-separated list.
       The format for this parameter is
          -Replace @{Attribute1LDAPName=value[];   Attribute2LDAPName=value[]}

   -Server string
       The AD Domain Services instance to connect to. This may be a fully qualified domain name,
       a NetBIOS name, or a fully qualified directory server name (with or without a port number).

   -State string
       The user’s or Organizational Unit’s state or province.
        
   -StreetAddress string
       The organizational unit’s street address.

   -Confirm
       Prompt for confirmation before executing the command.

   -WhatIf
       Describe what would happen if you executed the command without actually executing the command.

Set-ADOrganizationalUnit modifies the properties of an AD Organizational Unit. You can modify commonly used property values by using the cmdlet parameters. Property values that are not associated with cmdlet parameters can be modified by using the -Add, -Replace, -Clear and -Remove parameters.

The -Identity parameter specifies the AD organizational unit to modify. Identify an OU by its distinguished name (DN) or GUID. Alternatively, set the -Identity parameter to an object variable or pass an object through the pipeline, e.g. from Get-adOrganizationalUnit.

The -Instance parameter provides a way to update an OU object by applying the changes made to a copy of the object. To get a copy of an object use Get-adOrganizationalUnit, then use Set-ADOrganizationalUnit -Instance to save any changes made back to the original OU object. When the -Instance parameter is specified do not also pass the -Identity parameter. For more information see help about_ActiveDirectory_Instance.

Examples

Set the description of an OrganizationalUnit:

PS C:\> Set-ADOrganizationalUnit -Identity "OU=UserAccounts,DC=SS64,DC=com" -Description "This OU holds all of the users accounts of SS64.com"

Set the 'ProtectedFromAccidentalDeletion' property on an OU to $false:

PS C:\> Set-ADOrganizationalUnit -Identity "OU=UserAccounts,DC=SS64,DC=com" -ProtectedFromAccidentalDeletion $false

Set the Country, City and co (friendlyCountryName) properties on an OrganizationalUnit:

PS C:\> Set-ADOrganizationalUnit -Identity "OU=AsiaPacific,OU=Sales,OU=UserAccounts,DC=SS64,DC=com" -Country "AU" -StreetAddress "45 Martens Place" -City Balmoral -Replace @{co="Australia"}

Edit the properties of an Organizational Unit:

$WarehouseOU = Get-ADOrganizationalUnit "OU=Warehouse,OU=UserAccounts,DC=SS64,DC=com"

$WarehouseOU.Country = "UK"
$WarehouseOU.StreetAddress = "22 Taylor St."
$WarehouseOU.City = "Seahouses, Northumberland"
$WarehouseOU.PostalCode = "NE68 7RB"
$WarehouseOU.co = "United Kingdom"

Set-ADOrganizationalUnit -Instance $WarehouseOU
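
Find OUs that have lost their 'ProtectedFromAccidentalDeletion' flag and re-protect them, previewing the change with -WhatIf first. This is an added example, not part of the original page; the search base is an assumed value, and the script needs the ActiveDirectory module plus rights to modify the OUs:

```powershell
# Added example. Assumption: OU=UserAccounts,DC=SS64,DC=com is the subtree to audit.
Import-Module ActiveDirectory

$query = @{
    Filter     = '*'
    SearchBase = 'OU=UserAccounts,DC=SS64,DC=com'
    # ProtectedFromAccidentalDeletion is an extended property: it is only
    # returned when requested explicitly with -Properties.
    Properties = 'ProtectedFromAccidentalDeletion', 'ManagedBy'
}

# Collect every OU in the subtree whose deletion protection is switched off.
$unprotected = @(Get-ADOrganizationalUnit @query |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion })

if ($unprotected.Count -eq 0) {
    Write-Output 'All OUs under the search base are protected.'
    return
}

# 1. Report what was found, including who manages each OU.
$unprotected |
    Select-Object Name, DistinguishedName, ManagedBy |
    Format-Table -AutoSize

# 2. Dry run: -WhatIf prints the intended change without writing to the directory.
$unprotected | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true -WhatIf

# 3. Apply the change, then re-read each OU from the directory to confirm it,
#    because the cmdlet produces no output unless -PassThru is given.
$unprotected | ForEach-Object {
    Set-ADOrganizationalUnit -Identity $_ -ProtectedFromAccidentalDeletion $true
    Get-ADOrganizationalUnit -Identity $_.DistinguishedName `
        -Properties ProtectedFromAccidentalDeletion
} | Select-Object DistinguishedName, ProtectedFromAccidentalDeletion
```

Remove step 3 (or leave only the -WhatIf line) to use the script as a read-only audit.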

“Never trust a man who, when left alone with a tea cosy, doesn’t try it on” ~ Billy Connolly

Related PowerShell Cmdlets

Get-adOrganizationalUnit - Get one or more AD OUs.
New-adOrganizationalUnit - Create a new AD OU.
Remove-adOrganizationalUnit - Remove an AD OU.


 
Copyright © 1999-2024 SS64.com
Some rights reserved