How to move AD users between OUs using Move-ADUser


If you want to move an AD user to another OU using PowerShell, the easiest way is through the Move-ADUser cmdlet. It helps IT administrators move users to a different OU based on the needs of the organization (like department shifts) or for compliance reasons (such as applying targeted Group Policies or security controls). This article covers practical examples of moving single and multiple users efficiently while maintaining security and accountability.

 

Move AD users to another OU using PowerShell

Prerequisites

  1. Open the PowerShell ISE as an administrator.
  2. If the Active Directory (AD) module isn't installed, download and install the Remote Server Administration Tools package for your Windows version. Then import the module:
    Import-Module ActiveDirectory
  3. Run the following command in PowerShell to move a user to another OU. Replace username with the user's name and TargetOU with the destination OU's distinguished name:
    Get-ADUser -Identity "username" | Move-ADObject -TargetPath "OU=TargetOU,DC=domain,DC=com"
  4. To move multiple users at once, use the following script to get all users from a source OU and pipe them to Move-ADObject:
    $users = Get-ADUser -Filter * -SearchBase "OU=SourceOU,DC=contoso,DC=com" | Select-Object -Property DistinguishedName
    foreach ($user in $users) {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath "OU=DestinationOU,DC=contoso,DC=com"
    }

Examples of using Move-ADUser

Example 1: Move an AD user to another OU

This moves the user's account to a target OU within the same domain:

Get-ADUser -Identity <sAMAccountName> | Move-ADObject -TargetPath "OU=<TargetOU>,DC=<domain>,DC=<tld>"

Example 2: Move the user using the distinguished name

This directly moves the user from the source OU to the target OU using their distinguished name:

Move-ADObject -Identity "CN=<UserCN>,OU=<SourceOU>,DC=<domain>,DC=<tld>" -TargetPath "OU=<TargetOU>,DC=<domain>,DC=<tld>"

Example 3: Move multiple users in bulk from a CSV file

This moves multiple users to a new finance OU by importing their usernames from a CSV file:

Import-Csv "C:\UsersList.csv" | ForEach-Object {
    Get-ADUser -Identity $_.SamAccountName | Move-ADObject -TargetPath "OU=Finance,DC=domain,DC=com"
}

Example 4: Move all users from one OU to another

This moves every user from the source OU to the target OU:

Get-ADUser -SearchBase "OU=<SourceOU>,DC=<domain>,DC=<tld>" -Filter * | ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath "OU=<TargetOU>,DC=<domain>,DC=<tld>" }

Example 5: Move the user to a child OU

This moves the user to the nested OU inside the main OU:

Get-ADUser -Identity <sAMAccountName> | Move-ADObject -TargetPath "OU=<ChildOU>,OU=<ParentOU>,DC=<domain>,DC=<tld>"

Supported parameters

The following are a few parameters commonly used with the Move-ADUser cmdlet:

Parameter      Description
-Identity      Specifies the AD object (the user, computer, group, etc.) to be moved; you can use the object’s distinguished name or globally unique identifier (GUID)
-TargetPath    Defines the destination OU or container where the object should be moved to
-Server        Specifies the domain controller (DC) or AD Domain Services instance to connect to for executing the move operation
-Credential    Runs the command using alternate user credentials instead of those of the account that is currently logged in
-Partition     Identifies the AD partition that contains the object to be moved (for example, DC=domain,DC=com)
-PassThru      Returns the moved object after the command runs, allowing you to verify it or use it in subsequent commands
-Confirm       Prompts you for confirmation before executing the move, which is useful for avoiding accidental changes
-WhatIf        Simulates the command without making any changes, letting you review the outcome beforehand

Troubleshooting tips

Error: Cannot validate argument on parameter 'Identity'. The argument is null.

Solution: This means the $user or identity variable is empty or not correctly retrieved. Make sure you pass a valid object or distinguished name. For instance, use Get-ADUser $username to fetch the user and confirm the variable contains the expected object before using it in Move-ADUser.

Error: The operation could not be performed because the object's parent is either uninstantiated or deleted.

Solution: This occurs when the target OU doesn't exist, is misspelled, or was recently removed. Check the distinguished name carefully and verify the OU exists using Get-ADOrganizationalUnit.

Error: Move-ADObject: No credentials are available in the security package.

Solution: This happens when the current security context lacks required permissions, especially during cross-domain moves. Ensure you have the correct rights and consider specifying the -Credential parameter or reauthenticating with an account that has adequate privileges.

Error: The requested operation could not be performed because the directory service is not the master for that type of operation.

Solution: When moving objects across domains, ensure that both the source and target DCs are relative identifier (RID) Masters. Connect to the appropriate DC or perform the move on a DC holding the RID Master role for both domains. Verify roles using netdom query fsmo.

Error: Can't move objects with memberships across domain boundaries.

Solution: Users in domain local groups cannot be moved across domains directly. Remove them from incompatible groups first, perform the move, then reassign group memberships afterward.

Error: Access is denied.

Solution: The account running the command lacks sufficient permissions. Execute PowerShell with an account that has the necessary rights: ideally Domain Admins or delegated permissions for the relevant OUs.

Error: Move-ADObject: Source and destination for the cross-domain move operation are identical. Caller should use local move operation instead of cross-domain move operation.

Solution: This happens if the source and target OUs are the same. Verify that the source and destination distinguished names are different before attempting the move.
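
The pre-checks from the troubleshooting tips above, combined into one bulk move with a dry run and an audit log. This is an added example, not code from the original article or from any vendor; it calls Move-ADObject as the article's own commands do. The function name Move-UsersFromCsv, the log path, and the log columns are hypothetical, and the CSV is assumed to have a SamAccountName column as in Example 3.

```powershell
# Added example: Move-UsersFromCsv is a hypothetical helper, not a built-in cmdlet.
function Move-UsersFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,    # CSV with a SamAccountName column
        [Parameter(Mandatory)] [string] $TargetOU,   # destination OU distinguished name
        [string] $LogPath = '.\MoveUsers-log.csv'    # assumed audit log location
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Fail early if the target OU is missing or misspelled, instead of hitting
    # "the object's parent is either uninstantiated or deleted" for every user.
    try { $ou = Get-ADOrganizationalUnit -Identity $TargetOU -ErrorAction Stop }
    catch { throw "Target OU not found: $TargetOU" }

    $results = foreach ($row in Import-Csv -Path $CsvPath) {
        $name = "$($row.SamAccountName)".Trim()
        $entry = [ordered]@{ Time = (Get-Date -Format o); RunBy = "$env:USERDOMAIN\$env:USERNAME"
                             SamAccountName = $name; From = ''; To = $ou.DistinguishedName; Status = '' }
        if (-not $name) {
            $entry.Status = 'Skipped: empty SamAccountName'   # avoids the null -Identity error
        }
        else {
            try {
                $user = Get-ADUser -Identity $name -ErrorAction Stop
                # Parent container = DN minus the leading RDN (split on the first unescaped comma).
                $entry.From = ($user.DistinguishedName -split '(?<!\\),', 2)[1]
                if ($entry.From -eq $ou.DistinguishedName) {
                    $entry.Status = 'Skipped: already in target OU'
                }
                elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $($ou.DistinguishedName)")) {
                    $moved = Move-ADObject -Identity $user -TargetPath $ou.DistinguishedName -PassThru -ErrorAction Stop
                    $entry.Status = "Moved: $($moved.DistinguishedName)"
                }
                else { $entry.Status = 'Not moved (WhatIf or declined)' }
            }
            catch { $entry.Status = "Failed: $($_.Exception.Message)" }
        }
        [pscustomobject]$entry
    }
    # Keep the audit log even on a -WhatIf run, so the dry run itself is recorded.
    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append -WhatIf:$false
    $results
}

# Dry run first, then repeat without -WhatIf:
# Move-UsersFromCsv -CsvPath 'C:\UsersList.csv' -TargetOU 'OU=Finance,DC=domain,DC=com' -WhatIf
```

The returned objects record who ran the move, each account's previous container, and the outcome, so a change reviewer can reconcile the log against the approved request.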

Move AD users between OUs using ADUC

AD Users and Computers (ADUC) is a common method of moving AD users.

  1. Open ADUC.
  2. Go to the source OU where the users are currently located.
  3. Select the user account you want to move. Right-click the selected user, click Move, then select the destination OU in the dialog box.
  4. To select multiple users, hold Shift and Ctrl while clicking. Drag and drop the selected users into the target OU on the left panel.
  5. Click OK in the dialog box to confirm the move.
Moving an AD user into another OU in AD using ADUC.

Move AD users to another OU in bulk using ADManager Plus

You can easily move user accounts, either individually or in bulk, between OUs using ADManager Plus.

  1. Sign in to ADManager Plus.
  2. Go to Management > User Management.
  3. Click Move Users under Bulk User Modification.
  4. Click the + icon and select the target container (OU).
  5. From the drop-down menu, select the domain in which the users are currently located. If you know the OU where the users reside, click Add OUs and select it.
  6. Find users by name or import a CSV file.
  7. Click Apply to move the selected users to the new OU.
Moving users between OUs in AD using ADManager Plus.

Limitations of using native tools to move AD users between OUs

Although moving AD users from one OU to another with native tools like PowerShell looks simple, it comes with a few limitations:

  • PowerShell scripts can get complex when updating multiple users.
  • Troubleshooting errors takes time and affects productivity.
  • The syntax, parameters, and iterations need to be correct. A typo or incorrect syntax might be difficult to spot and rectify, especially when the script is a long one.
  • You can move the AD user only if you know the distinguished name or the GUID of the AD account.
  • You cannot delegate the modification of AD accounts or other AD management tasks to help desk technicians.

Highlights of using ADManager Plus to move users between OUs

ADManager Plus makes AD management easier and faster through a single, intuitive console. Here’s why it’s a better choice for IT teams:

Move users to different OUs in bulk using a CSV file.

FAQ

Using ADUC

Moving a computer object between OUs in ADUC doesn't involve just a single permission; it requires delete rights on computer objects in the source OU and create rights on computer objects in the target OU, which is what the steps below grant. However, this is considered highly privileged access.

To minimize risk, delegate these rights to a dedicated security group and review its membership regularly:

  1. Open ADUC.
  2. Right-click the source OU and click Delegate Control.
  3. Add the security group or user to delegate permissions.
  4. Select Create a custom task to delegate > Only the following objects in the folder > Computer objects.
  5. Check Delete selected objects in this folder.
  6. Repeat steps 1 through 4 for the target OU.
  7. Check Create selected objects in this folder.

Using PowerShell

Run the same script for both the source and target OUs:

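# Replace values. Run once for the source OU and once for the target OU.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-ACL and Set-ACL
$OU = 'OU=SourceOU,DC=yourdomain,DC=com'
$group = 'YOURDOMAIN\DelegatedGroup'
# Keep the SecurityIdentifier object: the access rule constructor expects an IdentityReference, not a string
$groupSID = (New-Object System.Security.Principal.NTAccount($group)).Translate([System.Security.Principal.SecurityIdentifier])
# schemaIDGUID of the computer object class
$ComputerObjectGUID = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
# CreateChild and DeleteChild are the "create/delete selected objects in this folder" rights, scoped by the object-type GUID.
# Delete would instead grant deletion of the OU itself and everything inheriting from it.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($groupSID, $rights, 'Allow', $ComputerObjectGUID, 'All')
$acl = Get-ACL "AD:\$OU"
$acl.AddAccessRule($rule)
Set-ACL "AD:\$OU" $acl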

Using ADManager Plus

Alternatively, script-free tools like ADManager Plus can be used to do the same with just a few clicks:

  1. Sign in to ADManager Plus.
  2. Go to Delegation > Help Desk Delegation > Help Desk Roles.
  3. Click + Create New Role.
  4. Enter a role name.
  5. Go to Computer Management, select Move Computers under Bulk Computer Modification, and click Save.
  6. Go to Delegation > Help Desk Delegation > Help Desk Technicians.
  7. Click + Add New Technician to create a new technician.
  8. Assign the newly created role to that technician.

Moving users across domains requires trust and migration tools (such as AD Migration Tool (ADMT) or PowerShell) or click-and-go interface tools (like ADManager Plus), as ADUC alone cannot handle password, security identifier (SID) history, or domain-specific attribute replication.

Using ADMT

  1. Install ADMT on a server in the target domain.
  2. Ensure a trust relationship exists between the source and target domains or forests.
  3. Open ADMT and select User Account Migration Wizard.
  4. Choose the source domain or forest and select the user accounts to be migrated.
  5. Specify the target domain and OU for the users.
  6. Configure migration options such as the password migration, SID history, and group memberships.
  7. Run the migration.

Using PowerShell

For cross-domain or cross-forest migration, you can use an export and import approach.

  1. Export users from the source domain:
    Get-ADUser -Filter * -Properties * | Export-Csv C:\Temp\Users.csv -NoTypeInformation
  2. Modify the CSV to match the target domain attributes (the new OU, User Principal Name, etc.).
  3. Import users into the target domain:
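    # The export in step 1 has no OU or Password column; both must be added to the CSV in step 2.
    # The CSV then holds plaintext passwords: restrict access to it and delete it after the import.
    Import-Csv C:\Temp\Users.csv | ForEach-Object {
        New-ADUser -Name $_.Name -SamAccountName $_.SamAccountName -UserPrincipalName $_.UserPrincipalName -Path $_.OU -GivenName $_.GivenName -Surname $_.Surname -AccountPassword (ConvertTo-SecureString $_.Password -AsPlainText -Force) -Enabled $true
    }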

Using ADManager Plus

For a script-free, user-friendly option:

  1. Sign in to ADManager Plus.
  2. Go to Management > Migration > User Migration.
  3. Select the users to migrate.
  4. Configure the source and target settings.
  5. Click Preview and run the migration.