How to get a list of OUs in AD


Listing organizational units (OUs) is one of the most common AD management tasks, whether you are auditing directory structure, verifying delegation boundaries, or cleaning up an environment. There are three practical ways to do it: the Get-ADOrganizationalUnit PowerShell cmdlet, the Active Directory Users and Computers (ADUC) console, and ADManager Plus.


What is Get-ADOrganizationalUnit?

Get-ADOrganizationalUnit is a cmdlet in the Active Directory PowerShell module that retrieves a single OU by its identity or performs a search to return multiple OUs. An OU is a container used to group users, computers, groups, and other OUs so you can apply Group Policy and delegate permissions at the OU level. Administrators query OUs programmatically to audit the Active Directory hierarchy and structure, confirm delegation, and keep the directory organized.

Each OU is identified by its distinguished name (DN), and the cmdlet returns OU objects whose properties such as Name, canonicalName, and ProtectedFromAccidentalDeletion can be formatted, filtered, and exported. To list the users or computers inside an OU, use Get-ADUser scoped to an OU.

How to list all OUs in a domain

A comprehensive way to list every OU in the domain is to combine the -Filter parameter with Format-Table. The wildcard filter * matches all OUs.

Get-ADOrganizationalUnit -Filter * | Format-Table Name, DistinguishedName -AutoSize

If a query returns nothing, the domain simply has no OUs that match and the cmdlet returns an empty result rather than an error, so wrap large scripts in error handling if you act on the output.

The * wildcard tells the cmdlet to skip filtering and return everything, while Format-Table trims the output to two columns so a 400-OU forest fits on screen. The -AutoSize switch adapts the column widths to your console.

Using the Filter parameter to query OUs

The -Filter parameter narrows results using PowerShell expression language syntax. You can filter by name, by any OU object property, and with wildcards. To retrieve OUs whose name starts with Sales, execute:

Get-ADOrganizationalUnit -Filter "Name -like 'Sales*'" |
Format-Table Name, DistinguishedName -AutoSize

Filter by a specific property

Get-ADOrganizationalUnit -Filter "ProtectedFromAccidentalDeletion -eq '$true'" `
-Properties ProtectedFromAccidentalDeletion

Use the -Properties parameter to pull extended attributes that are not returned by default, and pipe to Format-Table or Select-Object to choose which columns appear.

Retrieving specific OUs with Identity, SearchBase, and SearchScope

To return a single OU, pass its DN to -Identity using:

Get-ADOrganizationalUnit -Identity "OU=Sales,DC=skyy,DC=com" -Properties *

To restrict a search to a subtree, set -SearchBase to the parent DN. You can build the SearchBase dynamically with Get-ADDomain to retrieve the domain's DN.

Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Departments,DC=skyy,DC=com"

Controlling query depth with SearchScope

The -SearchScope parameter controls how deep the search goes from the SearchBase.

  • Base: Returns only the SearchBase object itself.
  • OneLevel: Returns only the immediate child OUs.
  • Subtree: Returns the SearchBase and every nested OU below it.

Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Departments,DC=skyy,DC=com" `
-SearchScope OneLevel

Querying remote domains with Server and Credential

Target a specific domain controller (DC) with -Server, and pass alternate credentials with -Credential for cross-domain or delegated queries:

$cred = Get-Credential # e.g. SKYY\sjacobs
Get-ADOrganizationalUnit -Filter * -Server "dc01.skyy.com" -Credential $cred

Here, Steve Jacobs (sjacobs) supplies delegated credentials to query a remote skyy.com DC.

Exporting OU data to CSV

To export OUs, select the properties you need and pipe to Export-Csv. Specify UTF-8 encoding to avoid character issues and -NoTypeInformation to omit the type header:

Get-ADOrganizationalUnit -Filter * -Properties CanonicalName, ProtectedFromAccidentalDeletion |
Select-Object Name, DistinguishedName, CanonicalName, ProtectedFromAccidentalDeletion |
Export-Csv "C:\Reports\skyy-OUs.csv" -NoTypeInformation -Encoding UTF8

Each additional format or column requires editing and re-running the script. ADManager Plus, by contrast, offers one-click export to CSV, PDF, HTML, CSVDE, and XLSX. You can also generate OU reports with ADManager Plus.

Finding empty OUs and managing OU cleanup

An empty OU contains no child objects and is a candidate for removal during cleanup. You can detect them by testing each OU for child objects with Get-ADObject:

Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $children = Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel
    if (($children | Measure-Object).Count -eq 0) { $_.DistinguishedName }
}

Before deleting an OU, check the ProtectedFromAccidentalDeletion property. When this is set to $true, AD blocks deletion until you clear it. Also confirm which Group Policy Objects (GPOs) are linked to the OU, since removing or restructuring an OU changes policy application; use Get-GPInheritance to audit the linked GPOs before you make changes. Regular OU auditing keeps the directory tidy and avoids orphaned containers.
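The checks described above can be combined into one read-only report. This is an added example, not part of the original page; it assumes the ActiveDirectory and GroupPolicy modules are installed, and it builds the SearchBase from Get-ADDomain as mentioned in the SearchBase section.

```powershell
# Added example: read-only pre-cleanup report. Nothing here modifies the directory.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) are available.
Import-Module ActiveDirectory, GroupPolicy

# Build the search root from the current domain instead of hard-coding a DN.
$domainDn = (Get-ADDomain).DistinguishedName

$report = Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn `
        -Properties ProtectedFromAccidentalDeletion, CanonicalName |
    ForEach-Object {
        $ou = $_

        # One child object is enough to prove the OU is not empty,
        # so cap the result set instead of pulling every child.
        $firstChild = Get-ADObject -Filter * -SearchBase $ou.DistinguishedName `
            -SearchScope OneLevel -ResultSetSize 1

        # GpoLinks lists only GPOs linked directly to this OU, not inherited ones.
        $som = Get-GPInheritance -Target $ou.DistinguishedName

        [pscustomobject]@{
            CanonicalName      = $ou.CanonicalName
            DistinguishedName  = $ou.DistinguishedName
            IsEmpty            = ($null -eq $firstChild)
            Protected          = $ou.ProtectedFromAccidentalDeletion
            LinkedGpos         = ($som.GpoLinks.DisplayName -join '; ')
            InheritanceBlocked = $som.GpoInheritanceBlocked
        }
    }

# Empty OUs that still carry a GPO link or the protection flag need a decision
# before removal; empty, unlinked, unprotected OUs are the low-risk candidates.
$report | Where-Object IsEmpty |
    Sort-Object CanonicalName |
    Format-Table CanonicalName, Protected, LinkedGpos, InheritanceBlocked -AutoSize
```

Get-GPInheritance runs once per OU, so expect the report to take a while in a large domain; narrow -SearchBase to a subtree to shorten it.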

Getting OUs using ADSI Searcher

In large directories, Get-ADOrganizationalUnit accepts -ResultPageSize to control how many objects are returned per page and -ResultSetSize to cap the total number of objects returned. Use -Partition to target application partitions rather than the default domain partition.

Using ADSI Searcher without the AD module

When RSAT cannot be installed, the built-in ADSI DirectorySearcher queries the directory without the AD module:

$searcher = [adsisearcher]"(objectClass=organizationalUnit)"
$searcher.SearchRoot = [adsi]"LDAP://DC=skyy,DC=com"
$searcher.PageSize = 1000
$searcher.FindAll() | ForEach-Object { $_.Properties.distinguishedname }

Viewing OUs in ADUC

The ADUC console is the fastest way to navigate the OU tree of a single domain. It renders the OU hierarchy visually, which makes it ideal for quick navigation rather than reporting.

Steps to view OUs in ADUC

  1. Press Win + R, type dsa.msc, and press Enter.
  2. On the View menu, enable Advanced Features so system containers and the full OU tree are visible.
  3. Expand your domain node in the left pane to see the OUs as folders with a distinct OU icon.
  4. Expand any OU to view nested OUs and the objects they contain.
  5. Right-click an OU and choose Properties to see its attributes; on the Object tab you can confirm whether Protect object from accidental deletion is enabled.

Checking GPO links in ADUC

To see which GPOs apply to an OU, open the Group Policy Management Console and select the OU. The Linked Group Policy Objects tab lists the GPOs in precedence order. This is the counterpart to running Get-GPInheritance in PowerShell.

Listing OUs using ADManager Plus

ADManager Plus, an AD reporting tool, is the script-free alternative to PowerShell and ADUC. Instead of writing and maintaining PowerShell scripts, you select a report, pick a domain, and generate results you can export in multiple formats in a few clicks.

  1. Log in to ADManager Plus.
  2. Navigate to Reports > Contact & OU Reports > OU General Reports > All OUs.
  3. Select the domain and click Generate.
  4. Click Export As to export the report as CSV, PDF, HTML, CSVDE, or XLSX.

The All OUs report showing a list of OUs and their details

Troubleshooting common errors

  • The term Get-ADOrganizationalUnit is not recognized

    This means the Active Directory module is not loaded in the current session. Confirm it is installed and then import it:

    Get-Module -ListAvailable ActiveDirectory
    Import-Module ActiveDirectory

    If the command returns nothing, the module is not installed. Enable RSAT or run Install-WindowsFeature RSAT-AD-PowerShell on Windows Server.

  • Unable to contact the server or Unable to find a default server

    This occurs because PowerShell cannot reach a DC. This usually happens on a non-domain-joined machine or when the DNS cannot resolve the domain. Specify a reachable DC explicitly with -Server.

    Get-ADOrganizationalUnit -Filter * -Server "dc01.skyy.com"

    Verify name resolution with nslookup dc01.skyy.com and confirm the Active Directory Web Services service is running on the target DC, since the AD cmdlets depend on it.

  • Access is denied when querying or deleting OUs

    The account running the query lacks read rights on the target OU or DC. Run PowerShell as a user with directory read access, or pass alternate credentials with -Credential:

    $cred = Get-Credential # e.g. SKYY\sjacobs
    Get-ADOrganizationalUnit -Filter * -Credential $cred

    For example, Mark Jacob (mjacob) may have read access to one OU subtree but not another. Scope the query to the OU he is delegated over with -SearchBase to avoid access errors on branches he cannot read.

  • Cannot delete OU; access denied despite having admin rights

    When deletion fails even for an administrator, the OU is almost always protected from accidental deletion. Clear the flag and then delete using:

    Set-ADOrganizationalUnit -Identity "OU=Sales,DC=skyy,DC=com" `
    -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity "OU=Sales,DC=skyy,DC=com"

    Nested child OUs may also be protected. The -Recursive switch does not bypass ProtectedFromAccidentalDeletion, so clear protection on every nested OU first, then use -Recursive on the removal.
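The nested-protection case from the last troubleshooting item, as an added example that is not part of the original page. It reuses the page's sample DN; the $dryRun variable and the CSV path are assumptions made for illustration, and the script only previews changes until $dryRun is set to $false.

```powershell
# Added example: clear protection across a subtree, then remove it.
# Dry run by default; set $dryRun to $false only after reviewing the -WhatIf output.
Import-Module ActiveDirectory

$target = 'OU=Sales,DC=skyy,DC=com'   # sample DN reused from the page
$dryRun = $true                       # hypothetical switch for this example

# The protection flag can be set on any object type, not only OUs, so search
# the whole subtree with Get-ADObject rather than Get-ADOrganizationalUnit.
$protected = Get-ADObject -Filter * -SearchBase $target -SearchScope Subtree `
        -Properties ProtectedFromAccidentalDeletion |
    Where-Object { $_.ProtectedFromAccidentalDeletion }

# Record what was protected so the flag can be restored if the removal
# is abandoned part-way. The output path is an assumption.
$protected | Select-Object DistinguishedName, ObjectClass |
    Export-Csv "$env:TEMP\protected-before-removal.csv" -NoTypeInformation -Encoding UTF8

foreach ($obj in $protected) {
    Set-ADObject -Identity $obj.DistinguishedName `
        -ProtectedFromAccidentalDeletion $false -WhatIf:$dryRun
}

# -Recursive removes child objects but does not override the protection flag,
# which is why the loop above has to run first. -Confirm is left at its
# default so the cmdlet still prompts in an interactive session.
Remove-ADOrganizationalUnit -Identity $target -Recursive -WhatIf:$dryRun
```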

Limitations of using ADUC and PowerShell methods

  • Requires the AD module and rights: Scripts run only where RSAT or AD DS role is available and the account has read access to the directory.
  • Every change means editing the script: Adding attributes or changing the export format requires rewriting and re-running the script, which is time-consuming.
  • Format handling is manual: Each output format needs its own logic, increasing LDAP query complexity.
  • Troubleshooting needs expertise: Debugging filters, scopes, and credentials requires solid AD and scripting knowledge.

FAQ

It retrieves an OU by its identity or searches AD to return multiple OUs, so administrators can audit structure, verify delegation, and report on OUs.

Run the command below.

Get-ADOrganizationalUnit -Filter * | Format-Table Name, DistinguishedName -AutoSize

The -Filter * value matches every OU in the domain.

Pipe the cmdlet through Select-Object to choose columns, then to Export-Csv "C:\OUs.csv" -NoTypeInformation -Encoding UTF8.

Loop through OUs and use Get-ADObject scoped to each OU's DN at OneLevel; an OU with no child objects is empty and can be cleaned up.

Query the ProtectedFromAccidentalDeletion property:

Get-ADOrganizationalUnit -Identity "OU=Sales,DC=skyy,DC=com" -Properties ProtectedFromAccidentalDeletion
