
PowerShell Set-ADOrganizationalUnit: Modify OU Properties


# PowerShell Set-ADOrganizationalUnit: Complete Guide to Modifying OUs

## Overview

The `Set-ADOrganizationalUnit` cmdlet modifies organizational unit (OU) properties in Active Directory. It is used to update descriptions, manage deletion protection, and adjust other OU attributes.

**Common Tasks:**

- Update OU descriptions
- Enable/disable deletion protection
- Change OU display names
- Modify OU properties
- Bulk update multiple OUs

**Prerequisites:**

- PowerShell 5.1 or later
- Active Directory PowerShell module
- Domain Administrator permissions, or delegated permissions on the target OU
- Target OU must exist

## Syntax

```powershell
Set-ADOrganizationalUnit [-Identity] <ADOrganizationalUnit> [-Description <string>]
    [-ProtectedFromAccidentalDeletion <bool>] [-DisplayName <string>]
```

### Key Parameters

| Parameter | Type | Description |
|-----------|------|-------------|
| `-Identity` | ADOrganizationalUnit | OU to modify |
| `-Description` | String | OU description/documentation |
| `-ProtectedFromAccidentalDeletion` | Bool | Enable/disable deletion protection |
| `-DisplayName` | String | Display name in AD |

---

## Examples

### Example 1: Update OU Description

```powershell
Set-ADOrganizationalUnit -Identity "OU=Finance,OU=Users,DC=contoso,DC=com" `
    -Description "Finance department users - managed by CFO"
```

### Example 2: Enable Deletion Protection

```powershell
Set-ADOrganizationalUnit -Identity "OU=Finance,OU=Users,DC=contoso,DC=com" `
    -ProtectedFromAccidentalDeletion $true
```

### Example 3: Disable Deletion Protection (Before Deletion)

```powershell
Set-ADOrganizationalUnit -Identity "OU=TestOU,DC=contoso,DC=com" `
    -ProtectedFromAccidentalDeletion $false

# The OU can now be deleted with Remove-ADOrganizationalUnit
```

### Example 4: Update OU Display Name

```powershell
Set-ADOrganizationalUnit -Identity "OU=Finance,OU=Users,DC=contoso,DC=com" `
    -DisplayName "Finance Department"
```

### Example 5: Bulk Update Descriptions

```powershell
Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Users,DC=contoso,DC=com" |
ForEach-Object {
    $description = "Department OU - last updated $(Get-Date -Format 'yyyy-MM-dd')"
    Set-ADOrganizationalUnit -Identity $_ -Description $description
    Write-Host "✓ Updated: $($_.Name)"
}
```

### Example 6: Update from CSV

```powershell
$csv = Import-Csv "C:\ou-updates.csv"

foreach ($item in $csv) {
    try {
        Set-ADOrganizationalUnit -Identity $item.OUPath `
            -Description $item.NewDescription `
            -ErrorAction Stop
        Write-Host "✓ Updated: $($item.OUPath)"
    }
    catch {
        Write-Host "✗ Failed: $($item.OUPath) - $($_.Exception.Message)"
    }
}
```

**CSV Format:**
```csv
OUPath,NewDescription
"OU=Finance,OU=Users,DC=contoso,DC=com","Finance department users - Contact: CFO"
"OU=IT,OU=Users,DC=contoso,DC=com","IT department staff - Contact: IT Manager"
"OU=Sales,OU=Users,DC=contoso,DC=com","Sales team users - Contact: Sales VP"
```
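
A safer variant of the CSV update, as an added example that is not part of the original page: it records each OU's previous description so the change can be rolled back, rejects blank values, and supports `-WhatIf`. The function name `Update-OUDescriptionFromCsv` and the log path are hypothetical.

```powershell
# Added example (not from the original page); function name and log path are hypothetical
function Update-OUDescriptionFromCsv {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$CsvPath,
        [string]$LogPath = ".\ou-description-changes.csv"
    )

    $results = @(foreach ($item in Import-Csv -Path $CsvPath) {
        $row = [ordered]@{
            OUPath         = $item.OUPath
            OldDescription = $null
            NewDescription = $item.NewDescription
            Status         = 'Skipped'
        }
        try {
            if ([string]::IsNullOrWhiteSpace($item.NewDescription)) {
                # Refuse blank values so a malformed row cannot wipe a description
                throw "NewDescription is blank"
            }
            # Description is not in the default property set, so request it
            $ou = Get-ADOrganizationalUnit -Identity $item.OUPath `
                -Properties Description -ErrorAction Stop
            $row.OldDescription = $ou.Description

            if ($ou.Description -eq $item.NewDescription) {
                $row.Status = 'Unchanged'
            }
            elseif ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Set Description')) {
                Set-ADOrganizationalUnit -Identity $ou `
                    -Description $item.NewDescription -ErrorAction Stop
                $row.Status = 'Updated'
            }
        }
        catch {
            $row.Status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    })

    # Always write the log, even under -WhatIf, so the preview can be reviewed
    $results | Export-Csv -Path $LogPath -NoTypeInformation -WhatIf:$false
    $results
}

# Preview first; rerun without -WhatIf to apply
Update-OUDescriptionFromCsv -CsvPath "C:\ou-updates.csv" -WhatIf
```

The `OldDescription` column in the log can be fed back through the same function to restore the previous values.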

### Example 7: Enable Protection on All OUs

```powershell
Get-ADOrganizationalUnit -Filter * |
ForEach-Object {
    Set-ADOrganizationalUnit -Identity $_ `
        -ProtectedFromAccidentalDeletion $true
    Write-Host "✓ Protected: $($_.Name)"
}
```
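
A more targeted form of this task, as an added example that is not part of the original page: it finds only the OUs that currently lack deletion protection, writes them to a report before changing anything, and supports `-WhatIf`. The function name `Protect-UnprotectedOU` and the report path are hypothetical.

```powershell
# Added example (not from the original page); function name and report path are hypothetical
function Protect-UnprotectedOU {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional subtree to limit the scan; defaults to the whole domain
        [string]$SearchBase,
        [string]$ReportPath = ".\unprotected-ous.csv"
    )

    $query = @{
        Filter     = '*'
        Properties = 'ProtectedFromAccidentalDeletion'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    # ProtectedFromAccidentalDeletion is only returned when requested
    $unprotected = @(Get-ADOrganizationalUnit @query |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion })

    # Record what was found before changing anything, even under -WhatIf
    $unprotected |
        Select-Object Name, DistinguishedName |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    foreach ($ou in $unprotected) {
        if ($PSCmdlet.ShouldProcess($ou.DistinguishedName, 'Enable deletion protection')) {
            try {
                Set-ADOrganizationalUnit -Identity $ou `
                    -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
            }
            catch {
                Write-Warning "Failed: $($ou.DistinguishedName) - $($_.Exception.Message)"
            }
        }
    }

    # Return the OUs that needed remediation
    $unprotected | Select-Object Name, DistinguishedName
}

# Preview only: lists what would change without modifying AD
Protect-UnprotectedOU -SearchBase "OU=Users,DC=contoso,DC=com" -WhatIf
```

Running the function again after remediation should return an empty list; any OU that still appears is one where the change failed.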

### Example 8: Add Contact Information to Descriptions

```powershell
function Update-OUDescription {
    param(
        [string]$OUPath,
        [string]$Manager,
        [string]$Email,
        [string]$Purpose
    )

    $description = "Purpose: $Purpose | Manager: $Manager | Email: $Email"
    Set-ADOrganizationalUnit -Identity $OUPath -Description $description
}

# Usage
Update-OUDescription `
    -OUPath "OU=Finance,OU=Users,DC=contoso,DC=com" `
    -Manager "Jane Smith" `
    -Email "jane@contoso.com" `
    -Purpose "Finance department users"
```

### Example 9: Update OUs by Search Pattern

```powershell
# Update all OUs containing "temp" in name
Get-ADOrganizationalUnit -Filter "Name -like '*Temp*'" |
ForEach-Object {
    Set-ADOrganizationalUnit -Identity $_ `
        -Description "Temporary organizational unit - scheduled for removal"
    Write-Host "✓ Updated: $($_.Name)"
}
```

### Example 10: Audit Trail in Description

```powershell
function Add-AuditDescription {
    param(
        [string]$OUPath,
        [string]$ChangeReason
    )

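    # Description is not returned by default; request it so the existing text is preserved
    $ou = Get-ADOrganizationalUnit -Identity $OUPath -Properties Description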
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm"
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    $newDescription = "$($ou.Description)`nModified: $timestamp by $user`nReason: $ChangeReason"

    Set-ADOrganizationalUnit -Identity $OUPath -Description $newDescription
}

# Usage
Add-AuditDescription `
    -OUPath "OU=Finance,OU=Users,DC=contoso,DC=com" `
    -ChangeReason "Updated after company restructuring"
```

---

## Best Practices

✅ **Maintain Clear Descriptions**
- Include purpose of OU
- Add contact information
- Document changes with timestamps

✅ **Enable Deletion Protection**
- Protect all permanent OUs
- Document before disabling for deletion
- Use audit descriptions

✅ **Document Changes**
- Track modifications
- Include reason for changes
- Keep audit trail in description

✅ **Consistency**
- Use consistent description format
- Standard naming and documentation
- Regular review and updates

---

## Troubleshooting

### Problem: "OU Not Found"

```powershell
# Verify OU exists
Get-ADOrganizationalUnit -Filter "Name -eq 'Finance'"

# Use correct distinguished name
Get-ADOrganizationalUnit -Identity "OU=Finance,OU=Users,DC=contoso,DC=com"
```

### Problem: "Access Denied"

```powershell
# Requires Domain Admins membership; check the current account's groups
whoami /groups | Select-String -SimpleMatch "Domain Admins"

# Or delegated permissions on the OU
```

### Problem: Cannot Modify Protected OU

```powershell
# Deletion protection blocks deleting or moving the OU while it is enabled
# Disable protection first if making major changes such as a move or removal
```

---

## FAQs

### Q: Can I rename an OU with Set-ADOrganizationalUnit?
A: No, use `Rename-ADObject` instead for the Name attribute.

### Q: What attributes can I modify?
A: Description, DisplayName, ProtectedFromAccidentalDeletion, and other standard AD properties.

### Q: How do I see current OU properties?
A: Use `Get-ADOrganizationalUnit -Identity "OU=..." -Properties *`

### Q: Can I modify OUs in other domains?
A: No, you must use forest- or domain-specific contexts.

---

## Related Commands

- **[Get-ADOrganizationalUnit](/powershell-get-adorganizationalunit)** - Query OUs
- **[New-ADOrganizationalUnit](/powershell-new-adorganizationalunit)** - Create OUs
- **[Remove-ADOrganizationalUnit](/powershell-remove-adorganizationalunit)** - Delete OUs
- **Rename-ADObject** - Rename OUs

---

## See Also

- **[Active Directory OU Overview](/active-directory-ou)** - OU concepts
- **[PowerShell Get-ADOrganizationalUnit](/powershell-get-adorganizationalunit)** - Query OUs

---

**Last Updated:** February 6, 2026
**Difficulty Level:** Intermediate
**Reading Time:** 7 minutes