How to Easily Get the Root OU of an Active Directory User with PowerShell

While working on a PowerShell script to update some list items in SharePoint, I first had to get some properties from the user account in Active Directory. The end goal was to update a managed metadata field, choosing terms based on the root OU that the user resided in within Active Directory. I’ve seen folks on the interwebs ask for this, but most folks just gave the parent OU using some complex LDAP query. I found an easier way to do this with PowerShell and wanted to share. The AD structure was like this:

    • 01-Corp
      • Information Technology
        • user accounts
    • 02-Finance
      • sub OUs
        • user accounts
    • 03-Media
      • sub OUs
        • user accounts

In the SharePoint taxonomy, there is a term set structure like this:

  • Term Set (Divisions)
    • Corporate
    • Finance
    • Media

If the user’s root parent OU was 01-Corp, we needed to choose the Corporate taxonomy term to set in the site column. Let’s take a look at what we have to work with. To run the AD commands, you have to install the AD PowerShell module on the server, then in the PowerShell script you have to load the module by running:

import-module activedirectory

Ok that’s done, let’s look at what properties we have to figure out the OU. Run the following:

$Username = "bob.kelly"  # this is the sAMAccountName, or login name
$ADuser = Get-ADUser -Identity $Username -Properties *

This will give you a very big list, showing every property and value for the given user account. There are a couple of ways we can get the data we need. At first I was going to use the DistinguishedName property, which looks like:

CN=Bob Kelly,OU=Information Technology,OU=01-Corp,DC=contoso,DC=com

So then you could do a check for that like:

if ($ADuser.DistinguishedName -match "01-Corp") {
    # <do some stuff>
}

Ok, easy enough, but I needed to be sure that the user’s root parent OU was something specific (a -match on the full DistinguishedName is a substring/regex match, so it would also hit an OU further down the tree whose name merely contains "01-Corp"). Looking through the properties, I found CanonicalName. It had the format: Technology/Bob Kelly

Ok cool I can work with that. Now we can do the following:

$UserOU = $ADuser.CanonicalName.ToString().Split('/')[1]

So what we’re doing is converting the CanonicalName property to a string, splitting that string at every forward slash, and taking the second element of the resulting array (index 1). The first element (index 0) is the domain name, so index 1 is always the root OU. If we look at the value of $UserOU, we get exactly what we want:


Sweet! Now we can pass that into our logic to get a text value that matches the taxonomy name from the root OU name of 01-Corp. This also allows us to only perform operations if the user is in one of the 3 root OUs we want:

$UserOU = $ADuser.CanonicalName.ToString().Split('/')[1]
Write-Host "retrieved valid username from AD as" $ADuser.Name "with OU as" $UserOU -ForegroundColor Green
if ($UserOU -match "01-Corp") {
    $OU = "Corporate"
}
elseif ($UserOU -match "02-Finance") {
    $OU = "Finance and Accounting"
}
elseif ($UserOU -match "03-Media") {
    $OU = "Media Communications"
}
else {
    Write-Host "Account for" $ADuser.CN "is not in valid root AD OU" -ForegroundColor Red
}

From there I use $OU to then compare to the taxonomy and proceed.
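Pulling the whole procedure together (load the module, fetch the user, split CanonicalName, map the root OU to a taxonomy term), here is an added example of my own rather than code from the original post. It assumes the ActiveDirectory module is installed and the caller can read the user object; the function names, the $RootOuToTerm table and the sample canonical name are constructed for illustration (the sample is built from the example DN above). It goes slightly beyond the post by comparing the root OU exactly with a lookup table instead of -match, handling a missing user, and guarding against an object that sits directly under the domain with no OU at all.

```powershell
# Added example (not from the original post): map a user's root OU to a
# taxonomy term from CanonicalName, with exact matching and error handling.
# Assumes the ActiveDirectory module is installed and the account running
# this can read the user object. Table mirrors the post's OU-to-term mapping.

Import-Module ActiveDirectory

# Root OU name -> taxonomy term. Keys are looked up exactly (PowerShell
# hashtable literals are case-insensitive), not as a regex/substring, so an
# OU named e.g. "01-Corp-Archive" is not mistaken for "01-Corp".
$RootOuToTerm = @{
    '01-Corp'    = 'Corporate'
    '02-Finance' = 'Finance and Accounting'
    '03-Media'   = 'Media Communications'
}

function Get-RootOuFromCanonicalName {
    param([Parameter(Mandatory)][string]$CanonicalName)
    # CanonicalName is "domain/OU/sub-OU/.../CN": element 0 is the domain,
    # element 1 is the root OU. An object directly under the domain has only
    # two elements, and index 1 would then be the CN, so return $null instead.
    $parts = $CanonicalName.Split('/')
    if ($parts.Count -lt 3) { return $null }
    return $parts[1]
}

function Get-TaxonomyTermForUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    try {
        # Ask only for the one extra property we need instead of -Properties *
        $user = Get-ADUser -Identity $SamAccountName -Properties CanonicalName
    }
    catch {
        Write-Warning "Could not find AD user '$SamAccountName': $_"
        return $null
    }
    $rootOu = Get-RootOuFromCanonicalName -CanonicalName $user.CanonicalName
    if ($null -eq $rootOu -or -not $RootOuToTerm.ContainsKey($rootOu)) {
        Write-Warning "Account '$($user.Name)' is not in a valid root AD OU (found '$rootOu')"
        return $null
    }
    Write-Host "retrieved" $user.Name "with root OU" $rootOu -ForegroundColor Green
    return $RootOuToTerm[$rootOu]
}

# Offline check of the parsing logic on a constructed canonical name that
# corresponds to the post's example DN (no AD connection needed here):
$sample   = 'contoso.com/01-Corp/Information Technology/Bob Kelly'
$sampleOu = Get-RootOuFromCanonicalName -CanonicalName $sample
Write-Host "Root OU of sample: $sampleOu -> $($RootOuToTerm[$sampleOu])"   # 01-Corp -> Corporate

# Live lookup against AD (requires the module and a reachable domain):
# $OU = Get-TaxonomyTermForUser -SamAccountName 'bob.kelly'
```

The returned $OU value (or $null when the user is missing or outside the three root OUs) can then be compared to the taxonomy exactly as described above; callers should treat $null as "skip this account" rather than falling through to the update.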

For more information on C5 Insight or this blog entry, please Contact Us.