Get the parent OU of an AD object.

Published on 13 May 2025

Bastien Perez

Get the OU of an AD object via parsing

💡
Parsing consists of analyzing and slicing data or a character string to extract certain information, for example with string functions or regular expressions. It is typically used when you need to retrieve one specific part of a text.

In Active Directory, you often need to know the organizational unit (OU) of an object (user, computer, group). The classic approach is to parse the DistinguishedName with a regular expression (regex), which can quickly become complicated.

An example of one-line parsing for an AD object:

$ouPath = ($user = Get-ADUser -Identity bastien -Properties CN).DistinguishedName -replace [regex]::Escape("CN=$($user.CN),"), ''

# Output the OU path
$ouPath

Result:

OU=Users,OU=_Company,DC=itprotips,DC=local

This method works, but it remains fragile and difficult to understand for the uninitiated. It depends on the exact format of the DN, and can fail with complex names.

The msDS-parentdistname attribute

The msDS-parentdistname attribute is a calculated (constructed) attribute that directly contains the OU or parent container of an Active Directory object.
It is therefore possible to cleanly retrieve a user's OU without manipulating character strings.

PowerShell example

Get-ADUser bastien -Properties msDS-parentdistname | Format-List Name, DistinguishedName, 'msDS-parentdistname'

Result:

Name                : bastien
DistinguishedName   : CN=bastien,OU=Users,OU=_Company,DC=itprotips,DC=local
msDS-parentdistname : OU=Users,OU=_Company,DC=itprotips,DC=local

You can also use it for multiple objects and any type of object:

Get-ADUser -Filter * -Properties msDS-parentdistname | Select-Object SamAccountName, 'msDS-parentdistname'
Get-ADComputer -Filter * -Properties msDS-parentdistname | Select-Object SamAccountName, 'msDS-parentdistname'
# Get-ADObject and Get-ADOrganizationalUnit do not return SamAccountName by default (an OU has none), so select Name instead
Get-ADObject -Filter * -Properties msDS-parentdistname | Select-Object Name, ObjectClass, 'msDS-parentdistname'
Get-ADOrganizationalUnit -Filter * -Properties msDS-parentdistname | Select-Object Name, 'msDS-parentdistname'

Advantages over DN parsing

  • Reliability: avoids errors caused by malformed DNs or OUs containing commas.
  • Readability: clearer within a script.
  • Performance: avoids unnecessary parsing operations.

Limitations

  • The msDS-parentdistname attribute is a calculated attribute: it is only available on Windows Server 2012 R2 and higher domain controllers.
  • It is not a replicated attribute; it is calculated directly by the DC that answers the query.
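The following is an added example, not code from the original article. It shows the two points made above in one place: first, why the DN-parsing approach is fragile (a backslash-escaped comma inside a CN breaks a naive split), and second, how to prefer msDS-parentdistname while falling back to an escape-aware regex when a domain controller does not return the attribute. The function names (ConvertTo-ParentDN, Get-ParentDN) and the sample DN with "Doe\, John" are my own constructions; the AD part assumes the ActiveDirectory module is loaded and a DC is reachable.

```powershell
# Added example (not from the original article). Function names and the
# sample DN are constructed for illustration.

function ConvertTo-ParentDN {
    # Escape-aware fallback: strip only the first RDN from a DN string.
    # The group (?:[^,\\]|\\.)* consumes a backslash-escaped comma such as
    # "Doe\, John" as part of the RDN value instead of treating it as a
    # separator, then the trailing ',' matches the real separator.
    param(
        [Parameter(Mandatory)]
        [string]$DistinguishedName
    )
    return $DistinguishedName -replace '^(?:[^,\\]|\\.)*,', ''
}

function Get-ParentDN {
    # Returns the parent container DN of each piped AD object.
    # Order of preference:
    #   1. msDS-parentdistname already present on the piped object
    #   2. msDS-parentdistname fetched from the DC for that object
    #   3. escape-aware parsing of the DistinguishedName (pre-2012 R2 DCs)
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $InputObject   # an object returned by Get-ADUser/Get-ADComputer/Get-ADObject
    )
    process {
        $parent = $InputObject.'msDS-parentdistname'

        if (-not $parent) {
            # The caller may not have requested the attribute; ask the DC for it.
            $parent = (Get-ADObject -Identity $InputObject.DistinguishedName `
                -Properties 'msDS-parentdistname').'msDS-parentdistname'
        }

        if (-not $parent) {
            # Attribute not available on this DC: fall back to parsing.
            $parent = ConvertTo-ParentDN -DistinguishedName $InputObject.DistinguishedName
        }

        [pscustomobject]@{
            Name     = $InputObject.Name
            ParentDN = [string]$parent
        }
    }
}

# --- Offline demonstration of the parsing problem (no AD needed) ---
# Constructed DN whose CN contains an escaped comma.
$dn = 'CN=Doe\, John,OU=Users,OU=_Company,DC=itprotips,DC=local'

# Naive approach: split on the first comma. It cuts inside the CN and
# returns ' John,OU=Users,OU=_Company,DC=itprotips,DC=local' (wrong).
($dn -split ',', 2)[1]

# Escape-aware approach: returns 'OU=Users,OU=_Company,DC=itprotips,DC=local'.
ConvertTo-ParentDN -DistinguishedName $dn
```

Typical use against the directory: `Get-ADUser bastien | Get-ParentDN` for one object, or `Get-ADComputer -Filter * -Properties msDS-parentdistname | Get-ParentDN | Group-Object ParentDN` to get a per-OU count of computers, which is a quick way to spot machines sitting outside the OU your GPOs and delegations expect. Requesting msDS-parentdistname in the initial query avoids the extra Get-ADObject round trip per object.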

Attribute description at schema level

cn: ms-DS-Parent-Dist-Name
lDAPDisplayName: msDS-parentdistname
attributeID: 1.2.840.113556.1.4.2203
attributeSyntax: 2.5.5.1
omSyntax: 127
omObjectClass: 1.3.12.2.1011.28.0.714
isSingleValued: TRUE
schemaIdGuid: b918fe7d-971a-f404-9e21-9261abec970b
systemOnly: TRUE
searchFlags: 0
systemFlags: FLAG_ATTR_NOT_REPLICATED | FLAG_ATTR_IS_CONSTRUCTED | FLAG_ATTR_IS_OPERATIONAL | FLAG_SCHEMA_BASE_OBJECT
showInAdvancedViewOnly: TRUE
Source: [MS-ADLS], Attribute msDS-parentdistname: "This attribute specifies the distinguished name (DN) of the parent object of the current object."

Bastien Perez

Freelance Microsoft 365 - Active Directory - Modern Workplace

France