Query Details
# Active Directory - User or Device object OU moves

## Query Information

### Description

Use the query below to find Active Directory User or Device Object OU moves.

#### References

### Microsoft Defender XDR

```kql
IdentityDirectoryEvents
| where ActionType == @"Account Path changed"
| extend FROMAccountPath = parse_json(AdditionalFields)["FROM Account Path"]
| extend TOAccountPath = parse_json(AdditionalFields)["TO Account Path"]
| project Timestamp, TargetAccountUpn, TargetDeviceName, FROMAccountPath, TOAccountPath
```
This query is designed to identify when a user or device object in Active Directory has been moved from one Organizational Unit (OU) to another. Here's a simple breakdown of what the query does:

- Data Source: It looks at events from IdentityDirectoryEvents, which contains information about changes in Active Directory.
- Filter: It specifically filters for events where the action type is "Account Path changed", indicating that an account's location within the directory structure has been altered.
- Extract Information: It derives FROMAccountPath and TOAccountPath by parsing the additional fields in the event data.
- Output: The query then selects and displays the following information:
  - Timestamp: When the change occurred.
  - TargetAccountUpn: The user principal name of the account that was moved.
  - TargetDeviceName: The name of the device associated with the account, if applicable.
  - FROMAccountPath: The original path of the account in Active Directory.
  - TOAccountPath: The new path of the account in Active Directory.

This query helps administrators track and audit changes to the structure of their Active Directory by showing when and where user or device objects have been moved.
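The following Python snippet is an added example, not part of the original page or of the author's query repository. It mirrors the KQL above outside of Defender XDR: filter on `ActionType == "Account Path changed"`, parse `AdditionalFields`, and project the same five columns. It runs over a handful of constructed `IdentityDirectoryEvents`-shaped rows (the account paths, UPNs and device names are invented sample values, and the `domain/OU/...` path format is an assumption), and adds one step the query does not have: `moves_into` narrows the result to moves whose destination lies under a container you want to watch, which is the usual follow-up once the raw list of moves is in hand.

```python
import json

# Constructed sample rows shaped like IdentityDirectoryEvents (not real telemetry).
# AdditionalFields is a JSON string, as it is in the advanced hunting schema.
SAMPLE_EVENTS = [
    {   # user object moved between OUs
        "Timestamp": "2025-05-19T10:15:00Z",
        "ActionType": "Account Path changed",
        "TargetAccountUpn": "jdoe@contoso.example",
        "TargetDeviceName": "",
        "AdditionalFields": json.dumps({
            "FROM Account Path": "contoso.example/Users/Sales",
            "TO Account Path": "contoso.example/Admins/Tier0",
        }),
    },
    {   # unrelated action type; must be filtered out
        "Timestamp": "2025-05-19T10:16:00Z",
        "ActionType": "Account Password changed",
        "TargetAccountUpn": "jdoe@contoso.example",
        "TargetDeviceName": "",
        "AdditionalFields": json.dumps({}),
    },
    {   # device object moved between OUs
        "Timestamp": "2025-05-19T10:20:00Z",
        "ActionType": "Account Path changed",
        "TargetAccountUpn": "",
        "TargetDeviceName": "WS-0421",
        "AdditionalFields": json.dumps({
            "FROM Account Path": "contoso.example/Computers/Workstations",
            "TO Account Path": "contoso.example/Computers/Kiosks",
        }),
    },
    {   # matching action type but unparseable AdditionalFields (edge case)
        "Timestamp": "2025-05-19T10:25:00Z",
        "ActionType": "Account Path changed",
        "TargetAccountUpn": "svc-backup@contoso.example",
        "TargetDeviceName": "",
        "AdditionalFields": "not json",
    },
]


def parse_additional_fields(raw):
    """Emulate KQL parse_json(): a dict passes through, a JSON string is
    decoded, and anything unparseable yields an empty mapping so the later
    key lookups return None (KQL would return null) instead of raising."""
    if isinstance(raw, dict):
        return raw
    try:
        parsed = json.loads(raw or "")
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def account_path_changes(events):
    """Python equivalent of the page's KQL: where / extend / project."""
    rows = []
    for event in events:
        if event.get("ActionType") != "Account Path changed":
            continue
        fields = parse_additional_fields(event.get("AdditionalFields"))
        rows.append({
            "Timestamp": event.get("Timestamp"),
            "TargetAccountUpn": event.get("TargetAccountUpn"),
            "TargetDeviceName": event.get("TargetDeviceName"),
            "FROMAccountPath": fields.get("FROM Account Path"),
            "TOAccountPath": fields.get("TO Account Path"),
        })
    return rows


def moves_into(rows, container):
    """Keep only moves whose destination is the given container or a child of
    it. Assumes the 'domain/OU/.../OU' path format shown in SAMPLE_EVENTS;
    rows with no TOAccountPath (malformed AdditionalFields) never match."""
    prefix = container.rstrip("/") + "/"
    return [
        r for r in rows
        if r["TOAccountPath"] is not None
        and (r["TOAccountPath"] == container or r["TOAccountPath"].startswith(prefix))
    ]


if __name__ == "__main__":
    moves = account_path_changes(SAMPLE_EVENTS)
    for r in moves:
        who = r["TargetAccountUpn"] or r["TargetDeviceName"]
        print(f"{r['Timestamp']} {who}: {r['FROMAccountPath']} -> {r['TOAccountPath']}")
    print("moved under Admins:",
          [r["TargetAccountUpn"] for r in moves_into(moves, "contoso.example/Admins")])
```

The one behavioural difference from the query to keep in mind is the last sample row: `parse_json` on a non-JSON string does not fail in KQL, so the event still appears in the output with empty paths, and the Python keeps the same behaviour rather than dropping the row silently.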

Alex Verboon
Released: May 19, 2025