Default containers in AD

"FthrJACK" <FthrJACK.4240zb@DoNotSpam.com> wrote in message
news:FthrJACK.4240zb@DoNotSpam.com...
>
> .in which case the program isnt very well made.... which would lead me
> to ask the question "is this thing safe anywhere near my domain??"
>
> :)
>
>
> not just for aesthetics, i do this myself from time to time, but i
> still use the Container. Depending where and what its on it will either
> be named "Lost & Found" or i put non DC servers in there, redircmp all
> machines to a folder "Workstations" - depends.
>
> users is the one that is usually wanted to move though... oh and its
> not just Aesthetics, its less confusing that having "Computers"
> "computers2"
> "Workstations" "machines" etc - and some right messes ive seen.
>
> which OU/CN is that new machine in you just added via RIS/WDS?
>
> Ah well, each to their own i guess, the guy wanted to know how, and
> people where saying its not possible (as is the usual answer if you
> google) so i thought id reply with how since this thread does well on
> the google ranks.
>
>
> --
> FthrJACK

I wouldn't discount a third party app just because it hard codes something
like this.

I see what you mean about computers, computers2, etc. They that leads me to
believe that you are just creating OUs on the root, which is just how I
interpreted your post.

For example, in my installations, I don't mess with the default containers.
I create a sub-structure OU. For example, this is for a small company:

CompanyName OU
Users
Computers
Workstations
Servers
Laptops
Termed Users
Groups
Contacts
etc

Larger company with locations:

Philly OU
Users
Computers
Workstations
Servers
Laptops
Termed Users
Groups
Contacts
Seattle OU
Users
Computers
Workstations
Servers
Laptops
Termed Users
Groups
Contacts
etc

This way I can control GPO targeting as well as WSUS targeting.

To each their own, I guess. :-)

Ace

"FthrJACK" <FthrJACK.423vfa@DoNotSpam.com> wrote in message
news:FthrJACK.423vfa@DoNotSpam.com...
>
> According to Technet its fine doing this, they just dont explain how:
> http://technet.microsoft.com/en-us/l...55(WS.10).aspx
>
>
> However, i would only recomend doing it on a new domain setup, incase
> you have scripts and such that explicitly point at objects.
>

As a third party software developer, just about the only container/OU I can
depend on is the "cn=Users" container. If I need to create a service
account, for example to run my SQL Server instance, this is the best
location. During installation if I detect a domain, I create the account
there. I would need to investigate how to handle the situation where this is
renamed. Off hand, the best way I can think of is to use the well-known RID
to find the Administrator user (which is more likely to be renamed), then
find the parent container of that account. I doubt many developers would go
to the trouble.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:edFqUfFbKHA.3768@TK2MSFTNGP04.phx.gbl...
>
> "FthrJACK" <FthrJACK.423vfa@DoNotSpam.com> wrote in message
> news:FthrJACK.423vfa@DoNotSpam.com...
>>
>> According to Technet its fine doing this, they just dont explain how:
>> http://technet.microsoft.com/en-us/l...55(WS.10).aspx
>>
>>
>> However, i would only recomend doing it on a new domain setup, incase
>> you have scripts and such that explicitly point at objects.
>>
>
> As a third party software developer, just about the only container/OU I
> can depend on is the "cn=Users" container. If I need to create a service
> account, for example to run my SQL Server instance, this is the best
> location. During installation if I detect a domain, I create the account
> there. I would need to investigate how to handle the situation where this
> is renamed. Off hand, the best way I can think of is to use the well-known
> RID to find the Administrator user (which is more likely to be renamed),
> then find the parent container of that account. I doubt many developers
> would go to the trouble.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>


Or worse, if the default Administrator account was moved to an OU somewhere
else in the structure.

Ace