#1
Default containers in AD

Is it possible to change the default containers in AD?
We want to put nested OUs under the Computers and Users containers and link GPs to them, unfortunately obviously we can't currently because they're not OUs.

How do most organisations get around this?
It was suggested that we create a new OU called "Workstations" and one called "User" and nest groups under there, but then we've got two containers doing nothing?...

Thanks in advance

#2
Re: Default containers in AD

Serrix,

My suggestion is to just leave the default containers as they are. Most organisations, especially the ones I have worked for, just create different OUs and move accounts/computers from the default builtin containers to where we want and apply GPOs. For example we have XPWorksations (nested Laptops, Desktop), VistaWorksations, W2K3Servers, UserAccts (nested HighSecurity, HelpDesk, etc).

The default Computer containers are just there as defaults; if you create a new object without specifying an OU then it goes to the default user or computer container, depending on the object you created.

Hope this helps

Isaac

#3
Re: Default containers in AD

Most organizations I'm familiar with simply don't use them for newly created accounts (for the reason you mentioned below) - especially considering that starting with Windows 2003 Functional Level you can redirect those to an arbitrary OU...
Refer to http://technet.microsoft.com/en-us/l.../cc785903.aspx for main factor to consider when designing your custom OU hierarchy...

hth
Marcin

"Serrix" <Serrix.3hr5na@DoNotSpam.com> wrote in message news:Serrix.3hr5na@DoNotSpam.com...
>
> Is it possible to change the default containers in AD?
> We want to put nested OUs under the Computers and Users containers and
> link GPs to them, unfortunately obviously we can't currently because
> they're not OUs.
>
> How do most organisations get around this?
> It was suggested that we create a new OU called "Workstations" and one
> called "User" and nest groups under there, but then we've got two
> containers doing nothing?...
>
> Thanks in advance
>
> --
> Serrix

#4
Re: Default containers in AD

Serrix,

Serrix wrote:
> Is it possible to change the default containers in AD?
> We want to put nested OUs under the Computers and Users containers and
> link GPs to them, unfortunately obviously we can't currently because
> they're not OUs.
>
> How do most organisations get around this?
> It was suggested that we create a new OU called "Workstations" and one
> called "User" and nest groups under there, but then we've got two
> containers doing nothing?...

As others have already mentioned, there's nothing you can do with the built-in containers. Create your OU structure directly under the domain root, that's what you can do - and that's what I've seen all people doing so far.

For the user and machine propagation to the corresponding OUs, you need to develop some procedure, either a step-by-step guide for people responsible for user creation or some technical mechanism like redircmp and redirusr (WinServer 2003-only) that redirect newly created users and computers to defined OUs.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

#5
Re: Default containers in AD

Hello Serrix,

Leave the default setup and create your own OU structure for your needs. Also you should not change the Default domain policy and the Default domain controllers policy; create your own ones, so you can revert them easily if you have problems. Do not move the DC's out of the DC's OU.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Is it possible to change the default containers in AD?
> We want to put nested OUs under the Computers and Users containers and
> link GPs to them, unfortunately obviously we can't currently because
> they're not OUs.
> How do most organisations get around this?
> It was suggested that we create a new OU called "Workstations" and one
> called "User" and nest groups under there, but then we've got two
> containers doing nothing?...
> Thanks in advance

#6
Re: Default containers in AD

Hello Serrix,

We have our own defined OUs and have modified the destination point once the object (computer or user) is created. Not a big deal, and organizations are beginning to do this more often (at least from what I have seen).

We leave the original containers alone and they are empty; the new defaults go to a special holding container with applied group policies against them. It is up to PC support once the objects are created to move them to the proper OU (Laptop, desktop, etc...) within the proper department.

Check out http://technet.microsoft.com/en-us/l.../bb878028.aspx

Look for the two executables, to help you with this:
redircmp
redirusr

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

> Is it possible to change the default containers in AD?
> We want to put nested OUs under the Computers and Users containers and
> link GPs to them, unfortunately obviously we can't currently because
> they're not OUs.
> How do most organisations get around this?
> It was suggested that we create a new OU called "Workstations" and one
> called "User" and nest groups under there, but then we've got two
> containers doing nothing?...
> Thanks in advance

#7
Re: Default containers in AD

you can redirect with tools available in the OS...
BUT.... why don't you create your own OU structure and use that?

in addition, if you want to put computers in the correct OU, you can use NETDOM on the client to put it in the correct OU right away

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* How to ask a question --> http://support.microsoft.com/?id=555375
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

"Serrix" <Serrix.3hr5na@DoNotSpam.com> wrote in message news:Serrix.3hr5na@DoNotSpam.com...
>
> Is it possible to change the default containers in AD?
> We want to put nested OUs under the Computers and Users containers and
> link GPs to them, unfortunately obviously we can't currently because
> they're not OUs.
>
> How do most organisations get around this?
> It was suggested that we create a new OU called "Workstations" and one
> called "User" and nest groups under there, but then we've got two
> containers doing nothing?...
>
> Thanks in advance
>
> --
> Serrix

#8
Re: Default containers in AD

Thanks everyone, it's been very helpful and I'm going to work through those links and discuss this with the other technician.

It's great to have a direct answer though, cheers!

#9
Re: Default containers in AD

Bit of an old thread but, since this thread ranks on Google...

if you redirect where users and computers go by default using redirusr and redircmp then YES you can rename the default "Users" and "Computers" containers in Active Directory.

on the DC open command prompt and redirect your folders:

redirusr ou=yournewOUname,dc=yourdomainname,dc=domainsuffix
(redirusr ou=Staff,dc=Contosso,dc=local)

redircmp ou=yournewOUname,dc=yourdomainname,dc=domainsuffix
(redircmp ou=Workstations,dc=Contosso,dc=local)

If you now refresh the Active Directory tree in the MMC, or close and re-open the MMC, you can right click on the Containers for "Users" and "Computers" and you will notice the option to rename them is available.

You must not delete these folders.

Renaming them is ok though. Hope this helps :)

#10
Re: Default containers in AD

Hello FthrJACK,

Do not change some of the default containers. If for whatever reason your redirection to another OU doesn't work you can not use the default mechanism.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Bit of an old thread but, since this thread ranks on google...
>
> if you redirect where users and computers go by default using redirusr
> and redircmp then YES you can rename the default "Users" and
> "Computers" containers in Active Directory.
>
> on the DC open command prompt and redirect your folders:
>
> redirusr ou=yournewOUname,dc=yourdomainname,dc=domainsuffix
> (redirusr ou=staff,dc=contosso,dc=local)
>
> redircmp ou=yournewOUname,dc=yourdomainname,dc=domainsuffix
> (redircmp ou=workstations,dc=contosso,dc=local)
>
> If you now refresh the Active Directory tree in the MMC, or close and
> re-open the MMC, you can right click on the Containers for "Users" and
> "Computers" and you will notice the option to rename them is
> available.
>
> YOU MUST NOT DELETE THESE FOLDERS.
>
> Renaming them is ok though. Hope this helps :)

#11
Re: Default containers in AD

According to Technet it's fine doing this, they just don't explain how:
http://technet.microsoft.com/en-us/l...55(WS.10).aspx

However, I would only recommend doing it on a new domain setup, in case you have scripts and such that explicitly point at objects.

#12
Re: Default containers in AD

"FthrJACK" <FthrJACK.423vfa@DoNotSpam.com> wrote in message news:FthrJACK.423vfa@DoNotSpam.com...
>
> According to Technet its fine doing this, they just dont explain how:
> http://technet.microsoft.com/en-us/l...55(WS.10).aspx
>
> However, i would only recomend doing it on a new domain setup, incase
> you have scripts and such that explicitly point at objects.
>
> FthrJACK

IMHO, I really don't see the point in renaming it. I can understand redirection, but renaming it? For aesthetics?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

#13
Re: Default containers in AD

Howdie!

FthrJACK wrote:
> According to Technet its fine doing this, they just dont explain how:
> http://technet.microsoft.com/en-us/l...55(WS.10).aspx
>
> However, i would only recomend doing it on a new domain setup, incase
> you have scripts and such that explicitly point at objects.

Yeah - you technically can do that. Microsoft does reference them using the GUID that doesn't change on container rename. The question is whether third party apps break if you rename the built-in folders.

Cheers,
Florian
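
Added example, not part of any post in this thread: the GUID-based lookup Florian mentions above, and the effect of the redirusr/redircmp redirection from post #9, can both be checked by reading the `wellKnownObjects` attribute on the domain root. The function name `Resolve-DefaultContainer` and the sample values are constructed for illustration (the domain DN reuses the thread's example); the live query in the trailing comment assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Well-known GUIDs that identify the default containers regardless of their name.
$WellKnownGuid = @{
    Users     = 'A9D1CA15768811D1ADED00C04FD8D5CD'
    Computers = 'AA312825768811D1ADED00C04FD8D5CD'
}

function Resolve-DefaultContainer {
    # Hypothetical helper: maps wellKnownObjects values to the current default containers.
    param(
        [Parameter(Mandatory)] [string[]] $WellKnownObjects,
        [Parameter(Mandatory)] [string]   $DomainDN
    )
    foreach ($kind in 'Users', 'Computers') {
        # Each value has the form B:32:<GUID as 32 hex characters>:<distinguished name>
        $pattern = '^B:32:' + $WellKnownGuid[$kind] + ':(?<dn>.+)$'
        foreach ($value in $WellKnownObjects) {
            if ($value -match $pattern) {
                $dn = $Matches['dn']
                [pscustomobject]@{
                    Kind        = $kind
                    CurrentDN   = $dn
                    # True when new objects no longer land in CN=Users / CN=Computers
                    Redirected  = $dn -ne "CN=$kind,$DomainDN"
                    # GPOs can be linked to OUs, not to plain containers
                    GpoLinkable = $dn -match '^OU='
                }
            }
        }
    }
}

# Constructed sample: values as they would look after the redirection in post #9.
$domainDN = 'DC=Contosso,DC=local'
$sample = @(
    "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=Staff,$domainDN"
    "B:32:AA312825768811D1ADED00C04FD8D5CD:OU=Workstations,$domainDN"
    "B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,$domainDN"
)
Resolve-DefaultContainer -WellKnownObjects $sample -DomainDN $domainDN |
    Format-Table -AutoSize

# Against a live domain:
# $d   = Get-ADDomain
# $wko = (Get-ADObject $d.DistinguishedName -Properties wellKnownObjects).wellKnownObjects
# Resolve-DefaultContainer -WellKnownObjects $wko -DomainDN $d.DistinguishedName
```

Scripts that locate the default containers this way keep working after a rename or redirection, which is the hard-coded-name problem raised in the surrounding posts.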

#14
Re: Default containers in AD

"Florian Frommherz [MVP]" <florian@frickelsoft.net> wrote in message news:%231PszHEbKHA.4780@TK2MSFTNGP04.phx.gbl...
> Howdie!
>
> FthrJACK wrote:
>> According to Technet its fine doing this, they just dont explain how:
>> http://technet.microsoft.com/en-us/l...55(WS.10).aspx
>>
>> However, i would only recomend doing it on a new domain setup, incase
>> you have scripts and such that explicitly point at objects.
>
> Yeah - you technically can do that. Microsoft does reference them using
> the GUID that don't change on container rename. The question is whether
> third party apps break if you rename the built-in folders.
>
> Cheers,
> Florian

Good point. Some third party apps may have the default container names hard coded.

Ace

#15
Re: Default containers in AD

..in which case the program isn't very well made.... which would lead me to ask the question "is this thing safe anywhere near my domain??" :)

not just for aesthetics, I do this myself from time to time, but I still use the Container. Depending where and what it's on it will either be named "Lost & Found" or I put non DC servers in there, redircmp all machines to a folder "Workstations" - depends.

users is the one that is usually wanted to move though...

oh and it's not just aesthetics, it's less confusing than having "Computers" "computers2" "Workstations" "machines" etc - and some right messes I've seen. which OU/CN is that new machine in you just added via RIS/WDS?

Ah well, each to their own I guess, the guy wanted to know how, and people were saying it's not possible (as is the usual answer if you google) so I thought I'd reply with how since this thread does well on the Google ranks.