"Users" and "Computers" objects are not OUs

  #1  
Old 11-02-2010
Jon L
 
Posts: n/a
"Users" and "Computers" objects are not OUs

I'm providing support to a client using Windows Server 2003 R2 on two DCs.

I find that the "Users" object in AD is not an OU but simply a container.
The network seems to function okay but I am unable to apply group policies to
these objects. (GPMC only shows OUs) I am also unable to delete or rename
these, unlike OUs. The client has no recollection of when or how this might
have happened.

Is there a documented/safe way to fix this, either to change these from
containers into OUs, or to delete them and recreate them as OUs.

Thanks.
Jon
  #2  
Old 11-02-2010
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: "Users" and "Computers" objects are not OUs

Hello Jon,

The containers will not work with GPOs, that's normal, only the domain password
policy will apply to the machines inside them.

The Users and Computers containers are not to be renamed, as they are needed by
the system. For your needs, configure your own OU structure and move/create
all domain user/computer accounts and security groups inside that.

This way you also have to apply the needed GPOs in the domain.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


  #3  
Old 11-02-2010
Florian Frommherz [MVP]
 
Posts: n/a
Re: "Users" and "Computers" objects are not OUs

Howdie!

Jon L wrote:
> I find that the "Users" object in AD is not an OU but simply a container.
> The network seems to function okay but I am unable to apply group policies to
> these objects. (GPMC only shows OUs) I am also unable to delete or rename
> these, unlike OUs. The client has no recollection of when or how this might
> have happened.


This is by default. You should not rename/delete the built-in Users and
Computers containers but create your own OUs and build up a structure
you can use delegation and group policy with. Those containers are built
during DCpromo.

> Is there a documented/safe way to fix this, either to change these from
> containers into OUs, or to delete them and recreate them as OUs.


Don't mess with them. Create your own OUs and then move your users and
machines in there.

Cheers,
Florian
  #4  
Old 11-02-2010
Paul Bergson [MVP-DS]
 
Posts: n/a
Re: "Users" and "Computers" objects are not OUs

You cannot change them to OU's, you have to create and use new OU's. Once
these new OU's are created you can then redirect the creation of new objects
to these OU's.

http://support.microsoft.com/kb/324949



--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

  #5  
Old 12-02-2010
Richard Mueller [MVP]
 
Posts: n/a
Re: "Users" and "Computers" objects are not OUs




Only the domain policy will apply to objects in containers. Many default
objects, like the Administrator and Guest users and the "Domain Users"
group, are in cn=Users, and they can remain there. Your own objects are best
placed in your own OU's.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


  #6  
Old 12-02-2010
Ace Fekay [MVP-DS, MCT]
 
Posts: n/a
Re: "Users" and "Computers" objects are not OUs




As stated, and I have to state as well, this is by default. Create and
organize your user and other objects with OUs. For example, here are some
guidelines in creating an OU structure to reflect an organization:

==================================================================
==================================================================
Group Policy Objects (GPOs) Design Considerations and Guidelines

It's suggested and recommended to not change the Default Domain Policy.
Keep in mind, whatever you set at the domain level will flow downhill to
everything. I would suggest to design your OU structure to reflect your
organization and/or departments, which will also help you create GPOs for
the OU design.

For example, for a company with more than one location/site, I would suggest
the following:

Domain
......Philly OU
...............Accounting
...............Sales
...............Marketing
...............Desktop
...............Users
...............Laptops
......Seattle OU
...............Accounting
...............Sales
...............Marketing
...............Desktops
...............Users
...............Laptops

I separated Laptops and Desktops because I have two different Windows Update
GPOs set. The Desktop Windows Update GPO I created runs at 3:00 AM, whereas
the Laptop Updates run at 3:30 PM while the users have the laptops in the
office. This design also allows me to create GPOs for the different offices,
or I can create one and link them to both offices. The design possibilities
are endless, especially if you control flow with Block Inheritance,
Loopback, WMI filtering, disabling the Computer or User portion of a GPO,
etc, however in many cases I do not use these features because trying to
support them 8 months later when there's a problem it is difficult to
remember what you had blocked, etc. Yes, you can use RSOP to look at what is
being applied, etc, but I find it easier to simply create another OU or a
child OU to have a different setting than the parent, such as the following,
where I created a GPO to lock the desktop with two different time settings.
The Desktops OU has a 30 minute setting, but I created a 15 Minute Timeout
OU directly beneath it. Because the identical setting is different on the
child, it overrides the parent's setting. I can simply "look" at my OUs and
know what I have applied.

......Seattle OU
...............Accounting
...............Sales
...............Marketing
...............Desktops
.....................15 Minute Timeout OU
...............Users
...............Laptops

These are just suggestions, and you may find that it may work for you, or
not. Even in a single site, I still do it this way, because it is flexible.
You never know when the customer or your company may expand. If they do,
simply create another OU for the new location.

Here's a basic visual of how GPOs work, and how it would flow downhill.
http://www.fekay.com/supportblogs/gpoflow.jpg

Design Considerations for Organizational Unit Structure and Use of Group
Policy Objects
http://technet.microsoft.com/en-us/l.../cc785903.aspx

TechNet Magazine: Group Policy
http://technet.microsoft.com/en-us/m.../cc135925.aspx

Group Policy and Advanced Group Policy Management
http://technet.microsoft.com/en-us/w...y/default.aspx

Win2k3 AD OU/GPO Design Discussion
http://www.tomshardware.com/forum/19...ign-discussion

AD Scalability and GPOs
http://technet.microsoft.com/en-us/l.../cc756101.aspx
==================================================================
==================================================================

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.
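
An added example, not from any poster in the thread: a PowerShell check that shows where new user and computer accounts land by default and which accounts sit directly in a container that OU-linked GPOs cannot reach, followed by the redirection from KB 324949 that Paul Bergson's reply points to. The OU names and the `$applyRedirect` switch are assumptions, and it is assumed to run on a domain-joined machine with rights to read the directory.

```powershell
# Added example. The OU names are placeholders, not values from the thread.
$userOU     = 'OU=Users,OU=Seattle'     # hypothetical OU for new user accounts
$computerOU = 'OU=Desktops,OU=Seattle'  # hypothetical OU for new computer accounts
$applyRedirect = $false                 # set to $true only after both OUs exist

$domainDN = [string]([adsi]'LDAP://RootDSE').defaultNamingContext

# Well-known GUIDs that AD resolves to the default Users / Computers location.
$wellKnown = @{
    Users     = 'a9d1ca15768811d1aded00c04fd8d5cd'
    Computers = 'aa312825768811d1aded00c04fd8d5cd'
}

function Get-DefaultLocation([string]$Guid) {
    # Binding by WKGUID returns wherever new accounts currently land.
    $entry = [adsi]"LDAP://<WKGUID=$Guid,$domainDN>"
    New-Object psobject -Property @{
        DN    = [string]$entry.distinguishedName
        Class = $entry.psbase.SchemaClassName   # container or organizationalUnit
    }
}

function Get-AccountsDirectlyIn([string]$ContainerDN) {
    # Users, computers and groups one level below the container, skipping
    # objects flagged isCriticalSystemObject (built-in defaults such as Administrator).
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [adsi]"LDAP://$ContainerDN"
    $s.SearchScope = 'OneLevel'
    $s.PageSize    = 500
    $s.Filter = '(&(|(objectClass=user)(objectClass=group))(!(isCriticalSystemObject=TRUE)))'
    $s.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

foreach ($name in 'Users', 'Computers') {
    $loc = Get-DefaultLocation $wellKnown[$name]
    '{0}: new accounts are created in {1} ({2})' -f $name, $loc.DN, $loc.Class
    if ($loc.Class -eq 'container') {
        Get-AccountsDirectlyIn $loc.DN |
            ForEach-Object { "  no OU-linked GPO reaches: $_" }
    }
}

if ($applyRedirect) {
    # redirusr/redircmp are the tools described in KB 324949.
    redirusr "$userOU,$domainDN"
    redircmp "$computerOU,$domainDN"
}
```

Running the check again after the redirect should report the new OUs with class `organizationalUnit`; accounts already sitting in the old containers still have to be moved separately.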

