Printable View
Is it possible to change the default containers in AD?
We want to put nested OUs under the Computers and Users containers and link GPs to them, unfortunately obviously we can't currently because they're not OUs.
How do most organisations get around this?
It was suggested that we create a new OU called "Workstations" and one called "User" and nest groups under there, but then we've got two containers doing nothing?...
Thanks in advance
I would suggest just leave the defaul containers as they are. Many organizations, just create different OUs and move accounts/computers from default built-in to where you can and apply GPO. For instance, we have XP Workstations nested on laptops, desktop, Vista Workstations, UserAccts nested on HighSecurity, HelpDesk, etc. The default Computer Containers are just there as defaults, if you create a new object without specifying an OU then it goes to default user or computer depending on your created object.
Many organizations that I know dont use them for newly created accounts, especially considering that starting with Windows 2003 Functional Level you can redirect those to an arbitrary OU. You can check out this website for some more information - http://technet.microsoft.com/en-us/l.../cc785903.aspx
Serrix,
Serrix wrote:
> Is it possible to change the default containers in AD?
> We want to put nested OUs under the Computers and Users containers and
> link GPs to them, unfortunately obviously we can't currently because
> they're not OUs.
>
> How do most organisations get around this?
> It was suggested that we create a new OU called "Workstations" and one
> called "User" and nest groups under there, but then we've got two
> containers doing nothing?...
As others have already mentioned, there's nothing you can do with the
built-in containers. Create your OU structure directly under the domain
root, that's what you can do - and that's what I've all people seen
doing so far. For the user and machine propagation to the corresponding
OUs, you need to develope some procedure either a step-by-step guide for
people responsible for user creation or with some technical mechanism
like redircmp and redirusr (WinServer 2003-only) that redirect newly
created users and computers to defined OUs.
cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Thanks everyone, its been very helpful and i'm going to work through those links and discuss this with the other technician.
Its great to have a direct awnser though, cheers!
if you redirect where users and computers go by default using redirusr and redircmp then YES you can rename the default "Users" and "Computers" containers in Active Directory.
on the DC open command prompt and redirect your folders:
redirusr ou=yournewOUname, dc=yourdomainname, dc=domainsuffix
(redirusr ou=Staff, dc=Contosso, dc=local)
redircmp ou=yournewOUname, dc=yourdomainname, dc=domainsuffix
(redircmp ou=Workstations, dc=Contosso, dc=local)
If you now refresh the Active Directory tree in the MMC, or close and re-open the MMC, you can right click on the Containers for "Users" and "Computers" and you will notice the option to rename them is available.
You must not delete these folders.
Renaming them is ok though. Hope this helps :)
..in which case the program isnt very well made.... which would lead me to ask the question "is this thing safe anywhere near my domain??"
:)
not just for aesthetics, i do this myself from time to time, but i still use the Container. Depending where and what its on it will either be named "Lost & Found" or i put non DC servers in there, redircmp all machines to a folder "Workstations" - depends.
users is the one that is usually wanted to move though... oh and its not just Aesthetics, its less confusing that having "Computers" "computers2"
"Workstations" "machines" etc - and some right messes ive seen.
which OU/CN is that new machine in you just added via RIS/WDS?
Ah well, each to their own i guess, the guy wanted to know how, and people where saying its not possible (as is the usual answer if you google) so i thought id reply with how since this thread does well on the google ranks.
According to Technet its fine doing this, they just dont explain how:
http://technet.microsoft.com/en-us/l...55(WS.10).aspx
However, i would only recomend doing it on a new domain setup, incase you have scripts and such that explicitly point at objects.