In the Active Directory structure of the Microsoft Windows Server product line, the default containers for creating user and computer security accounts are plain containers (object class CN) rather than organizational units (OUs), which would be preferable. OUs have significant advantages over containers: Group Policy can be linked directly at the OU level, administration can be delegated per OU, OUs can be protected against accidental deletion, and they allow better recovery scenarios.
Creating the OU
In order to gain those advantages of the OU structure you need to create one first. To create an OU you simply have to:
- Open Active Directory Users and Computers (DSA.MSC)
- Right click on the domain name (Note that OUs can be nested)
- Select New –> Organizational Unit
- Enter a name for the OU and press OK.
In the simplest scenario you could create an OU with your company's name (like MyCompany) and inside that OU one called Computers and one called Users. Now you are able to move the user and computer accounts to the respective OUs to gain the advantages mentioned previously.
Altering the default container
To complete the procedure, you need to redirect the default containers for creating users and computers. This will save you time and frustration when creating user and computer objects through command line utilities like net user, net computer, netdom add, etc., and through the domain join user interface in Windows operating systems, because new objects will land in the OUs rather than in the default containers.
Note that in order to redirect the default Users and Computers containers, your domain must be at the Windows Server 2003 functional level or higher.
To redirect the default container for user accounts (redirusr.exe) to an OU called Users inside an OU called MyCompany in the Mydomain.local domain, type:
c:\windows\system32\redirusr ou=Users,ou=MyCompany,dc=Mydomain,dc=local
To redirect the default container for computer accounts (redircmp.exe) to an OU called Computers inside an OU called MyCompany in the Mydomain.local domain, type:
c:\windows\system32\redircmp ou=Computers,ou=MyCompany,dc=Mydomain,dc=local
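As an added example (not part of the original article), the PowerShell script below carries out the whole procedure above in one go and verifies the result: it checks the functional level, creates the MyCompany/Users/Computers OUs with accidental-deletion protection, runs redirusr and redircmp, and confirms the redirection through Get-ADDomain. It assumes the ActiveDirectory module (RSAT) and Domain Admin rights; the OU names are the article's sample values.

```powershell
# Added example, not the article's own code. Assumes the ActiveDirectory module
# is available and the script runs with Domain Admin rights on a domain member or DC.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName          # e.g. DC=Mydomain,DC=local

# redirusr/redircmp require Windows Server 2003 domain functional level or higher.
$tooLow = @('Windows2000Domain', 'Windows2003InterimDomain')
if ($tooLow -contains $domain.DomainMode.ToString()) {
    throw "Domain functional level $($domain.DomainMode) is too low for container redirection."
}

# Desired OU layout: OU=MyCompany with Users and Computers OUs underneath it.
$companyOU   = "OU=MyCompany,$domainDN"
$usersOU     = "OU=Users,$companyOU"
$computersOU = "OU=Computers,$companyOU"

$layout = @(
    @{ Name = 'MyCompany'; Path = $domainDN  },
    @{ Name = 'Users';     Path = $companyOU },
    @{ Name = 'Computers'; Path = $companyOU }
)
foreach ($ou in $layout) {
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$($ou.Name)'" `
                    -SearchBase $ou.Path -SearchScope OneLevel
    if (-not $existing) {
        # ProtectedFromAccidentalDeletion is one of the OU advantages described above.
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# Redirect the default containers; both tools take the target OU's distinguished name.
& "$env:windir\System32\redirusr.exe" $usersOU
if ($LASTEXITCODE -ne 0) { throw "redirusr failed with exit code $LASTEXITCODE" }
& "$env:windir\System32\redircmp.exe" $computersOU
if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }

# Verify: Get-ADDomain exposes the current defaults (read from the domain's
# wellKnownObjects attribute), so a mismatch here means the redirection did not stick.
$domain = Get-ADDomain
if ($domain.UsersContainer -ne $usersOU -or $domain.ComputersContainer -ne $computersOU) {
    throw "Redirection not in effect: users -> $($domain.UsersContainer), computers -> $($domain.ComputersContainer)"
}
Write-Host "Default containers now: users -> $usersOU, computers -> $computersOU"
```

Re-run the final Get-ADDomain check after any domain-level restore or schema work; if the wellKnownObjects entries revert, newly joined computers will silently fall back to CN=Computers and miss the Group Policy linked to the OU.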