When you install Active Directory (AD) on your Windows Server, soon after, you'll want to join computers to the domain.
In a default installation of AD, computer accounts are put in the "CN=Computers" container. For many installations, this isn't a
big deal. The AD administrator would simply move the computer account to the appropriate Organizational Unit once the computer has
been joined to the domain. However, one thing you may have noticed is that the default "Computers" container does not allow you to
link group policy objects. This could be very limiting especially if your organization's security policies require that you
initially configure the system once it joins the domain, possibly by apply specific policies, installing software, or enabling
features such as the local Windows firewall. One solution is to redirect the Computers Container.
- The domain must be configured to run in the Windows Server 2003 domain functional level or higher.
- All domain controllers in the target domain must run Windows Server 2003 or newer.
Note: The "Computers" containers is a system-protected object that cannot be removed. However, the
container can be renamed.
Redirecting CN=Computers to an Administrator-specified Organizational Unit
- Log on with Domain Administrator credentials in the domain where the CN=computers container is being redirected.
- Open the Active Directory Users and Computers snap-in.
- Create the organizational unit container where you want computers to automatically be created in.
- Run the Redircmp.exe file at a command prompt by using the following syntax
- redircmp DN
- example: redircmp "ou=myComputers,DC=anITKB,dc=com"
Note: Redircmp.exe is installed in the %Systemroot%\System32 folder on Windows Server 2003-based or newer
computers. When Redircmp.exe is run to redirect the CN=Computers container to an organizational unit that is specified by an
administrator, the CN=Computers container will no longer be a protected object. This means that the Computers container can now
be moved, deleted, or renamed. If you use ADSIEDIT to view attributes on the CN=Computers container, you will see that the
systemflags attribute was changed from -1946157056 to 0. This is by design.
Just as an final tip, the same process can be performed to redirect users. The command that would be used is "redirusr".
Here is a list of all of the "well known objects" used by earlier-version APIs.
Recommended Books & Training Resources