Redirecting Computer Objects to a Specific OU

Friday, October 28, 2011

Soon after you install Active Directory (AD) on your Windows Server, you'll want to join computers to the domain. In a default installation of AD, computer accounts are put in the "CN=Computers" container. For many installations, this isn't a big deal. The AD administrator would simply move the computer account to the appropriate Organizational Unit once the computer has been joined to the domain. However, one thing you may have noticed is that the default "Computers" container does not allow you to link group policy objects. This can be very limiting, especially if your organization's security policies require that you configure the system as soon as it joins the domain, possibly by applying specific policies, installing software, or enabling features such as the local Windows firewall. One solution is to redirect the Computers container.

Prerequisites

  1. The domain must be configured to run in the Windows Server 2003 domain functional level or higher.
  2. All domain controllers in the target domain must run Windows Server 2003 or newer.

Note: The "Computers" container is a system-protected object that cannot be removed. However, the container can be renamed.

Redirecting CN=Computers to an Administrator-specified Organizational Unit

  1. Log on with Domain Administrator credentials in the domain where the CN=computers container is being redirected.
  2. Open the Active Directory Users and Computers snap-in.
  3. Create the organizational unit in which you want new computer accounts to be created automatically.
  4. Run the Redircmp.exe file at a command prompt by using the following syntax:

       redircmp DN

     Example:

       redircmp "ou=myComputers,DC=anITKB,dc=com"

Note: Redircmp.exe is installed in the %Systemroot%\System32 folder on Windows Server 2003-based or newer computers. When Redircmp.exe is run to redirect the CN=Computers container to an organizational unit that is specified by an administrator, the CN=Computers container will no longer be a protected object. This means that the Computers container can now be moved, deleted, or renamed. If you use ADSIEDIT to view attributes on the CN=Computers container, you will see that the systemflags attribute was changed from -1946157056 to 0. This is by design.

Just as a final tip, the same process can be performed to redirect users. The command that would be used is "redirusr".

Here is a list of all of the "well known objects" used by earlier-version APIs.


B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas
B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data
B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data
B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals
B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects
B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure
B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound
B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System
B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers
B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers
B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users
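
To confirm the result of redircmp or redirusr, you can read the wellKnownObjects attribute on the domain root and check that the Computers and Users entries now point at an OU that has a GPO linked. The script below is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and Get-WellKnownTarget is a helper name made up for this illustration.

```powershell
# Added example: report where new computer and user accounts are created by default.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Well-known object GUIDs, copied from the list on this page.
$WellKnownGuid = @{
    Computers = 'AA312825768811D1ADED00C04FD8D5CD'
    Users     = 'A9D1CA15768811D1ADED00C04FD8D5CD'
}

# Hypothetical helper: return the DN that a well-known GUID currently maps to.
function Get-WellKnownTarget {
    param(
        [string[]]$WellKnownObjects,   # values of the wellKnownObjects attribute
        [string]$Guid
    )
    foreach ($value in $WellKnownObjects) {
        # Each value has the form B:32:<32 hex digits>:<distinguished name>
        if ($value -match '^B:32:([0-9A-Fa-f]{32}):(.+)$' -and $Matches[1] -eq $Guid) {
            return $Matches[2]
        }
    }
}

$domain = Get-ADDomain
$root   = Get-ADObject -Identity $domain.DistinguishedName -Properties wellKnownObjects

foreach ($name in $WellKnownGuid.Keys) {
    $target = Get-WellKnownTarget -WellKnownObjects $root.wellKnownObjects -Guid $WellKnownGuid[$name]
    $obj    = Get-ADObject -Identity $target -Properties gPLink

    [pscustomobject]@{
        WellKnownObject = $name
        CurrentTarget   = $target
        # Only an OU can carry GPO links; a CN= container cannot.
        TargetIsOU      = $obj.ObjectClass -eq 'organizationalUnit'
        # gPLink is absent or blank when no GPO is linked to the target.
        HasGpoLink      = -not [string]::IsNullOrWhiteSpace($obj.gPLink)
    }
}
```

A row with TargetIsOU or HasGpoLink set to False means newly joined machines (or newly created users) still land somewhere no group policy is linked directly.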
