Soon after you install Active Directory (AD) on your Windows Server, you’ll want to join computers to the domain. In a default installation of AD, computer accounts are put in the CN=Computers container. For many installations, this isn’t a big deal.
The AD administrator would simply move the computer account to the appropriate Organizational Unit once the computer has been joined to the domain. However, one thing you may have noticed is that the default “Computers” container does not allow you to link group policy objects.
This could be very limiting, especially if your organization’s security policies require that you configure the system as soon as it joins the domain, possibly by applying specific policies, installing software, or enabling features such as the local Windows firewall. One solution is to redirect the Computers container.
- The domain must be configured to run in the Windows Server 2003 domain functional level or higher.
- All domain controllers in the target domain must run Windows Server 2003 or newer.
Note: The “Computers” container is a system-protected object that cannot be removed. However, the container can be renamed.
CN=Computers to an Administrator-specified Organizational Unit
- Log on with Domain Administrator credentials in the domain where the CN=computers container is being redirected.
- Open the Active Directory Users and Computers snap-in.
- Create the organizational unit in which you want computer accounts to be created automatically.
- Run the Redircmp.exe file at a command prompt by using the following syntax:
Redircmp.exe is installed in the %Systemroot%\System32 folder on Windows Server 2003-based or newer computers. When Redircmp.exe is run to redirect the CN=Computers container to an organizational unit that is specified by an administrator, the CN=Computers container will no longer be a protected object.
This means that the Computers container can now be moved, deleted, or renamed. If you use ADSIEDIT to view attributes on the CN=Computers container, you will see that the systemflags attribute was changed from
0. This is by design.
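The procedure above as a PowerShell script, with a check before and after the redirect. This is an added example, not part of the original article. It assumes the ActiveDirectory RSAT module is installed, that Redircmp.exe is called with the distinguished name of the target OU as its only argument, and that the OU name NewComputers is a hypothetical placeholder.

```powershell
# Added example: redirect the default computer container and verify the result.
# Run as a Domain Administrator on a host with the ActiveDirectory module.
Import-Module ActiveDirectory

$ouName   = 'NewComputers'   # hypothetical OU name, replace with your own
$domain   = Get-ADDomain
$pdc      = $domain.PDCEmulator
$oldDn    = $domain.ComputersContainer          # current default location
$targetDn = "OU=$ouName,$($domain.DistinguishedName)"

# Requirement from the article: Windows Server 2003 functional level or higher.
if ([string]$domain.DomainMode -in 'Windows2000Domain', 'Windows2003InterimDomain') {
    throw "Domain functional level $($domain.DomainMode) is too low."
}

# Create the target OU only if it does not exist yet.
$existing = Get-ADOrganizationalUnit -Server $pdc `
    -Filter "distinguishedName -eq '$targetDn'"
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName -Server $pdc
}

# Redirect new computer accounts to the OU.
& "$env:SystemRoot\System32\redircmp.exe" $targetDn
if ($LASTEXITCODE -ne 0) {
    throw "redircmp.exe failed with exit code $LASTEXITCODE"
}

# Verify against the PDC emulator so replication delay does not hide the change.
$after = Get-ADDomain -Server $pdc
if ($after.ComputersContainer -ne $targetDn) {
    throw "Computers container is still $($after.ComputersContainer)"
}
"New computer accounts will be created in: $($after.ComputersContainer)"

# The old container is no longer protected after the redirect; show its
# systemFlags so the change described in the article can be confirmed.
Get-ADObject -Identity $oldDn -Server $pdc -Properties systemFlags |
    Select-Object DistinguishedName, systemFlags
```

Because the old container loses its protection, review who holds delete or move rights on it once the redirect is in place, and link the baseline GPOs to the new OU before joining further machines.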
Just as a final tip, the same process can be performed to redirect users. The command that would be used is
Here is a list of all of the “well-known objects” used by earlier-version APIs.