Computers & ProgrammingComputers & NetworkingWindows Server

Redirecting Computer Objects to a Specific OU

When you install Active Directory (AD) on your Windows Server, soon after, you’ll want to join computers to the domain. In a default installation of AD, computer accounts are put in the CN=Computers container. For many installations, this isn’t a big deal.

The AD administrator would simply move the computer account to the appropriate Organizational Unit once the computer has been joined to the domain. However, one thing you may have noticed is that the default “Computers” container does not allow you to link group policy objects.

This could be very limiting especially if your organization’s security policies require that you initially configure the system once it joins the domain, possibly by applying specific policies, installing software, or enabling features such as the local Windows firewall. One solution is to redirect the Computers Container.


  1. The domain must be configured to run in the Windows Server 2003 domain functional level or higher.
  2. All domain controllers in the target domain must run Windows Server 2003 or newer.

Note: The “Computers” containers is a system-protected object that cannot be removed. However, the container can be renamed.

Redirecting CN=Computers to an Administrator-specified Organizational Unit

  1. Log on with Domain Administrator credentials in the domain where the CN=computers container is being redirected.
  2. Open the Active Directory Users and Computers snap-in.
  3. Create the organizational unit container where you want computers to automatically be created in.
  4. Run the Redircmp.exe file at a command prompt by using the following syntax: redircmp DN
  5. Example: redircmp "ou=myComputers,DC=anITKB,dc=com"

Note: Redircmp.exe is installed in the %Systemroot%\System32 folder on Windows Server 2003-based or newer computers. When Redircmp.exe is run to redirect the CN=Computers container to an organizational unit that is specified by an administrator, the CN=Computers container will no longer be a protected object.

This means that the Computers container can now be moved, deleted, or renamed. If you use ADSIEDIT to view attributes on the CN=Computers container, you will see that the systemflags attribute was changed from -1946157056 to 0. This is by design.

Just as a final tip, the same process can be performed to redirect users. The command that would be used is redirusr.

Here is a list of all of the “well-known objects” used by earlier-version APIs.

  • B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas
  • B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data
  • B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data
  • B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals
  • B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects
  • B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure
  • B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound
  • B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System
  • B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers
  • B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers
  • B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top