Wednesday, January 27, 2016

Redirecting the Users and Computers Containers in AD

By default, when you create a new user or join a new computer to your domain, the Active Directory (AD) object for that new user or new computer is put in the default Users or Computers container under the root of your AD domain.

To see the current default location for these objects in AD, run the following PowerShell command.

Get-ADDomain | Select-Object ComputersContainer, UsersContainer | Format-List


The Users and Computers containers in AD are not Organizational Units (OUs), so you cannot link Group Policy Objects (GPOs) directly to them. To get around this, many administrators design their own Active Directory structure with OUs for users and computers. We've created an example of an AD structure below. When you do this, you may want to change the default location where your new user or computer objects are created.


We used PowerShell above to check the default location where these objects are created; however, we will not be using PowerShell to redirect these objects to their new location. At the time of writing, the PowerShell way looks far more complicated, as there are no equivalent PowerShell cmdlets. Instead, we'll be using the commands redirusr and redircmp.

Redirecting Users to another OU


To redirect new user objects in Active Directory to another organisational unit, use the following command:
redirusr <CONTAINER-DN>
For example, in our AD structure, we would enter the following:
redirusr "OU=User Accounts,OU=Users,OU=Unit34.co,DC=Unit34,DC=co"

Redirecting Computers to another OU


To redirect new computer objects in Active Directory to another organisational unit, use the following command:
redircmp <CONTAINER-DN>
For example, in our AD structure, we would enter the following:
redircmp "OU=Computers,OU=Unit34.co,DC=Unit34,DC=co"
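
After running redirusr and redircmp, it is worth confirming the change and checking for accounts that were created before the redirect and are still outside GPO scope. The script below is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is installed and that the default containers have their standard names (CN=Users and CN=Computers).

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$domain           = Get-ADDomain
# Assumption: the default containers still have their standard names.
$defaultUsers     = "CN=Users,$($domain.DistinguishedName)"
$defaultComputers = "CN=Computers,$($domain.DistinguishedName)"

# 1. Where are new objects created now, and is each target a real OU?
#    HasDirectGpo only reports GPOs linked on the target itself; GPOs inherited
#    from a parent OU or the domain root are not counted here.
$targets = [ordered]@{
    Users     = $domain.UsersContainer
    Computers = $domain.ComputersContainer
}
$report = foreach ($kind in $targets.Keys) {
    $obj = Get-ADObject -Identity $targets[$kind] -Properties gPLink
    [pscustomobject]@{
        ObjectType   = $kind
        CreatedIn    = $obj.DistinguishedName
        IsOU         = $obj.ObjectClass -eq 'organizationalUnit'
        HasDirectGpo = -not [string]::IsNullOrWhiteSpace($obj.gPLink)
    }
}
$report | Format-Table -AutoSize

# 2. The redirect only affects NEW objects. List computer accounts that are
#    still directly inside the default Computers container.
Get-ADComputer -Filter * -SearchBase $defaultComputers -SearchScope OneLevel -Properties whenCreated |
    Select-Object Name, whenCreated, DistinguishedName |
    Format-Table -AutoSize

# 3. Same check for users. Built-in accounts (Administrator, Guest, krbtgt)
#    are flagged isCriticalSystemObject and are expected to live in CN=Users.
Get-ADUser -Filter * -SearchBase $defaultUsers -SearchScope OneLevel -Properties isCriticalSystemObject, whenCreated |
    Where-Object { -not $_.isCriticalSystemObject } |
    Select-Object SamAccountName, whenCreated, DistinguishedName |
    Format-Table -AutoSize
```

Any accounts listed by steps 2 and 3 need to be moved into an OU manually before GPOs linked to that OU will apply to them.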
