Redirect the Users and Computers Containers

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The default CN=Users and CN=Computers containers that are created when Active Directory is installed are not organizational units (OUs). Objects in the default containers are more difficult to manage because Group Policy cannot be applied directly to them. New user accounts, computer accounts, and security groups that are created by using earlier versions of user interface and command-line management tools, such as the net user and net computer commands, the net group command, the netdom add command where the /ou command is either not specified or supported, or Windows NT 4.0 tools such as User Manager for Domains, do not allow administrators to specify a target organizational unit and therefore create these objects in either the CN=Computers container or the CN=User container by default.

It is recommended that administrators who upgrade Windows NT 4.0–based and Windows 2000–based domain controllers to Windows Server 2003 redirect the well-known path for the CN=Users and CN=Computers to an OU that is specified by the administrator so that Group Policy can apply to containers that are hosting newly created objects.

Important

  • The CN=Users and CN=Computers containers are computer-protected objects. You cannot (and must not) remove them for backward compatibility purposes. However, you can rename these objects.

In Windows Server 2003 Active Directory, when the domain functional level has been raised to Windows Server 2003, you can redirect the default CN=Users and CN=Computers containers to organizational units that you specify so that each can support Group Policy, making them easier to manage.

To redirect the Users container

  1. In Active Directory Users and Computers, create an organizational unit container to which you will redirect users that were created with earlier versions of user interface and command-line management tools.

  2. At the command line, change to the system32 directory by typing:

    Cd %systemroot%\system32
    
  3. At the %systemroot%\system32 directory, type:

    Redirusr ou=newuserou,DC=domainname,dc=com
    

To redirect the Computers container

  1. In Active Directory Users and Computers, create an organizational unit container to which you will redirect computer objects that were created with earlier versions of user interface and command-line management tools.

  2. At the command line, change to the system32 directory by typing:

    Cd %systemroot%\system32
    
  3. At the %systemroot%\system32 directory, type:

    Redircmp ou=newcomputerou,DC=domainname,dc=com
    

For more information about creating an organizational unit design, see "Designing the Active Directory Logical Structure" in this book.