Redirect Users and Computers

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The default CN=Users and CN=Computers containers that are created when Active Directory is installed are not organizational units. Objects in the default containers are more difficult to manage because Group Policy cannot be applied directly to them. Earlier versions of user interface and command-line management tools do not allow administrators to specify a target organizational unit for new user accounts, computer accounts, and security groups and, therefore, create these objects in either the CN=Computers container or the CN=Users container by default. Examples of these earlier versions include the net user and net computer commands, the net group command, the netdom add command where the /ou parameter is either not specified or not supported, and Windows NT 4.0 tools such as User Manager for Domains.

It is recommended that administrators who upgrade Windows NT 4.0–based and Windows 2000–based domain controllers to Windows Server 2003 redirect the well-known path for the CN=Users and CN=Computers containers to an organizational unit specified by the administrator so that Group Policy can apply to containers hosting newly created objects.

Important

  • The CN=Users and CN=Computers containers are computer-protected objects. For backward compatibility reasons, you cannot (and must not) remove them. However, you can rename these objects.

In Windows Server 2003 Active Directory, when the domain functional level has been raised to Windows Server 2003, you can redirect the default CN=Users and CN=Computers containers to organizational units that you specify so that each can support Group Policy, making them easier to manage.

To redirect the Users container

  1. In Active Directory Users and Computers, create an organizational unit container to which you will redirect user objects created with earlier versions of user interface and command-line management tools.

  2. At the command line, change to the System32 folder by typing:

    cd %systemroot%\system32
    
  3. At the %systemroot%\System32 folder, type the following, where newuserou is the name of the new user OU and domainname is the name of the domain:

    redirusr ou=newuserou,DC=domainname,dc=com
    

To redirect the Computers container

  1. In Active Directory Users and Computers, create an organizational unit container to which you will redirect computer objects created with earlier versions of user interface and command-line management tools.

  2. At the command line, change to the System32 folder by typing:

    cd %systemroot%\system32
    
  3. At the %systemroot%\System32 folder, type the following, where newcomputerou is the name of the new computer OU and domainname is the name of the domain:

    redircmp ou=newcomputerou,DC=domainname,dc=com
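
To confirm that both redirections took effect, the following added example (not part of the original documentation) resolves the two well-known paths and reports where each now points, whether the target is an organizational unit, and whether a GPO is linked to it. It assumes Windows PowerShell on a domain-joined computer; the function name Get-DefaultContainerTarget is hypothetical, and the well-known GUID constants are supplied here rather than taken from the steps above.

```powershell
# Added example. Well-known GUIDs that Active Directory uses to locate the
# default Users and Computers containers; redirusr and redircmp repoint them.
$WellKnownGuid = @{
    Users     = 'a9d1ca15768811d1aded00c04fd8d5cd'
    Computers = 'aa312825768811d1aded00c04fd8d5cd'
}

function Get-DefaultContainerTarget {
    param(
        # Defaults to the domain of the logged-on computer,
        # for example 'DC=domainname,DC=com'.
        [string] $DomainDN = ([ADSI]'LDAP://RootDSE').Properties['defaultNamingContext'].Value
    )

    foreach ($kind in 'Users', 'Computers') {
        # A WKGUID bind is resolved by the directory itself, so it returns
        # whatever location the well-known path currently points to.
        $entry = [ADSI]"LDAP://<WKGUID=$($WellKnownGuid[$kind]),$DomainDN>"

        $dn      = [string]$entry.Properties['distinguishedName'].Value
        $classes = @($entry.Properties['objectClass'])
        $gpLink  = [string]$entry.Properties['gPLink'].Value

        New-Object PSObject -Property @{
            WellKnownPath = $kind
            CurrentTarget = $dn
            # Group Policy can be linked only when the target is an OU.
            IsOU          = ($classes -contains 'organizationalUnit')
            # gPLink stays empty until a GPO has been linked to the OU.
            HasLinkedGpo  = ($gpLink.Trim().Length -gt 0)
        }
    }
}

Get-DefaultContainerTarget |
    Select-Object WellKnownPath, CurrentTarget, IsOU, HasLinkedGpo |
    Format-Table -AutoSize
```

A row that still shows a CN=Users or CN=Computers target with IsOU set to False means that redirection has not been applied for that path, and newly created objects of that kind will not receive OU-linked Group Policy.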
    

For more information about creating an organizational unit design, see "Designing the Active Directory Logical Structure" in this book.