Re: Default containers in AD

Hello FthrJACK,

Do not change some of the default containers. If for whatever reason your
redirection to another OU doesn't work you can not use the default mechanism.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Bit of an old thread but, since this thread ranks on google...
>
> if you redirect where users and computers go by default using redirusr
> and redircmp then YES you can rename the default "Users" and
> "Computers" containers in Active Directory.
>
> on the DC open command prompt and redirect your folders:
>
> redirusr ou=yournewOUname, dc=yourdomainname, dc=domainsuffix
> -(redirusr ou=staff, dc=contosso, dc=local)-
>
> redircmp ou=yournewOUname, dc=yourdomainname, dc=domainsuffix
> -(redircmp ou=workstations, dc=contosso, dc=local)-
>
> If you now refresh the Active Directory tree in the MMC, or close and
> re-open the MMC, you can right click on the Containers for "Users" and
> "Computers" and you will notice the option to rename them is
> available.
>
> YOU MUST NOT DELETE THESE FOLDERS.
>
> Renaming them is ok though. Hope this helps
>
> http://forums.techarena.in
>

"FthrJACK" <> wrote in message
news:...
>
> According to Technet its fine doing this, they just dont explain how:
> http://technet.microsoft.com/en-us/l...55(WS.10).aspx
>
>
> However, i would only recomend doing it on a new domain setup, incase
> you have scripts and such that explicitly point at objects.
>
> FthrJACK

IMHO, I really don't see the point in renaming it. I can understand
redirection, but renaming it? For aesthetics?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Howdie!

FthrJACK wrote:
> According to Technet its fine doing this, they just dont explain how:
> http://technet.microsoft.com/en-us/l...55(WS.10).aspx
>
> However, i would only recomend doing it on a new domain setup, incase
> you have scripts and such that explicitly point at objects.

Yeah - you technically can do that. Microsoft does reference them using
the GUID that don't change on container rename. The question is whether
third party apps break if you rename the built-in folders.

Cheers,
Florian

"Florian Frommherz [MVP]" <> wrote in message
news:%...
> Howdie!
>
> FthrJACK wrote:
>> According to Technet its fine doing this, they just dont explain how:
>> http://technet.microsoft.com/en-us/l...55(WS.10).aspx
>>
>> However, i would only recomend doing it on a new domain setup, incase
>> you have scripts and such that explicitly point at objects.
>
> Yeah - you technically can do that. Microsoft does reference them using
> the GUID that don't change on container rename. The question is whether
> third party apps break if you rename the built-in folders.
>
> Cheers,
> Florian

Good point. Some third party apps may have the default container names hard
coded.

Ace

"FthrJACK" <> wrote in message
news:...
>
> .in which case the program isnt very well made.... which would lead me
> to ask the question "is this thing safe anywhere near my domain??"
>
>
>
>
> not just for aesthetics, i do this myself from time to time, but i
> still use the Container. Depending where and what its on it will either
> be named "Lost & Found" or i put non DC servers in there, redircmp all
> machines to a folder "Workstations" - depends.
>
> users is the one that is usually wanted to move though... oh and its
> not just Aesthetics, its less confusing that having "Computers"
> "computers2"
> "Workstations" "machines" etc - and some right messes ive seen.
>
> which OU/CN is that new machine in you just added via RIS/WDS?
>
> Ah well, each to their own i guess, the guy wanted to know how, and
> people where saying its not possible (as is the usual answer if you
> google) so i thought id reply with how since this thread does well on
> the google ranks.
>
>
> --
> FthrJACK

I wouldn't discount a third party app just because it hard codes something
like this.

I see what you mean about computers, computers2, etc. They that leads me to
believe that you are just creating OUs on the root, which is just how I
interpreted your post.

For example, in my installations, I don't mess with the default containers.
I create a sub-structure OU. For example, this is for a small company:

CompanyName OU
Users
Computers
Workstations
Servers
Laptops
Termed Users
Groups
Contacts
etc

Larger company with locations:

Philly OU
Users
Computers
Workstations
Servers
Laptops
Termed Users
Groups
Contacts
Seattle OU
Users
Computers
Workstations
Servers
Laptops
Termed Users
Groups
Contacts
etc

This way I can control GPO targeting as well as WSUS targeting.

To each their own, I guess. :-)

Ace

"FthrJACK" <> wrote in message
news:...
>
> According to Technet its fine doing this, they just dont explain how:
> http://technet.microsoft.com/en-us/l...55(WS.10).aspx
>
>
> However, i would only recomend doing it on a new domain setup, incase
> you have scripts and such that explicitly point at objects.
>

As a third party software developer, just about the only container/OU I can
depend on is the "cn=Users" container. If I need to create a service
account, for example to run my SQL Server instance, this is the best
location. During installation if I detect a domain, I create the account
there. I would need to investigate how to handle the situation where this is
renamed. Off hand, the best way I can think of is to use the well-known RID
to find the Administrator user (which is more likely to be renamed), then
find the parent container of that account. I doubt many developers would go
to the trouble.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Richard Mueller [MVP]" <rlmueller-> wrote in
message news:...
>
> "FthrJACK" <> wrote in message
> news:...
>>
>> According to Technet its fine doing this, they just dont explain how:
>> http://technet.microsoft.com/en-us/l...55(WS.10).aspx
>>
>>
>> However, i would only recomend doing it on a new domain setup, incase
>> you have scripts and such that explicitly point at objects.
>>
>
> As a third party software developer, just about the only container/OU I
> can depend on is the "cn=Users" container. If I need to create a service
> account, for example to run my SQL Server instance, this is the best
> location. During installation if I detect a domain, I create the account
> there. I would need to investigate how to handle the situation where this
> is renamed. Off hand, the best way I can think of is to use the well-known
> RID to find the Administrator user (which is more likely to be renamed),
> then find the parent container of that account. I doubt many developers
> would go to the trouble.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>


Or worse, if the default Administrator account was moved to an OU somewhere
else in the structure.

Ace