Soon after you install Active Directory (AD) on your Windows Server, you'll want to join computers to the domain. In a default installation of AD, computer accounts are put in the CN=Computers container. For many installations, this isn't a big deal.
The AD administrator would simply move the computer account to the appropriate Organizational Unit once the computer has been joined to the domain. However, one thing you may have noticed is that the default “Computers” container does not allow you to link group policy objects.
This could be very limiting, especially if your organization's security policies require that you configure the system as soon as it joins the domain, possibly by applying specific policies, installing software, or enabling features such as the local Windows firewall. One solution is to redirect the Computers container.
Prerequisites
- The domain must be configured to run in the Windows Server 2003 domain functional level or higher.
- All domain controllers in the target domain must run Windows Server 2003 or newer.
Note: The “Computers” container is a system-protected object that cannot be removed. However, the container can be renamed.
Redirecting CN=Computers to an Administrator-specified Organizational Unit
- Log on with Domain Administrator credentials in the domain where the CN=Computers container is being redirected.
- Open the Active Directory Users and Computers snap-in.
- Create the organizational unit in which you want computer accounts to be created automatically.
- Run the Redircmp.exe file at a command prompt by using the following syntax: redircmp DN
- Example: redircmp "ou=myComputers,DC=anITKB,dc=com"
Note: Redircmp.exe is installed in the %Systemroot%\System32 folder on Windows Server 2003-based or newer computers. When Redircmp.exe is run to redirect the CN=Computers container to an organizational unit that is specified by an administrator, the CN=Computers container will no longer be a protected object.
This means that the Computers container can now be moved, deleted, or renamed. If you use ADSIEDIT to view attributes on the CN=Computers container, you will see that the systemflags attribute was changed from -1946157056 to 0. This is by design.
Just as a final tip, the same process can be performed to redirect users. The command that would be used is redirusr.
Here is a list of all of the “well-known objects” used by earlier-version APIs.
B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas
B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data
B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data
B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals
B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects
B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure
B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound
B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System
B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers
B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers
B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users
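Redircmp and redirusr record the new location in the wellKnownObjects attribute on the domain root, so reading that attribute back shows whether new computer and user accounts now land in an OU that can carry GPO links. The following PowerShell is an added example, not part of the original article; it parses values in the format listed above and flags the Computers and Users entries. The function name `Test-DefaultLocation` is hypothetical, the sample values are constructed from the article's example DN, and the commented live query assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example. The two GUIDs are the Computers and Users entries from the list above.
$DefaultLocationGuids = @{
    'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
    'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
}

function Test-DefaultLocation {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$WellKnownObjects)

    foreach ($value in $WellKnownObjects) {
        # Each value has the form B:<hex digit count>:<GUID hex>:<distinguished name>
        if ($value -match '^B:(\d+):([0-9A-F]+):(.+)$') {
            $count = [int]$Matches[1]
            $guid  = $Matches[2].ToUpper()
            $dn    = $Matches[3]

            if ($count -ne $guid.Length) {
                Write-Warning "Length field does not match GUID length: $value"
                continue
            }
            if ($DefaultLocationGuids.ContainsKey($guid)) {
                [pscustomobject]@{
                    DefaultFor  = $DefaultLocationGuids[$guid]
                    Target      = $dn
                    # GPOs can be linked to an OU, not to a CN= container
                    GpoLinkable = ($dn -match '^OU=')
                }
            }
        }
        else {
            Write-Warning "Unrecognized wellKnownObjects value: $value"
        }
    }
}

# Constructed sample values: Computers redirected to the article's example OU,
# Users left in its default container, System included to show it is ignored.
$sample = @(
    'B:32:AA312825768811D1ADED00C04FD8D5CD:ou=myComputers,DC=anITKB,dc=com'
    'B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=anITKB,dc=com'
    'B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=anITKB,dc=com'
)
Test-DefaultLocation -WellKnownObjects $sample | Format-Table -AutoSize

# Against a live domain (assumes the ActiveDirectory module is available):
# $root = Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties wellKnownObjects
# Test-DefaultLocation -WellKnownObjects $root.wellKnownObjects
```

A row with GpoLinkable set to False means accounts created without an explicit OU still land in a container where no group policy object can be linked.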