When you create a new user or computer account in Active Directory, the account is created in the CN=Users or CN=Computers container by default. Although these accounts inherit GPOs linked to the domain, it is not possible to link Group Policy directly to these containers.
There are two tools included with Windows Server 2003, Redirusr.exe and Redircmp.exe, with which you can change this behavior so that new user and computer accounts are created in an OU of your choosing. Redircmp.exe and Redirusr.exe modify the wellKnown attribute on the PDC Emulator to accomplish this. Both tools are located in %windir%\system32. Before you try this you must ensure the following:
* Your domain must be running at the Windows Server 2003 domain functional level (all DCs must be Windows Server 2003)
* You need Domain Admin or Enterprise Admin privileges
* Your PDC must be online and responding to requests
* The OUs must be created before you run these tools
To redirect any new user accounts to a specific OU run the following command:
%windir%\system32\redirusr.exe containerDN
For example, to redirect new user accounts to an OU called NewUserAccounts, run the following command:
%windir%\system32\redirusr.exe OU=NewUserAccounts,DC=thelazyadmin,DC=com
It is just as easy to redirect new computer accounts to a specific OU with this command:
%windir%\system32\redircmp.exe containerDN
For example, to redirect new computer accounts to an OU called NewComputerAccounts, run the following command:
%windir%\system32\redircmp.exe OU=NewComputerAccounts,DC=thelazyadmin,DC=com
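Before and after running either tool it is worth checking where the domain currently sends new accounts. The following PowerShell script is an added example, not part of the original article; it reads the attribute the tools modify (wellKnownObjects on the domain object, queried from the PDC Emulator) and reports the target of each redirection, whether the target is an OU, and whether a GPO is linked to it. It assumes the ActiveDirectory module (RSAT) is installed and the PDC Emulator is reachable.

```powershell
# Added example: report where new user and computer accounts are created.
# Assumes the ActiveDirectory module (RSAT) and a reachable PDC Emulator.
Import-Module ActiveDirectory

# Well-known GUIDs that tag the default Users and Computers containers.
$WellKnownUsers     = 'A9D1CA15768811D1ADED00C04FD8D5CD'
$WellKnownComputers = 'AA312825768811D1ADED00C04FD8D5CD'

function Get-DefaultAccountContainers {
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $domain = Get-ADDomain -Server $Server
    # Each wellKnownObjects value has the form  B:32:<GUID>:<DN>
    $domainObj = Get-ADObject -Identity $domain.DistinguishedName `
                              -Server $Server -Properties wellKnownObjects
    $targets = @{}
    foreach ($entry in $domainObj.wellKnownObjects) {
        $parts = $entry -split ':', 4          # keep any ':' inside the DN intact
        if ($parts.Count -ne 4) { continue }
        $guid = $parts[2].ToUpperInvariant()
        if     ($guid -eq $WellKnownUsers)     { $targets['Users']     = $parts[3] }
        elseif ($guid -eq $WellKnownComputers) { $targets['Computers'] = $parts[3] }
    }

    foreach ($kind in 'Users', 'Computers') {
        $dn = $targets[$kind]
        # The defaults are plain containers (no GPO links possible);
        # a redirected target should be an OU with a restrictive GPO linked.
        $target = Get-ADObject -Identity $dn -Server $Server -Properties gPLink
        [pscustomobject]@{
            AccountType  = $kind
            TargetDN     = $dn
            IsOU         = ($target.ObjectClass -eq 'organizationalUnit')
            HasGpoLinked = -not [string]::IsNullOrEmpty($target.gPLink)
        }
    }
}

Get-DefaultAccountContainers | Format-Table -AutoSize
```

A row with IsOU false means the domain is still using the default container for that account type; a row with IsOU true but HasGpoLinked false means the redirection is in place but the OU carries no policy yet.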
Automatically redirect new users and computers to a lockdown OU
Shijaz Abdulla, MVP
www.shijaz.com/windows
This article explains how to change the default container for newly created user and computer accounts in Active Directory, which offers increased security. Every machine joined to the domain automatically gets a computer account created in the default Computers container. This article explains how that default container can be changed for both users and computers. You can then apply a highly restrictive policy to the lockdown OU. If a joined computer turns out to be legitimate, you can move its computer account to the Computers container or to any other OU according to your organizational norms.
Prerequisites
* Domain functional level should be at least Windows Server 2003
* Logged on user must have domain admin privileges
Step 1. Create an OU and apply a highly restrictive GPO
1. Create an OU named Lockdown
2. Create a GPO and make it highly restrictive. (Paralyze the users & computers if you’d like!) Link this GPO to the Lockdown OU.
(Discussing how to create and edit GPOs is out of the scope of this article)
Step 2. Redirecting new computer accounts to an OU named “Lockdown”
1. Open Command Prompt.
2. Type the following command:
C:\windows\system32> redircmp ou=Lockdown,DC=company,dc=com
Step 3. Redirecting new user accounts to an OU named “Lockdown”
1. Open Command Prompt.
2. Type the following command:
C:\windows\system32> redirusr ou=lockdown,DC=company,dc=com
Step 4. Test whether redirection works
1. Open Command Prompt.
2. Type the following commands:
net computer \\compname /add
net user username password /add
3. Open Active Directory Users & Computers. You will find that the user account and the computer account you just created have been placed in the Lockdown OU.