Modifying Computer Objects with Active Directory - Changing the Default Container for Computers

Problem

You want to change the container that computers are created in by default.

Solution

Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection -> Connect.
   
3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
   
4. For Port, enter 389.
   
5. Click OK.
   
6. From the menu, select Connection -> Bind.
   
7. Enter credentials of a domain user.
   
8. Click OK.
   
9. From the menu, select Browse -> Modify.
   
10. For DN, enter the distinguished name of the domainDNS object of the domain you want to modify.
    
11. For Attribute, enterwellKnownObjects.
    
12. For Values, enter the following: 
    
      B:32:AA312825768811D1ADED00C04FD8D5 CD:CN=Computers,<DomainDN >
    
    where<DomainDN>is the same as the DN you enter for the DN field.
    
13. Select Delete for the Operation and click the Enter button.
    
14. Go back to the Values field and enter the following: 
      
     B:32:AA312825768811D1ADED00C04FD8D5CD: <NewComputersParent>,<DomainDN>
    
    where <NewComputersParent>is the new parent container for new computer objects (e.g.,ou=RAllenCorp Computers).
    
15. Select Add for the Operation and click the Enter button.
    
16. Click the Run button.
    
    The result of the operations will be displayed in the right pane of the main LDP window.

Using a command-line interface

  > redircmp "<NewParentDN>"

 Using VBScript

  ' This code changes the default computers container.
  ' ------ SCRIPT CONFIGURATION ------
  strNewComputersParent = "<NewComputersParent>" ' e.g. OU=RAllenCorp Computers
  strDomain             = "<DomainDNSName>" ' e.g. rallencorp.com
  ' ------ END CONFIGURATION ----------

  Const COMPUTER_WKGUID = "B:32:AA312825768811D1ADED00C04FD8D5CD:"
  ' ADS_PROPERTY_OPERATION_ENUM
  Const ADS_PROPERTY_APPEND = 3
  Const ADS_PROPERTY_DELETE = 4

  set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
  set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
  set objCompWK = GetObject("LDAP://" & _
 "<WKGUID=AA312825768811D1ADED00C04FD8D5CD," & _
objRootDSE.Get("defaultNamingContext") & ">")

  objDomain.PutEx ADS_PROPERTY_DELETE, "wellKnownObjects", _
      Array( COMPUTER_WKGUID & objCompWK.Get("distinguishedName"))
  objDomain.PutEx ADS_PROPERTY_APPEND, "wellKnownObjects", _
                    Array( COMPUTER_WKGUID & strNewComputersParent & "," &
    objRootDSE.Get("defaultNamingContext") )
  objDomain.SetInfo
  WScript.Echo "New default Computers container set to " & _
                strNewComputersParent

Discussion

Most Active Directory administrators do not use the Computers container within the Domain naming context as their primary computer repository. One reason is that since it is a container and not an OU, you cannot apply Group Policy Objects to it. If you have another location where you store computer objects, you might want to consider changing the default container used to bind to the computers container by changing the well-known objects attribute, as shown in this recipe. This can be beneficial if you want to ensure computers cannot sneak into Active Directory without having the appropriate group policies applied to them. While you can also apply GPOs at the site or the domain level, forcing new computers into a particular Organizational Unit ensures that those computers receive the Group Policy settings that you want them to receive through GPOs linked at the OU level. However, this does not protect you from an administrator (whether intentionally or accidentally) explicitly creating a computer object in the incorrect OU; this only protects you from applications or utilities that do not allow or do not require you to specify an OU when creating the computer.

See Recipe 8.14 for more information on how well-known objects are specified in Active Directory.

See Also

MS KB 324949 (Redirecting the Users and Computers Containers in Windows Server 2003 Domains)

Next: Listing All the Computer Accounts in a Domain >>
 

More Windows Scripting Articles
More By O'Reilly Media

Comments On: Modifying Computer Objects with Active Directory

· This article is an excerpt from the "Active Directory Cookbook, Second Edition,"...   >>> Post your comment now!

Buy this book...

This article is excerpted from chapter eight of the Active Directory Cookbook, Second Edition, written by Robbie Allen and Laura E. Hunter (O'Reilly; ISBN: 059610202X). Check it out today at your favorite bookstore. Buy this book now.