Changing the Default Container for Computers


You want to change the container that computers are created in by default.


Using a graphical user interface
  1. Open LDP.

  2. From the menu, select Connection → Connect.

  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

  4. For Port, enter 389.

  5. Click OK.

  6. From the menu, select Connection → Bind.

  7. Enter credentials of a domain user.

  8. Click OK.

  9. From the menu, select Browse → Modify.

  10. For DN, enter the distinguished name of the domainDNS object of the domain you want to modify.

  11. For Attribute, enter wellKnownObjects.

  12. For Values, enter the following:

    B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,<DomainDN>

    where <DomainDN> is the same as the DN you enter for the DN field.

  13. Select Delete for the Operation and click the Enter button.

  14. Go back to the Values field and enter the following:

    B:32:AA312825768811D1ADED00C04FD8D5CD:<NewComputersParent>,<DomainDN>

    where <NewComputersParent> is the new parent container for new computer objects (e.g., ou=RAllenCorp Computers).

  15. Select Add for the Operation and click the Enter button.

  16. Click the Run button.

    The result of the operations will be displayed in the right pane of the main LDP window.

Using a command-line interface
	> redircmp "<NewParentDN>"

Using VBScript
	' This code changes the default computers container.
	' ------ SCRIPT CONFIGURATION ------
	strNewComputersParent = "<NewComputersParent>" ' e.g. OU=RAllenCorp Computers
	strDomain             = "<DomainDNSName>"      ' e.g.
	' ------ END CONFIGURATION ---------

	' ADSI PutEx control codes
	Const ADS_PROPERTY_APPEND = 3
	Const ADS_PROPERTY_DELETE = 4
	Const COMPUTER_WKGUID = "B:32:AA312825768811D1ADED00C04FD8D5CD:"

	' Bind to the domain object and to the current well-known Computers container
	set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
	set objDomain = GetObject("LDAP://" & objRootDSE.Get("defaultNamingContext"))
	set objCompWK = GetObject("LDAP://" & _
	                           "<WKGUID=AA312825768811D1ADED00C04FD8D5CD," & _
	                           objRootDSE.Get("defaultNamingContext") & ">")

	' Delete the old value, add the new one, then write the changes to the directory
	objDomain.PutEx ADS_PROPERTY_DELETE, "wellKnownObjects", _
	                Array( COMPUTER_WKGUID & objCompWK.Get("distinguishedName"))
	objDomain.PutEx ADS_PROPERTY_APPEND, "wellKnownObjects", _
	                Array( COMPUTER_WKGUID & strNewComputersParent & "," & _
	                       objRootDSE.Get("defaultNamingContext") )
	objDomain.SetInfo
	WScript.Echo "New default Computers container set to " & _
	             strNewComputersParent


Most Active Directory administrators do not use the Computers container within the Domain naming context as their primary computer repository. One reason is that since it is a container and not an OU, you cannot apply Group Policy Objects to it. If you have another location where you store computer objects, you might want to consider changing the default location that the well-known Computers entry points to by modifying the wellKnownObjects attribute, as shown in this recipe. This can be beneficial if you want to ensure computers cannot sneak into Active Directory without having the appropriate group policies applied to them. While you can also apply GPOs at the site or the domain level, forcing new computers into a particular Organizational Unit ensures that those computers receive the Group Policy settings that you want them to receive through GPOs linked at the OU level. However, this does not protect you from an administrator (whether intentionally or accidentally) explicitly creating a computer object in the incorrect OU; this only protects you from applications or utilities that do not allow or do not require you to specify an OU when creating the computer.
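The following is an added example, not code from the original recipe: it parses wellKnownObjects values of the form used above, reports whether new computers default into an OU (where GPOs can be linked) or still into a plain container, and builds the delete/add value pair for the Delete and Add operations. The function names, the dc=example,dc=com domain, the OU=Workstations target and the sample values are assumptions made for the illustration.

```python
COMPUTERS_WKGUID = "AA312825768811D1ADED00C04FD8D5CD"  # GUID used in the recipe's script
HEX = set("0123456789abcdefABCDEF")

def parse_wko(value):
    """Split one value of the form 'B:<char count>:<hex GUID>:<DN>' into (guid, dn)."""
    tag, count, rest = value.split(":", 2)  # ValueError if fields are missing
    if tag != "B" or not count.isdigit():
        raise ValueError("not a DN-with-binary value: %r" % value)
    n = int(count)
    # Slice by the declared length so a colon inside the DN cannot confuse parsing.
    guid, sep, dn = rest[:n], rest[n:n + 1], rest[n + 1:]
    if len(guid) != n or not set(guid) <= HEX or sep != ":" or not dn:
        raise ValueError("malformed GUID or length prefix: %r" % value)
    return guid.upper(), dn

def computers_target(values):
    """Return the DN the Computers well-known GUID points to, or None."""
    for value in values:
        guid, dn = parse_wko(value)
        if guid == COMPUTERS_WKGUID:
            return dn
    return None

def is_redirected_to_ou(values):
    """True only when new computers default into an OU, where GPOs can be linked."""
    dn = computers_target(values)
    return dn is not None and dn.lower().startswith("ou=")

def redirect_values(values, new_parent_dn):
    """Build the (delete, add) values for the Delete and Add operations."""
    current = computers_target(values)
    if current is None:
        raise LookupError("no Computers entry in wellKnownObjects")
    prefix = "B:%d:%s:" % (len(COMPUTERS_WKGUID), COMPUTERS_WKGUID)
    return prefix + current, prefix + new_parent_dn

# Constructed sample values for a hypothetical domain dc=example,dc=com;
# the first GUID is a made-up placeholder, not a real well-known GUID.
SAMPLE = [
    "B:32:0123456789ABCDEF0123456789ABCDEF:CN=Other,DC=example,DC=com",
    "B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=example,DC=com",
]

if __name__ == "__main__":
    print(is_redirected_to_ou(SAMPLE))
    print(redirect_values(SAMPLE, "OU=Workstations,DC=example,DC=com"))
```

Run against an export of the domain object's wellKnownObjects values, a False result from is_redirected_to_ou means computers created without an explicit OU still land outside OU-linked Group Policy.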

See Recipe 8.14 for more information on how well-known objects are specified in Active Directory.

See Also

MS KB 324949 (Redirecting the Users and Computers Containers in Windows Server 2003 Domains)
