By default, users and computers will be placed in containers in AD. These containers don’t support the use of GPOs, which is one of the reasons to create OUs to hold the objects instead. To verify what the default user and computer container is, we’ll leverage PowerShell. First, we’ll check the computers container:

    PS C:\Users\Administrator> Get-ADDomain | select computerscont*

    ComputersContainer
    ------------------
    CN=Computers,DC=iselab,DC=local

Then, we’ll check the users container:

    PS C:\Users\Administrator> Get-ADDomain | select userscont*

    UsersContainer
    --------------
    CN=Users,DC=iselab,DC=local

Now, in my lab I have created two OUs, iselab users and iselab computers, where I want the user and computer objects to be placed:
We’re going to use some PowerShell to modify where the user and computer objects get placed, but first we’ll get the Distinguished Name (DN) of these OUs. To do this, we’ll first have to enable Advanced Features under View:
This will display some additional containers:
Now right-click the OU, such as iselab computers, and select Properties:
This will display the following window:
Now go to the Attribute Editor tab, double-click distinguishedName, then right-click the value and select Copy:
Then, we’ll use PowerShell to redirect to this OU:

    PS C:\Users\Administrator> redircmp "OU=iselab computers,DC=iselab,DC=local"
    Redirection was successful.

Let’s verify what the default OU is:

    PS C:\Users\Administrator> Get-ADDomain | select computerscont*

    ComputersContainer
    ------------------
    OU=iselab computers,DC=iselab,DC=local

Repeat the same process for users:

    PS C:\Users\Administrator> redirusr "OU=iselab users,DC=iselab,DC=local"
    Redirection was successful.

Let’s verify:

    PS C:\Users\Administrator> Get-ADDomain | select userscont*

    UsersContainer
    --------------
    OU=iselab users,DC=iselab,DC=local

That’s it! User and computer objects will now be placed in these OUs, and we’ll be able to leverage GPOs. This is needed when, for example, auto-enrolling users and computers in auto-enrollment services for certificates.
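
The steps above can be combined into one repeatable script. This is an added example, not part of the original walkthrough: it checks that each target OU exists before redirecting, confirms the change by re-reading the domain object, and lists objects still sitting in the old container, since redirection only affects where new objects are created. It assumes the ActiveDirectory module, a session with rights to run redircmp/redirusr, and the lab's OU names.

```powershell
# Added example: repeatable redirect of the default computer and user containers.
# Assumption: OU names are the ones used in this lab; adjust for your domain.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$base    = $domain.DistinguishedName
$targets = @(
    @{ Tool = 'redircmp'; Property = 'ComputersContainer'; OU = "OU=iselab computers,$base" }
    @{ Tool = 'redirusr'; Property = 'UsersContainer';     OU = "OU=iselab users,$base" }
)

foreach ($t in $targets) {
    $current = $domain.($t.Property)
    if ($current -eq $t.OU) {
        Write-Host "$($t.Property) already points at $($t.OU)"
        continue
    }

    # Stop before changing anything if the target OU does not exist.
    try {
        Get-ADOrganizationalUnit -Identity $t.OU -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "Target OU not found, skipping: $($t.OU)"
        continue
    }

    # Run redircmp / redirusr with the OU's distinguished name.
    & $t.Tool $t.OU

    # Verify by re-reading the domain object rather than trusting console output.
    $new = (Get-ADDomain).($t.Property)
    if ($new -ne $t.OU) {
        Write-Warning "$($t.Property) is still $new; redirection did not take effect"
        continue
    }
    Write-Host "$($t.Property): $current -> $new"

    # Existing objects are not moved and still sit where GPOs cannot be linked.
    # Review this list before moving anything: CN=Users also holds built-in
    # accounts such as Administrator, Guest and krbtgt.
    if ($t.Property -eq 'ComputersContainer') {
        Get-ADComputer -Filter * -SearchBase $current -SearchScope OneLevel |
            Select-Object Name, DistinguishedName
    } else {
        Get-ADUser -Filter * -SearchBase $current -SearchScope OneLevel |
            Select-Object SamAccountName, DistinguishedName
    }
}
```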