If you create user or computer objects programmatically and do not specify a target OU, the objects will be created in their default container. Also, whenever you join a new computer to the domain the computer object will always be created in the default Computers container, unless you pre-stage the computer object in an OU.
It's important to note that the Computers and Users containers are just that, containers. They are not OUs. Consequently, you cannot apply Group Policy objects directly to these containers. These containers will, however, inherit GPOs from parent objects, such as the Default Domain Policy.
A lot of my customers have large OU structures where user and computer objects are always placed in specific OUs so that the objects get the correct GPOs. Typically, the default Users and Computers containers are empty for these customers. Even so, user or computer objects will sometimes be created in the default containers for various reasons. This can cause problems for these objects because GPOs are not applied correctly.
Here's how to change the default container that Active Directory will use for new user and computer objects:
- Log into a Domain Controller (Windows Server 2003, 2008 or 2008 R2) as a Domain Admin
- Open a CMD prompt
- To change the default container for user objects, enter:
where Container-DN is the distinguished name of the container that will become the default location for newly created user objects.
ReDirUsr "OU=Managed Users,DC=mydomain,DC=com"
- To change the default container for computer objects, enter:
where Container-DN is the distinguished name of the container that will become the default location for newly created computer objects.
Please note that the domain functional level must be at least Windows Server 2003 for these commands to work.
ReDirCmp "OU=Managed Computers,DC=mydomain,DC=com"