Hide containers in Active Directory

May 30, 2011

How to hide unwanted default containers from the Users and Computers tool.

A new installation of Windows Active Directory comes with several default containers, as seen to the left in the picture above. These default containers make the directory look a bit messy right from the start, and when you begin to add your own OUs (organizational units) it gets worse. The clutter of containers and OUs in the root of the domain makes the resources harder to survey and lowers the "administrative experience" somewhat.

In this post I will show you an easy way to make Active Directory look tidier when administered with the ordinary Users and Computers tool (see the picture to the right for a "cleaned" default AD) without actually deleting anything.

The key point is that almost none of the default containers are used for the daily administration of Active Directory, so there is no real point in always displaying them. As you may be aware, there are many more containers by default, but they are only visible when "Advanced Features" is selected on the View menu. These "hidden" containers are the kind we rarely need to touch, and Microsoft has decided that we do not need to see them every day. The question is what determines whether an object is always visible or only in the Advanced view.

The answer is an attribute available on all objects, "showInAdvancedViewOnly", which can be TRUE or FALSE (when it is not set at all, which is the default for most objects, the object is shown). By setting this attribute we can remove more containers from the normal view in Users and Computers. The option has been available since Windows 2000 but is not widely known.

In Windows 2000 and Windows 2003 we had to use ADSIEDIT from the Support Tools to change this attribute, but in Windows Server 2008 Users and Computers has the "Attribute Editor" tab on every object, available when the Advanced Features view is selected.

So which containers could be made invisible?

Builtin: Home of several default domain local groups such as Account Operators, Backup Operators, Event Log Readers, Guests and Server Operators, among many others. These are very rarely changed and not needed on a daily basis, so the container can very well be hidden. If we need to modify the memberships we can simply turn on Advanced Features and edit the groups.

ForeignSecurityPrincipals: This container holds placeholder objects for security principals from trusted external domains (and for a number of well-known SIDs), and it will rarely, if ever, be modified directly by administrators. It can be hidden.

Users: Despite the name, no ordinary user accounts should be created in this container; it holds the built-in Administrator, Guest and krbtgt accounts and, more importantly, groups such as Domain Admins, Enterprise Admins and Schema Admins. Membership of those groups should change very rarely, and editing it is an advanced operation that is suited to the Advanced view only. Note that tools which do not specify a target location (net user /add, for example) still create accounts here unless the default has been redirected with redirusr, the counterpart of the redircmp command mentioned below.

Managed Service Accounts: Exists only once the forest has the Windows Server 2008 R2 schema, and is used for managed service accounts, which give services better and more secure account handling. Even if it is used, it is not needed for daily administration.

Computers: Default location for computers joined to the domain. It is highly recommended to use the redircmp command (available at domain functional level Windows Server 2003 or higher) to redirect new computer accounts to a real OU, which unlike a container can have Group Policy linked to it. Once that is done and the existing computer accounts have been moved away, this container is no longer needed and should be hidden.

So just use the Attribute Editor tab on each of these containers and set "showInAdvancedViewOnly" to TRUE, then turn off Advanced Features on the View menu to get a very clean Active Directory. Bear in mind that this is purely cosmetic: the attribute only controls what Users and Computers displays. The containers and their contents remain fully visible to LDAP queries, PowerShell, ADSI Edit and every other tool, and nothing about their permissions changes, so it is a tidiness measure, not a security control.

This only needs to be done once per container, since the attribute is replicated with normal Active Directory replication like any other attribute.
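As an added example that is not part of the original post, here is the same procedure in PowerShell with the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), which is handy when you have several domains or want the change scripted and verified. It adds the checks a practitioner would want before hiding CN=Computers: that redircmp has actually been run (the ComputersContainer property of Get-ADDomain then no longer points at CN=Computers) and that the container is empty. The OU name OU=Workstations is an assumption for the illustration, and Set-ContainerHidden is a helper function written here, not a cmdlet of the module.

```powershell
# Added example, not from the original post: hide the default containers with the
# ActiveDirectory module instead of clicking through Attribute Editor, and run the
# checks an administrator would want before hiding CN=Computers.
# Assumes RSAT / the ActiveDirectory module (Windows Server 2008 R2 or later) and
# an account with write access to the attribute on these containers.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

function Set-ContainerHidden {
    param(
        [Parameter(Mandatory = $true)] [string] $DistinguishedName,
        [bool] $Hidden = $true
    )
    # These are containers (Builtin is even a builtinDomain object), not OUs, so
    # the generic Get-ADObject/Set-ADObject cmdlets are used.
    try {
        $obj = Get-ADObject -Identity $DistinguishedName `
                   -Properties showInAdvancedViewOnly -ErrorAction Stop
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # e.g. 'Managed Service Accounts' is absent before the 2008 R2 schema update
        Write-Warning "$DistinguishedName does not exist, skipping"
        return
    }
    if ($Hidden) {
        Set-ADObject -Identity $obj -Replace @{ showInAdvancedViewOnly = $true }
    } else {
        # Clearing the attribute restores the default: not set means shown.
        Set-ADObject -Identity $obj -Clear showInAdvancedViewOnly
    }
}

# Containers that are safe to hide right away.
foreach ($cn in 'Builtin', 'ForeignSecurityPrincipals', 'Users', 'Managed Service Accounts') {
    Set-ContainerHidden -DistinguishedName "CN=$cn,$domainDN"
}

# CN=Computers: hide it only after redircmp has pointed new joins elsewhere and the
# container is empty. The OU name is an assumption; use your own.
$computersOU = "OU=Workstations,$domainDN"
if ($domain.ComputersContainer -eq "CN=Computers,$domainDN") {
    Write-Warning "New computer accounts still land in CN=Computers. Run: redircmp `"$computersOU`""
} elseif (Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel -ResultSetSize 1) {
    Write-Warning "CN=Computers still contains computer accounts; move them before hiding it."
} else {
    Set-ContainerHidden -DistinguishedName "CN=Computers,$domainDN"
}

# Audit: everything directly under the domain root and whether it is hidden.
# Note that this query (like any LDAP client) still returns the hidden objects;
# the attribute only affects the Users and Computers display.
Get-ADObject -SearchBase $domainDN -SearchScope OneLevel -Filter * `
    -Properties showInAdvancedViewOnly |
    Select-Object Name, ObjectClass, @{ n = 'Hidden'; e = { [bool]$_.showInAdvancedViewOnly } } |
    Sort-Object Hidden, Name |
    Format-Table -AutoSize

# To undo for one container:
# Set-ContainerHidden -DistinguishedName "CN=Users,$domainDN" -Hidden $false
```

The undo path clears the attribute rather than writing FALSE, which returns the object to its original, unset state; both are displayed by Users and Computers, but clearing leaves no trace of the change.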

When adding your own organizational units, as in the example above, you then have a directory structure with a good, clear overview of your resources, and when you need to change any of the advanced options you simply enable Advanced Features again.
