Verify redirected Computers container in Active Directory

By | August 21, 2011

How to see if the default location for new computer accounts has been changed in an Active Directory domain.

Ever since Windows 2003 it has been a best practice to redirect the default location for new computer accounts in the domain. Every new AD domain always starts with the default setting of using CN=Computers, DC=Domain, DC=Com for non-prestaged computers joining the domain. In this article we will look at how to see the actual setting after the change, which has not been very straightforward.

Since the original “Computers” container is not a real Organizational Unit and cannot have any directly linked Group Policy objects, it is often recommended to create a more suitable OU and use the redircmp command to change the location. The domain must be at Windows 2003 Domain Functional Level or higher for this to succeed.

Redirecting the computers container

(An interesting fact is that this command must connect to the domain controller holding the PDC Emulator FSMO role to commit the write. If the PDC Emulator is not reachable for any reason, the change will not go through.)

Unfortunately, redircmp has no report mode to show the actual setting later on, which can be important to know when coming to a new Active Directory environment.

For Windows 2003 and Windows 2008 domains you could verify the actual setting by using either ADSIEDIT (2003) or the ordinary Users and Computers tool (only 2008). If using Windows Server 2008 just select the “Advanced Features” option in the View menu.

Connect to the domain root, select Properties on the domain name and find an attribute called “WellKnownObjects”. The value can be quite long, but look for an entry starting with B:32:AA31. At the end of the hexadecimal numbers you will find the location for new computer accounts, see above. It is, however, somewhat cumbersome and not very intuitive.

If using Windows Server 2008 R2, this is much simpler with the Active Directory module for PowerShell. Just open a PowerShell prompt and use the following command line to verify the location:

Get-ADDomain | select computerscont*

As seen above, the output from the command is very clear and much easier to work with than in earlier versions.
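
The WellKnownObjects lookup described earlier can also be scripted, which is useful where only the raw attribute is available. The following is an added example, not part of the original article: the function name Get-ComputersContainerFromWko, the example.com names and the sample values are constructed, and AA312825768811D1ADED00C04FD8D5CD is the full well-known GUID behind the B:32:AA31 prefix.

```powershell
# Constructed sample values in the attribute's format: B:32:<32 hex characters>:<DN>.
# On a live domain the same list could be read with the Active Directory module:
#   (Get-ADObject (Get-ADDomain).DistinguishedName -Properties wellKnownObjects).wellKnownObjects
$sampleValues = @(
    'B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=example,DC=com',
    'B:32:AA312825768811D1ADED00C04FD8D5CD:OU=Workstations,OU=Corp,DC=example,DC=com',
    'B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=example,DC=com'
)

function Get-ComputersContainerFromWko {
    # Hypothetical helper: finds the Computers entry and reports whether it was redirected.
    param(
        [Parameter(Mandatory)] [string[]] $WellKnownObjects,
        [Parameter(Mandatory)] [string]   $DomainDN
    )
    $computersGuid = 'AA312825768811D1ADED00C04FD8D5CD'   # well-known GUID for the Computers container

    foreach ($value in $WellKnownObjects) {
        # Split into exactly four fields so that colons inside the DN are left alone.
        $parts = $value -split ':', 4
        if ($parts.Count -ne 4 -or $parts[0] -ne 'B') { continue }   # skip malformed entries
        if ($parts[2] -ne $computersGuid) { continue }               # not the Computers entry

        $dn = $parts[3]
        [pscustomobject]@{
            ComputersContainer   = $dn
            # Still the default if it points at CN=Computers directly under the domain root.
            IsDefault            = ($dn -eq "CN=Computers,$DomainDN")
            # Only a real OU can have Group Policy objects linked to it.
            IsOrganizationalUnit = ($dn -like 'OU=*')
        }
        return
    }
    throw 'No Computers entry (B:32:AA31...) found in the supplied values.'
}

Get-ComputersContainerFromWko -WellKnownObjects $sampleValues -DomainDN 'DC=example,DC=com'
```

With the constructed sample, the result shows the redirected OU with IsDefault set to False; a domain that was never redirected would return CN=Computers under the domain root with IsDefault set to True.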
