How to see if the default location for new computer accounts has been changed in an Active Directory domain.
Ever since Windows 2003 it has been a best practice to redirect the default location for new computer accounts in the domain. Every new AD always domain starts with the default setting of using CN=Computers, DC=Domain, DC=Com for non prestaged computers joining the domain. In this article we will look at how to see the actual setting after the change, which has not been very straightforward.
Since the original “Computers” container is not a real Organizational Unit and can not have any directly linked Group Policy objects it is often recommended to create a more suitable OU and using the redircmp command to change the location. The domain must be in Windows 2003 Domain Functional Level or higher for this to succeed.
(An interesting fact is that this command must connect to the domain controller holding the PDC Emulator FSMO role to commit the write. If the PDC Emulator is non reachable for any reason the change will not go through.)
Unfortunately the redircmp has no report mode to see the actual setting later on, which can be important to know when coming to a new Active Directory environment.
For Windows 2003 and Windows 2008 domains you could verify the actual setting by using either ADSIEDIT (2003) or the ordinary Users and Computers tool (only 2008). If using Windows Server 2008 just select the “Advanced Features” option in the View menu.
Connect to the domain root, select Properties on the domain name and find an attribute called “WellKnownObjects“. The value can be quite long, but look for an entry starting with B:32:AA31. At the end of the hexadecimal numbers you will find the location for new computer accounts, see above. It is however somewhat cumbersome and not very intuitive.
If using Windows Server 2008 R2 it is much simplified by using the Active Directory Modules for Powershell. Just open a Powershell prompt and use the following command line to verify the location:
Get-ADDomain | select computerscont*
As seen above the output from the command is very clear and much more easy to work with than earlier versions.
thank you for your information!
hi
do you know if i want to move some computers to a ou and other computers to another ou how can i do that?
for example move clients to “client ou” and move all servers in “server ou” Automaticly.
Hello,
there is unfortunately no built-in way to do that, but it is possible to write a script that looks at the computer names of new joined objects and move them to the correct OU. Then schedule this script to run like every five minutes.
Regards, Rickard
thanks so much