How to create a container under Users in AD Users and Computers

Thread starter: Guest

Hello,

It sounds like a stupid question, but I am not familiar with AD management. I
want, in the Active Directory Users and Computers MMC, to create containers under
the default Users container, so that I am able to categorize the users and
contacts by their functions and other characteristics.

Any idea?

Many thanks.
 
Pakeon said:
Hello,

It sounds like a stupid question, but I am not familiar with AD management. I
want, in the Active Directory Users and Computers MMC, to create containers under
the default Users container, so that I am able to categorize the users and
contacts by their functions and other characteristics.

Any idea?

I think someone said that the Users container can be modified, but
generally it is better practice to just create your own OU structure for
categorizing users according to how you will Delegate Authority
or Link GPOs.

The user container is not an OU and so (at least by default) cannot
have child OUs or have linked GPOs.
 
But there do exist some folders, for example HDQ and AGENT, under the Users
container. They were created earlier by someone else for organizing contacts.
Now I want to create one more folder of that kind for other contacts. Do you
have any idea?

Thanks in advance.
 
Pakeon said:
But there do exist some folders, for example HDQ and AGENT, under the Users
container. They were created earlier by someone else for organizing contacts.
Now I want to create one more folder of that kind for other contacts. Do you
have any idea?

Then perhaps someone has modified this AD to allow that.

What happens when you right-click and choose NEW?
Can you see NEW OU?
 
When I right-click on the Users container and choose New, there is no NEW OU in
the context menu. Only COMPUTER, CONTACT, GROUP, PRINTER, USER, SHARED FOLDER
are there.
 
I'm guessing they used ADSIEdit; if I remember correctly, you can create a
container in the "Users" container via this utility. I wouldn't recommend
that though. I would go and create a new OU at the root of your domain, as
Herb mentioned, and create your OU tree structure under that new OU.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
ADUC will not allow you to create containers; you need to use some other
LDAP-based tool like LDP or ADSIEDIT or various command-line tools.

As Herb mentioned, you generally don't want to use containers because
you can't apply group policy to them which is 50% of the good reasons
for building out a hierarchy. The other 50% of the good reasons is for
security delegation.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Well. The Users and Computers containers are not the same as an
organizational unit (OU). The only reason for having them is because of
backward compatibility with a legacy API and to have a place to put users and
computers during an in-place upgrade of an NT 4.0 Domain to Windows 2000 AD
or Windows Server 2003 AD. These containers aren't meant for any other usage.

New computer accounts that are joined to the particular domain end up
within the Computers container, but that isn't a preferred location since
containers can't have Group Policies linked/applied and the next level to
define policies is the domain root. This can be changed if running Windows
Server 2003 Domain Functional Level. (See
http://support.microsoft.com/kb/324949)

Using other tools like ADSIEdit, or binding to the directory with whatever you
want, makes it possible to create other objects within the Users and
Computers containers, like another child container, however not an
Organizational Unit. That is because it's not an allowed child object of the
class "containers" within the Active Directory default schema. This can be
changed, however, but I don't recommend it as long as there is no really good
reason for doing so. The way to go in that case is to modify the
possibleSuperior attribute that contains a list of allowed classes as a
child object of the particular class.

--
Regards
Christoffer Andersson
Executive Consultant - TrueSec
Microsoft MVP - Directory Services
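
Added example, not part of any post in this thread: a read-only PowerShell check of the points discussed above, using the RSAT ActiveDirectory module. It shows which parent classes the schema allows for an OU, lists the child containers already sitting under the Users container, and previews creating an OU at the domain root instead. The OU name `Staff` is a hypothetical placeholder, and `-WhatIf` means nothing is changed.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$usersCn  = $domain.UsersContainer                 # DN of the default Users container
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# 1. Which classes may be the parent of an organizationalUnit?
#    If "container" is not listed, an OU cannot be created under CN=Users.
$ouClass = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=organizationalUnit)' `
    -Properties possSuperiors, systemPossSuperiors
$parents = @($ouClass.possSuperiors) + @($ouClass.systemPossSuperiors) |
    Where-Object { $_ } | Sort-Object -Unique
"organizationalUnit may be created under: $($parents -join ', ')"
"container allowed as parent: $($parents -contains 'container')"

# 2. Child containers someone already created directly under Users
#    (the HDQ / AGENT style folders), with a count of what each one holds.
$children = Get-ADObject -SearchBase $usersCn -SearchScope OneLevel `
    -LDAPFilter '(objectClass=container)'
foreach ($c in $children) {
    $count = @(Get-ADObject -SearchBase $c.DistinguishedName `
        -SearchScope OneLevel -Filter *).Count
    '{0}  ({1} objects)' -f $c.DistinguishedName, $count
}

# 3. Preview the recommended alternative: an OU at the domain root, which can
#    take GPO links and delegated permissions. 'Staff' is a hypothetical name.
$ouName = 'Staff'
New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName `
    -ProtectedFromAccidentalDeletion $true -WhatIf
```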
 
The only reason for having them is because of
backward compatibility with a legacy API ...
These containers aren't meant
for any other usage.

That really isn't accurate. Containers are used all over AD; it has
nothing to do with legacy API stuff. It is accurate though that by
default users/computers were placed into containers due to the inability
of GPOs to apply to them, but I am not sure that actually made much sense.







--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

 