Rename "Users" OU

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I need to rename the "Users" OU to something else and then create a new OU
called "Users."

The issue is that an application MUST hold its accounts in the users OU, but
managing these accounts intermixed with domain users and and default accounts
is getting very muddy.

Are there any problems with renaming the OU (and leaving all the "normal"
domain accounts in the new OU) and recreating the OU just for the sake of the
application?

Thanks in advance!
 
By default the users container isn't an Organizational Unit but just a
container for objects. I don't know of a requirement as far as the SID is
concerned (There is no well known ID that I know of it), that doesn't mean
someone else might know of one though. As a matter of fact there is a best
practices on OU's by Microsoft, checkout the link below.

I would definitely make sure you have a container (or OU) available with the
name of users before you create a new user in your domain though unless
during your creation you specify a new container for it to be placed into.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324949


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thank you much!!

Paul Bergson said:
By default the users container isn't an Organizational Unit but just a
container for objects. I don't know of a requirement as far as the SID is
concerned (There is no well known ID that I know of it), that doesn't mean
someone else might know of one though. As a matter of fact there is a best
practices on OU's by Microsoft, checkout the link below.

I would definitely make sure you have a container (or OU) available with the
name of users before you create a new user in your domain though unless
during your creation you specify a new container for it to be placed into.

http://support.microsoft.com/default.aspx?scid=kb;en-us;324949


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.
Click to expand...
 
Actually the user's container has a Well known GUID. The SID is a security
identifier - containers are not security principals, so no SID.

--
Thanks,
Brian Desmond
Windows Server MVP

www.briandesmond.com
 
Fred-

You can actually have an OU called users alongside the users CN you're
speaking of. They're actually named differently (one being OU=users the
other being CN=users). My advice is a) not to tinker with the builtin object
(the users container) and b) to tell this app vendor to screw off and fix
their application.

--
Thanks,
Brian Desmond
Windows Server MVP

www.briandesmond.com
 
I'd like to tell them a bit more than that ( because of other issues ) but I
have to make it work.

Thanks for the input.
 
Hi,

I thought sure you could, since the relative distinguished names would be
cn=Users and ou=Users. However, when I tried Active Directory refused to
allow it. I think the issue might be the "fully qualified domain name of the
object", which would be identical.

I've created OU's and groups with the same name, but it fails if they have
the same "fully qualified domain name" (they are in the same location in
AD). This corresponds to the canonicalName attribute, which is a constructed
attribute. I don't see in the documentatino where this needs to be unique,
but it must be. For example, you can have as many users as you want with the
same common name, and thus the same RDN, as long as they are in different
containers/OU's.

I agree with Brian that the application developer should fix their
application.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

"Jorge de Almeida Pinto [MVP]"
 
I remembered this because in the following scenario. it won't work either!

root domain: ADCORP.LAN
child domain: CHILD.ADCORP.LAN

try to create an OU named CHILD in ADCORP.LAN

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
What am I thinking? Yes of course. This makes total sense.

Thanks Brian

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no rights.
 
It *is* possible to change both the Users container and the Computers
container in Active Directory to become OUs. However, I'd recommend against
it for a number of reasons I won't go into here. Additionally, I wouldn't
add users to the Users container, nor would I move any of the default
objects in the container out of it.

My favorite practice is to create a Top-level OU that has the same name as
the single-part domain name. For example, if I created a domain called
foo.com, I'd naturally create a Top-level container called Foo and use that
to place the users and sub containers. It makes scripting a bit easier as
well, since a call to RootDSE for the domain name returns the same name for
the container that most users are in - with a bit of adjustment ..

-ds
 
I'm with Dave on this one (BTW - hope you're doing well my friend), create
another "top" and don't use the built-in container (notice that it is a
container and not an OU) to group your users. If the application can't
handle it, set the developer straight. When it comes to design, the only
question you have to think about is how you want to work with your AD, not
how the managers/dev want it to look like in a ADUC perspective.

That's my 2 cents...

My 3rd cent...
DSA builds the hierarchy from the parent-child relationships (and also
provides APIs for access calls). And the Database layer provides the
abstraction layer (object view) and follow the parent references and
concatenates the successive RDN to form DN and thus define the hierarchy.

Regards,
/Jimmy
--
Jimmy Andersson, Principal Advisor - Q Advice AB
Microsoft MVP - Directory Services & Security
---------------- www.qadvice.com -----------------
 
I agree with you guys that an app DEV should create apps the right way....

However that is the perfect world and in this world my experience is like:
Company X bought an app Y that uses AD. The company also paid a crap load of
money for the app. The requirements of the app and its implementation suck
in such a way that you need to do stupid things to get it working.
Now you are the AD specialist (by the way you have hired as a consultant by
the company X) and you go like: no way! Fix the app first!
App vendor goed like: yeah yeah, next version....
Company X goes like: implement that app because we paid a crap load of money
for it and we don't care what you need to do to get it working

The "best app" I have ever seen is one that needed domain admin rights with
a prescribed user account and password

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
 
Nope incorrect, the RDN has to be unique outside of the rdn descriptor. The OU=
or CN= will not be used for the uniqueness check.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Move your domain users and default accounts (except the Exchange crap) out of
the cn=users to something else.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Back
Top