Where are new computer accounts placed by default?

Very short post on a tip that some may find useful or have forgotten about over the years.

Ever wanted to change the default container in which a new user object or computer object is created in Active Directory? Creating a new user object or joining a new computer to the domain will result in the object ending up in either the default CN=Users,DC=domain,DC=local container or the CN=Computers,DC=domain,DC=local container, respectively. Often I find that I want the default location to be an Organisational Unit (OU) where I have already linked some group policy objects. The default locations are not great, as they need manual intervention after each object is created to ensure it ends up in the correct OU from a GPO perspective.

Some readers may also be used to Windows Small Business Server (SBS) handling this automation, putting objects into the SBSComputers or SBSUsers paths.

To set this up the steps are really easy; we just use the redirect command on any Windows Domain Controller to perform the action for the whole domain. 

  1. Open the Command Prompt with Administrator elevation on any of your DCs.
  2. Change the directory: C:\> cd C:\Windows\System32\
If you want to set the default path for ‘User Objects’ then:
  • Run the command C:\> redirusr "OU=,DC=,DC=com"
If you want to set the default path for ‘Computer Objects’ then:
  • Run the command C:\> redircmp "OU=,DC=,DC=com"
Tips:
  • Make sure to use the quotation marks, as OU paths with spaces will make the command fail if you don’t surround them in quotes first.
  • These commands work on domains with Windows 2000 domain-function level or higher.
  • If you're unsure about an exact OU path, I find the easiest way to copy and paste the correct path is to enable Advanced Mode in the Active Directory Users & Computers MMC, right-click the OU of choice, select ‘Properties’, then select the ‘Attributes Editor’ tab. From here you will be able to see the distinguished name property for the OU; double-click it and copy the value to get the full valid path to the selected OU.

A: By default, new user and computer accounts are put in the predefined AD Users and Computers containers. Microsoft created these containers for interoperability with Windows NT 4.0 domains. When you upgrade a Windows domain from NT 4.0 to Windows 2000, Dcpromo puts all existing user accounts in the Users AD container and all existing computer accounts in the Computers AD container.

The Users and Computers containers aren't AD organizational units (OUs), so you can't link OU-level Group Policy Objects (GPOs) to them. You can, however, subject objects in the Users and Computers containers to domain-level and site-level GPOs. If you want to use OU-level GPOs for your user and computer objects, you must create proper AD OUs. If you do so, it's a good practice to change the default location for new user and computer objects. Changing the default location can be handy when, for example, you script the creation of AD accounts and you don't explicitly provide an AD location. To change the default location, use the Redirusr and Redircmp command-line utilities.

To change the default location of new user accounts to an OU named usersou in the contoso.com domain, use the following command:

redirusr ou=usersou,dc=contoso,dc=com

Before you run Redirusr or Redircmp you should make sure that the new default containers actually exist in AD. Also, to use Redirusr and Redircmp your domains must be at the Windows Server 2003 functional level—they can contain only Windows 2003 Domain Controllers (DCs), not Win2K or NT 4.0 DCs. When you change the default location, the DC with the PDC emulator Flexible Single-Master Operation role should be online. The default location changes are written to the wellKnownObjects attribute of the AD domain object on the PDC emulator.

When you join a machine to the domain, by default it will be placed in the Computers container under the root of the domain. This can be undesirable, particularly if you want to apply distinct Group Policy to machines when they are initially joined to the domain. Fortunately, Active Directory lets you change the default location for new Computer accounts. The best way to make this change is with the redircmp tool that is included with Windows Server. For example, to redirect new computers in the cohovines.com domain to an Organizational Unit called NewComputers, run this command:

redircmp "OU=NewComputers,DC=cohovines,DC=com"

Under the covers, the redircmp tool updates an attribute of the domain NC head object called wellKnownObjects. The wellKnownObjects attribute contains a list of well-known GUIDs and a distinguished name for each GUID. By using GUIDs, the path to an object can be dynamic without the client needing to be aware of anything other than the GUID for the object it is searching for. In this case, the aa312825-7688-11d1-aded-00c04fd8d5cd GUID is how Active Directory keeps track of the default location for new computer objects. You can use a tool like LDP to look at the wellKnownObjects attribute of the domain.
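As an added example (not from the original posts), the following Python code parses wellKnownObjects values in the B:32:<GUID>:<DN> string form that LDAP tools display, and reports whether the default user and computer locations are still CN= containers or have been redirected to an OU. The sample values are constructed for the cohovines.com domain, the users GUID is Microsoft's documented well-known GUID rather than one quoted on this page, and the function names are hypothetical.

```python
import re

# Well-known GUIDs for the default locations. The computers GUID is the one
# quoted in the text above; the users GUID is Microsoft's documented value.
WELL_KNOWN = {
    "AA312825768811D1ADED00C04FD8D5CD": "computers",
    "A9D1CA15768811D1ADED00C04FD8D5CD": "users",
}

def parse_wko(value):
    """Split one wellKnownObjects value 'B:<n>:<hex GUID>:<DN>' into (guid, dn)."""
    tag, count, guid, dn = value.split(":", 3)  # maxsplit: the DN may contain ':'
    if tag != "B" or not count.isdigit() or int(count) != len(guid):
        raise ValueError(f"not a DN-Binary value: {value!r}")
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", guid):
        raise ValueError(f"GUID is not 32 hex characters: {guid!r}")
    return guid.upper(), dn

def first_rdn_type(dn):
    """Attribute type of the leftmost RDN, e.g. 'CN' or 'OU'."""
    return dn.split("=", 1)[0].strip().upper()

def audit_defaults(values):
    """Return {role: (dn, gpo_linkable)} for the default user/computer locations."""
    report = {}
    for value in values:
        guid, dn = parse_wko(value)
        role = WELL_KNOWN.get(guid)
        if role:
            # Only an OU can have a GPO linked; CN= containers cannot.
            report[role] = (dn, first_rdn_type(dn) == "OU")
    return report

# Constructed sample: computers redirected with redircmp, users left at default.
SAMPLE = [
    "B:32:AA312825768811D1ADED00C04FD8D5CD:OU=NewComputers,DC=cohovines,DC=com",
    "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=cohovines,DC=com",
    # Another well-known entry (constructed); ignored by the audit.
    "B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=cohovines,DC=com",
]

if __name__ == "__main__":
    for role, (dn, linkable) in sorted(audit_defaults(SAMPLE).items()):
        status = "OU, GPOs can be linked" if linkable else "container, no OU-level GPOs"
        print(f"{role:9} -> {dn}  [{status}]")
```

A role reported as a container means newly created accounts of that type receive only domain-level and site-level GPOs until someone moves them.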

What are the default Windows accounts?

The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016. The DSMA is a well-known user account type. It's a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic.

Which of the following Active Directory containers are new computer accounts placed in by default?

If you are creating a new Active Directory domain, the Users and Computers containers are the default locations for all new user accounts and non-domain-controller computer accounts in the domain.

What is a computer placed into by default when it is joined to a domain?

In a default installation of an Active Directory domain, user, computer, and group accounts are put in CN=objectclass containers instead of a more desirable OU class container.

What is default OU in Active Directory?

The Default Domain Controllers OU is just one OU present when Active Directory is first installed. This OU is used to organize and administer the domain's domain controllers. Over time, the domain administrator can create an infinite number of OUs for the domain, but having too many OUs might make management difficult.