
Can I move all the computers in their AD container to an OU?

Jim 386 Reputation points
2024-10-10T20:37:01.02+00:00

I want to start using GPOs to manage the computers in our domain. I currently have ~40 computers in the "Computer" container in AD. I would like to simply select them all and right click and move them to an OU I created called "Client Computers". Should I be concerned about any major issues I might encounter? I have moved a couple with no issues.

The only thing I can find that it affects are Group Policies, but that would be moving them in the other direction as far as I can tell.

These are the things to consider that I found:

  1. Group Policies: Moving computers to an OU allows you to apply Group Policies (GPOs) specifically to that OU. This is beneficial for managing settings and configurations for the computers.
    1. What I want anyway.
  2. Protected Objects: The default CN=Computers container is a system-protected object. If you redirect the CN=Computers container to an OU, it will no longer be protected, meaning it can be moved, deleted, or renamed.
    1. I am the only person that does anything with AD; nobody else has rights. Plus, as it is now I can just right click on any computer in the container and delete it there. So I don't know where this "protection" is.
  3. Dependencies: Ensure that no applications or services rely on the computers being in the default CN=Computers container. Some applications may have dependencies on specific security principals being located in default containers.
    1. This is a simple setup. 2 DCs, one of which is a file server for about 250 GB of files. About 40 user accounts. No apps.
  4. Accidental Deletion: Be cautious, as moving objects to an OU makes them subject to accidental deletions by privileged users, including administrators.
    1. Again, I fail to see the difference. Are they referring to the actual OU and not the contents? I assume I can just go into the Advanced Settings and mark it as "Protect object from accidental deletion." Which I have.

Thanks for any advice.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory

2 answers

  1. Yanhong Liu 14,325 Reputation points Microsoft External Staff
    2024-10-14T02:14:26.4066667+00:00

    Hello

    Thank you for posting in Q&A forum.

    Mobile computers generally have the following risks.

    1. GPO

    If you have any policy linked to this OU and applied to this computer, you need to link the policy to the new OU after you remove the computer.

    2. Security rights

    If you set some rights for this OU to limit user access, you should change the OU's rights after you remove the computer.

    3. App binding

    There may be some apps that get computer info by searching this OU. If you have this setting, you should change this setting.

    Best regards

    Yanhong

    =====================================

    If the answer is helpful, please click "Accept answer" and upvote it


  2. Marcin Policht 86,845 Reputation points MVP Volunteer Moderator
    2024-10-10T21:25:53.3466667+00:00

    Your understanding of the considerations when moving computers from the default CN=Computers container to an OU like "Client Computers" is solid. Here’s a summary of key points and clarifications to help you decide:

    1. Group Policies: Moving the computers to an OU is beneficial for applying GPOs tailored specifically to those systems. Since your goal is to manage the computers using GPOs, this move aligns with your intention. There’s no concern as long as the GPOs you need are applied correctly to the "Client Computers" OU.
    2. Protected Objects: The CN=Computers container is system-protected, but as you pointed out, it doesn't provide significant protection from changes like deletions—admins with the right permissions can delete objects there too. The "protection" is more about the container’s static role in the system. Moving the computers to an OU allows more flexibility and targeted GPO application, so this shouldn't be a concern in your environment.
    3. Dependencies: In simple environments (like yours with no complex apps or services tied to security principals in the default container), there are typically no issues with moving computers to an OU. For advanced setups, some apps might hardcode dependencies on the CN=Computers container, but this doesn’t apply in your case.
    4. Accidental Deletion: You’re correct. The concern here is mainly about the OU itself being deleted, which could affect all contained objects. However, you can set the OU as protected from accidental deletion (as you’ve already done), and this protection extends to its contents. So, this risk is mitigated.

    In general, you shouldn’t face any issues when moving the computers to the "Client Computers" OU. The key is to ensure that GPOs are applied as expected and to verify no critical applications rely on the default container (which doesn’t seem to be the case in your setup). You've taken the right precautions by protecting the OU from accidental deletion.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

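The bulk move both answers describe, as an added PowerShell example (not code from either poster or from Microsoft): it protects the target OU from accidental deletion first, previews the move with a dry-run switch, clears any per-object deletion protection that would make Move-ADObject fail, and then confirms the container is empty. The domain name is read from the directory; "Client Computers" is the OU named in the question, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original thread): move every computer object out of
# the default CN=Computers container into the "Client Computers" OU safely.
# Assumes the RSAT ActiveDirectory module and a domain-admin session.
Import-Module ActiveDirectory

$DryRun   = $true                                   # set to $false to apply
$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=contoso,DC=local (placeholder)
$sourceDN = "CN=Computers,$domainDN"
$ouName   = "Client Computers"
$targetDN = "OU=$ouName,$domainDN"

# 1. Make sure the target OU exists and is protected from accidental deletion.
#    Deleting the OU is the real "accidental deletion" risk; protecting it blocks that.
try {
    $ou = Get-ADOrganizationalUnit -Identity $targetDN -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
} catch {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true -PassThru
}
if (-not $ou.ProtectedFromAccidentalDeletion) {
    Set-ADOrganizationalUnit -Identity $targetDN -ProtectedFromAccidentalDeletion $true
}

# 2. Enumerate only the direct children of CN=Computers. Domain controllers live in
#    OU=Domain Controllers, so they are never touched by this search.
$computers = Get-ADComputer -SearchBase $sourceDN -SearchScope OneLevel -Filter * `
             -Properties ProtectedFromAccidentalDeletion
Write-Host ("Found {0} computer(s) in {1}" -f $computers.Count, $sourceDN)
$computers | Select-Object Name, Enabled, ProtectedFromAccidentalDeletion | Format-Table -AutoSize

# 3. Move each object. An object flagged ProtectedFromAccidentalDeletion cannot be
#    moved (the deny ACE blocks it), so clear the flag first and restore it afterwards.
foreach ($c in $computers) {
    if ($c.ProtectedFromAccidentalDeletion) {
        Set-ADObject -Identity $c.DistinguishedName -ProtectedFromAccidentalDeletion $false -WhatIf:$DryRun
    }
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $targetDN -WhatIf:$DryRun
    if ($c.ProtectedFromAccidentalDeletion -and -not $DryRun) {
        Set-ADObject -Identity "CN=$($c.Name),$targetDN" -ProtectedFromAccidentalDeletion $true
    }
}

# 4. Verify: the source container should now be empty and the OU populated.
if (-not $DryRun) {
    $left  = @(Get-ADComputer -SearchBase $sourceDN -SearchScope OneLevel -Filter *).Count
    $moved = @(Get-ADComputer -SearchBase $targetDN -SearchScope OneLevel -Filter *).Count
    Write-Host "Remaining in CN=Computers: $left ; now in '$ouName': $moved"
}
```

After the move, run `gpupdate /force` and then `gpresult /scope computer /r` on one of the clients to confirm that the GPOs linked to the new OU are the ones being applied.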
