Question about active directory and joining a new server

Ted Mittelstaedt 46 Reputation points
2022-06-13T07:48:26.64+00:00

OK I am sorry if this seems a bit newbie but here goes.

I have an existing Active Directory domain, and I built a new Windows Server on another box then joined it to the domain at the server console. By default it goes into the Active Directory foo.com\Computers OU. It also becomes a member of the group Domain Computers foo.com/Users.

Now, I can go into the Active Directory Users and Computers interface on the domain controller and move it from the foo.com\Computers OU to the foo.com\Servers OU. However, I notice when I do this that the server's group membership is not changed from foo.com\Domain Computers foo.com/Users. That is, from a security perspective it is still treated in the GPO as a workstation. So, any GPOs (such as disable USB mass storage access) that are intended to apply to workstations are also still applied to it.

To get it in there, on the Domain Controller I can go into the properties of the server object for that server and add the group membership to the Servers group in the Member Of tab - but if I then go to the new server, even doing a gpupdate /force, it still gets all the GPOs that apply to the workstations. I have to unjoin it, then rejoin it to get the server to actually figure out what security groups it's supposed to be in.

I am wondering if this is normal? It seems sort of dumb to me that moving a server from the Computers OU to the Servers OU does not change the actual groups the server is part of and instead you have to do a separate operation of going into the properties of the server and changing the groups in the Member Of tab.


Accepted answer
  1. Anonymous
    2022-06-13T14:06:54.223+00:00

    There is no built-in Servers OU, maybe something someone added. Are you trying to promo a new domain controller?


1 additional answer

  1. Ted Mittelstaedt 46 Reputation points
    2022-06-13T16:04:19.363+00:00

    Arg!!! My bad!!!!! OMG!!!!

    I'm dealing with an old, old directory that I suspect originated back in 2003 Server days or possibly earlier. I distinctly recall raising the AD level to 2008R2 years ago when I set up an Exchange 2016 server for them.

    You are absolutely right, in a brand new domain (2012R2 or later, at least) the only default GPO OUs under a domain are

    Domain Controllers
    Microsoft Exchange Security Groups (if Exchange is installed)
    Group Policy Objects
    WMI Filters
    Starter GPOs

    And the default groups in AD Users and Computers are

    Builtin
    Computers
    Domain Controllers
    ForeignSecurityPrincipals
    Managed Service Accounts
    Microsoft Exchange Security Groups (if Exchange is present)
    Users

    At least, as far as 2012R2 and above revisions go. I just checked with 2 other new directories I set up and they are the same.

    I guess I've been so used to looking at Active Directories that have had an SBS server on them at some point in the past that it didn't occur to me to even do a baseline check against a "normal, modern" directory. Sigh.

    SBS dumps tons of objects into the AD and if you start out with an SBS server - as many small customers did - you get a plethora of OUs in the Active Directory as well as a plethora of conditional GPOs. This directory is lacking the characteristic SBS workstation OUs - maybe someone moved those OUs up to the root of the tree - but it has dozens of different OUs that are not present in newer directories. There is NO institutional documentation on file as to where any of these came from, whether an SBS server was on the network at one time, or whether they existed from the very beginning or whether someone just added something thinking it was a good idea.

    I AM quite positive that NONE of the prior system admins had a high enough skill level to do this save one person, and that one I am positive wouldn't have gone hog wild like was done here. Possibly back in the past when you set up a brand new Server 2003 Domain out of the box Microsoft created all of these OUs? I've been involved/sucked into Windows Server/Directory system admin since NT4 days - mostly unwillingly back in the early days since early Windows Server was such a piece of dung (it's got better over the years) - but I can't recall what an out-of-box factory setup of a 2003 Server AD looks like.

    In this directory there have been at least 7 prior system admins who have been mucking about in there. It's a 2008R2 level domain that didn't even have USB mass storage GPOs in it, so one of the prior admins imported an administrative template into the PDC for USB - which is still a 2008R2 server that I've been working to get rid of. There has been little institutional knowledge transfer on the AD at this site although they have been very good at retaining information for other IT aspects.

    So, thank you for the tip! This one is obviously one of those Wild West, "there be dragons" directories, and I can see there will be many gopher holes to avoid stepping into in the future.

    What I was trying to do with this one is turn off the effects of a "USB mass storage disable" GPO that one of the prior admins had added. He tied it to the OU group named "Computers" which all computers - whether workstations or servers - just automatically add themselves to when they are joined to the domain. As a result it makes it impossible to stick a USB thumb drive in any machine. Adding this was a knee-jerk reaction to a virus infection they got years ago, and the admin -tried- to make it selectable, as he added 2 separate GPOs, an "on" and an "exempt" one. (Apparently GPO security filtering was not a thing to him.) However it's -never- been selectable that I know of. This is normally not an issue but it became an issue when you are trying to run a backup of a server to a hard disk in a USB dock - which of course is a USB mass storage device and thus disabled. I'm used to stumbling into sheep piles when troubleshooting so this is just another one. Once I figured out what was going on it was easy to fix.

    They have not had issues in the past promoing DCs. One thing that MS did right with the dcpromo wizard is that when you do a dcpromo Microsoft strips all membership in oddball OUs out of the server and puts it into the Domain Controllers group and GPOs. So as long as you run it as a Domain Admin you are gold even if you have a screwy directory.
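The confusion in both the question and the follow-up comes from two separate things: where the computer object sits (its container or OU, which decides which GPO links reach it) and which security groups it belongs to (which only matters for GPO security filtering, and which the machine picks up in its own logon token at the next reboot rather than needing an unjoin/rejoin). The following audit script is an added example, not code from the original thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules and a caller who can read the domain, and `$ComputerName` is a placeholder.

```powershell
# Added example (not from the original thread): report where a computer object lives,
# which groups it belongs to, and which GPOs are linked along its OU chain and to whom
# they apply. Assumes RSAT ActiveDirectory + GroupPolicy modules; $ComputerName is a placeholder.
param([Parameter(Mandatory)][string]$ComputerName)

Import-Module ActiveDirectory
Import-Module GroupPolicy

$c = Get-ADComputer -Identity $ComputerName -Properties MemberOf, PrimaryGroup

# The object's parent is everything after its own RDN (CN=<name>,...).
$parent = ($c.DistinguishedName -split ',', 2)[1]

[pscustomobject]@{
    Computer     = $c.Name
    Parent       = $parent
    # "Domain Computers" by default; this comes from primaryGroupID, not from memberOf,
    # which is why it does not show up (or change) when the object is moved between OUs.
    PrimaryGroup = $c.PrimaryGroup
    MemberOf     = ($c.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
}

# Scopes that can carry GPO links: every OU above the object, then the domain itself.
# CN= containers such as CN=Computers cannot have GPOs linked to them, so they are skipped.
$parts  = $parent -split ',(?=(?:OU|CN|DC)=)'
$scopes = @()
for ($i = 0; $i -lt $parts.Count; $i++) {
    if ($parts[$i] -like 'OU=*') { $scopes += ($parts[$i..($parts.Count - 1)] -join ',') }
}
$scopes += (Get-ADDomain).DistinguishedName

# Listed from the closest OU outward; the closest link wins on conflicting settings
# unless an outer link is Enforced.
foreach ($scope in $scopes) {
    $inh = Get-GPInheritance -Target $scope
    foreach ($link in $inh.GpoLinks) {
        [pscustomobject]@{
            Scope     = $scope
            Gpo       = $link.DisplayName
            Enabled   = $link.Enabled
            Enforced  = $link.Enforced
            # Security filtering: principals holding "Apply group policy" on the GPO.
            # "Authenticated Users" (the default) means every computer under the scope gets it.
            AppliesTo = (Get-GPPermission -Guid $link.GpoId -All |
                         Where-Object { $_.Permission -eq 'GpoApply' } |
                         ForEach-Object { $_.Trustee.Name }) -join '; '
        }
    }
}
```

Run it against the server before and after moving the object or changing its groups, then reboot the server (so its machine token carries the new group SIDs) and compare with `gpresult /r /scope:computer` on the box itself.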

