Administration of Default Containers and OUs
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Every Active Directory domain contains a standard set of OUs and containers that are created during the installation of Active Directory. These include the following:
Domain container, which serves as the root container to the hierarchy.
Builtin container, which holds the default service administrator accounts.
Users container, which is the default location for new user accounts and groups created in the domain.
Computers container, which is the default location for new computer accounts created in the domain.
Domain Controllers OU, which is the default location for the computer accounts of domain controllers.
The forest owner controls these default OUs and containers.
Figure 2.38 shows the default containers and OUs in a standard Active Directory domain. For more information about resource OUs, see "Creating Resource OUs" later in this chapter.
Figure 2.38 Default Containers and OUs in an Active Directory Domain
The domain container is the root container of the hierarchy of a domain. Changes to the policies or the ACL on this container can potentially have domain-wide impact. Do not delegate control of this container; it must be controlled by the service administrators.
Users and Computers Containers
When you perform an in-place domain upgrade from Windows NT 4.0, existing users and computers are automatically placed into the Users and Computers containers. If you are creating a new Active Directory domain, the Users and Computers containers are the default locations for all new user accounts and non-domain controller computer accounts in the domain.
If you need to delegate control over users or computers, do not modify the default settings on the Users and Computers containers. Instead, create new OUs as needed and move the user and computer objects from their default containers into the new OUs. Delegate control over the new OUs as needed. It is not recommended that you modify who controls the default containers.
Also, you cannot apply Group Policy settings to the default Users and Computers containers. To apply Group Policy to users and computers, create new OUs and move the user and computer objects into those OUs. Apply the Group Policy setting to the new OUs.
Optionally, you can redirect the creation of objects that are placed in the default containers to be placed in containers of your choice. For more information about redirecting the default location of new objects, see "Upgrading Windows NT 4.0 Domains to Windows Server 2003 Active Directory" in this book.
Well-known Users and Groups and Built-in Accounts
By default, several well-known users and groups and built-in accounts are created in a new domain. It is recommended that management of these accounts remains under the control of the service administrators. Do not delegate management of these accounts to an individual who is not a service administrator. Table 2.10 lists the well-known users and groups and built-in accounts that need to remain under the control of the service administrators.
Table 2.10 Accounts That Need to Remain Under the Control of the Service Administrators
|Well-known Users and Groups|Built-in Accounts|
|---|---|
|Group Policy Creator Owners|Incoming Forest Trust Builders|
|Schema Admins (forest root domain only)|Pre-Windows 2000 Compatible Access|
|Enterprise Admins (forest root domain only)||
Domain Controllers OU
When domain controllers are added to the domain, their computer objects are automatically added to the Domain Controllers OU. This OU has a default set of policies applied to it. To ensure that these policies are applied uniformly to all domain controllers, it is recommended that you do not move the computer objects of the domain controllers out of this OU. Failure to apply the default policies can cause a domain controller to fail to function properly.
By default, the service administrators control this OU. Do not delegate control of this OU to individuals other than the service administrators.
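The placement guidance in this topic can be checked against an export of directory objects. The following PowerShell is an added example, not part of the original documentation: the function names, the domain DC=corp,DC=example and the sample objects are constructed, and it assumes the default names CN=Users, CN=Computers and OU=Domain Controllers and that domain controllers carry primaryGroupID 516 (the Domain Controllers group).

```powershell
function Get-ParentDN {
    param([string]$DistinguishedName)
    # Strip the first RDN. Escaped pairs such as "\," stay inside the RDN.
    $DistinguishedName -replace '^(?:\\.|[^,\\])*,', ''
}

function Test-DefaultContainerPlacement {
    param(
        [Parameter(Mandatory)] [object[]]$DirectoryObject,
        [Parameter(Mandatory)] [string]$DomainDN
    )
    # Default names (assumption); adjust if the containers were redirected.
    $defaults = "CN=Users,$DomainDN", "CN=Computers,$DomainDN"
    $dcSuffix = ",OU=Domain Controllers,$DomainDN"

    foreach ($o in $DirectoryObject) {
        $dn = [string]$o.DistinguishedName
        # primaryGroupID 516 is the Domain Controllers group.
        $isDC = ($o.ObjectClass -eq 'computer') -and ($o.PrimaryGroupID -eq 516)
        $finding = $null
        if ($isDC) {
            # A DC anywhere outside the Domain Controllers OU misses its default policies.
            if (-not $dn.EndsWith($dcSuffix, [StringComparison]::OrdinalIgnoreCase)) {
                $finding = 'Domain controller outside the Domain Controllers OU'
            }
        } elseif (($o.ObjectClass -in 'user', 'computer') -and
                  ((Get-ParentDN $dn) -in $defaults)) {
            $finding = 'In default container; Group Policy cannot be applied here'
        }
        if ($finding) {
            [pscustomobject]@{ DistinguishedName = $dn; Finding = $finding }
        }
    }
}

# Constructed sample objects with the properties the function reads.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=DC01,OU=Domain Controllers,DC=corp,DC=example'; ObjectClass = 'computer'; PrimaryGroupID = 516 }
    [pscustomobject]@{ DistinguishedName = 'CN=DC02,OU=Servers,DC=corp,DC=example'; ObjectClass = 'computer'; PrimaryGroupID = 516 }
    [pscustomobject]@{ DistinguishedName = 'CN=WS042,CN=Computers,DC=corp,DC=example'; ObjectClass = 'computer'; PrimaryGroupID = 515 }
    [pscustomobject]@{ DistinguishedName = 'CN=Smith\, Jo,CN=Users,DC=corp,DC=example'; ObjectClass = 'user'; PrimaryGroupID = 513 }
    [pscustomobject]@{ DistinguishedName = 'CN=Lee\, Ann,OU=Staff,DC=corp,DC=example'; ObjectClass = 'user'; PrimaryGroupID = 513 }
)
Test-DefaultContainerPlacement -DirectoryObject $sample -DomainDN 'DC=corp,DC=example' |
    Format-Table -AutoSize
```

With the sample data, DC02, WS042 and the Smith account are reported; DC01 and the Lee account are not. Against a live domain, the same function accepts the output of `Get-ADObject` when `primaryGroupID` is requested with `-Properties`.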