- Active Directory Administration Cookbook
- Sander Berkouwer
- 275 words
- 2021-06-24 14:42:23
Managing Containers and Organizational Units
A default Active Directory domain comes with a set of default containers and one default Organizational Unit (OU). The default containers serve two purposes: some are the default locations for newly created objects (for instance, new computer accounts land in the Computers container), and some hold important built-in objects (for example, the default groups in the Builtin container). The default Domain Controllers OU holds the computer objects of the domain controllers.
The following containers are available by default:
- Builtin
- Computers
- ForeignSecurityPrincipals
- Keys
- LostAndFound
- Managed Service Accounts
- NTDS Quotas
- Program Data
- System
- TPM devices
- Users
We can easily spot the default structure by using the Active Directory Administrative Center (dsac.exe) and Active Directory Users and Computers (dsa.msc), but it's not that hard using Windows PowerShell either. Simply type the following lines of PowerShell to get a list of the OUs in the Active Directory domain that you've signed in to:
# Load the RSAT ActiveDirectory module (recent Windows versions auto-load it, but being explicit is safer)
Import-Module ActiveDirectory
# List the OUs of the domain you are signed in to; note that this cmdlet returns only organizationalUnit objects, not containers
Get-ADOrganizationalUnit -Filter * | Format-Table Name
Containers and OUs don't have security identifiers (SIDs), so they can't be used as security principals to grant access to resources directly; access to the objects inside them is delegated through the ACL on the container or OU instead. The other difference that matters in practice is that Group Policy Objects can be linked to sites, domains and OUs, but not to containers, so objects left in the default Users and Computers containers receive only domain-linked (and site-linked) policy.
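The one-liner above lists OUs only. The following PowerShell is an added example, not code from the book: it enumerates every top-level child of the domain root, so the default containers appear alongside the Domain Controllers OU, marks which ones are the well-known default locations reported by Get-ADDomain, and shows that none of them carry an objectSid. It assumes the RSAT ActiveDirectory module and a session signed in to the domain; the column names and role descriptions are illustrative choices.

```powershell
# Added example (not from the book): list the top-level containers and OUs of the
# domain you are signed in to, classify each one, flag the well-known default
# locations and show whether the object has a SID.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Get-ADDomain exposes the well-known locations the domain actually uses, which
# differ from the defaults once redirusr/redircmp have been run.
$wellKnown = @{}
foreach ($entry in @(
        @{ Dn = $domain.UsersContainer;                     Role = 'default location for new users' },
        @{ Dn = $domain.ComputersContainer;                 Role = 'default location for new computers' },
        @{ Dn = $domain.DomainControllersContainer;         Role = 'domain controller objects' },
        @{ Dn = $domain.SystemsContainer;                   Role = 'system objects' },
        @{ Dn = $domain.ForeignSecurityPrincipalsContainer; Role = 'foreign security principals' },
        @{ Dn = $domain.LostAndFoundContainer;              Role = 'orphaned objects' },
        @{ Dn = $domain.QuotasContainer;                    Role = 'NTDS quotas' }
    )) {
    if ($entry.Dn) { $wellKnown[$entry.Dn] = $entry.Role }
}

# One-level search directly under the domain root. Get-ADOrganizationalUnit would
# return only the organizationalUnit objects and silently miss every container.
Get-ADObject -SearchBase $domain.DistinguishedName -SearchScope OneLevel `
             -LDAPFilter '(objectClass=*)' -Properties objectSid, whenCreated |
    Sort-Object ObjectClass, Name |
    Select-Object Name, ObjectClass,
        @{ Name = 'Kind'; Expression = {
            switch ($_.ObjectClass) {
                # Only organizationalUnit objects are valid Group Policy link targets
                'organizationalUnit' { 'OU (GPO-linkable)' }
                { $_ -in 'container', 'builtinDomain', 'msTPM-InformationObjectsContainer' } { 'container' }
                default { 'other' }
            } } },
        @{ Name = 'Role';   Expression = { $wellKnown[$_.DistinguishedName] } },
        # Containers and OUs have no objectSid, so this column stays False for all of them
        @{ Name = 'HasSid'; Expression = { $null -ne $_.objectSid } },
        whenCreated |
    Format-Table -AutoSize
```

Reading these objects needs no privilege beyond an ordinary domain account, so the listing is a quick way to confirm whether the default locations have been redirected to OUs before you rely on Group Policy to reach new user and computer objects.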
The domain partition of the Active Directory database, which is where these containers, OUs and the objects they hold live, can get messy during the life cycle of the domain. As complexity is the archenemy of every admin, there needs to be a way to organize or even segregate objects.
This chapter serves up the following recipes:
- Creating an OU
- Deleting an OU
- Modifying an OU
- Delegating control of an OU
- Modifying the default location for new user and computer objects