Active Directory Best Practice: OUs and Containers

By Luke Orellana
Virtual Systems Administrator
Trivalent Group, Inc.

Containers and organizational units (OUs) are commonly confused in Active Directory Users and Computers (ADUC), which can lead to problems with Group Policy deployments. A container is a built-in object that cannot be altered without making changes to the Active Directory schema. ADUC shows containers with the following icon:


The most common containers that appear in ADUC by default are the Computers and Users containers. With these, you are limited in what you can do. For example, you can't edit permissions, delegate administration, or link GPOs to them. An OU is similar to a container, but IT administrators can manage an OU directly: link GPOs to it, set permissions on it, create child OUs beneath it, and delegate administration of it. The following icon is the symbol for an OU:


When organizing your Active Directory environment, it is best practice to use OUs instead of containers.


Why Should I Be Using OUs instead of Containers?

Because OUs can be manipulated and configured far more than containers, it is much more beneficial to use OUs to store your Active Directory objects. For example, let's say we want to deploy a GPO to our workstations to change the default homepage for Internet Explorer. If our workstation objects were still sitting in the Computers container, we wouldn't be able to link our GPO directly to those workstations. Instead, we would have to link the GPO at the root domain level, since objects in a container only receive group policies inherited from the domain level. In that case, all of our server objects would also get the same GPO applied to them, giving them the same homepage as our workstations. We may not want this. So, to make things easy, we store our workstations in an OU and link our GPO directly to that OU.


How to Stop Workstations from Populating in the Computer Container

By default, any workstation that is added to the domain will automatically be placed in the Computers container. To change this, first get the distinguished name of the OU you want to be the new default. Then open PowerShell as administrator and run the redircmp command with that distinguished name as its argument:

redircmp "OU=Workstations,OU=Contoso,DC=HVLAB,DC=lcl"

A message will appear showing that redirection was successful. Now when workstations are joined to the domain, they will automatically appear in the specified OU.
You may have an AD environment that consists of multiple OUs for each workstation type, such as Windows 7 workstations or Windows 8 workstations. If you would like to automate where these workstations are placed when they join the domain, you could use a PowerShell script that automatically places each workstation in its respective OU, but that is beyond the scope of this article.
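As an added example (not part of the original article), the following script checks where new computer accounts currently land, audits the Computers container for workstations that are still outside any OU (and so receive no OU-linked GPOs), and moves them into a per-OS OU. It assumes the ActiveDirectory PowerShell module from RSAT, the domain DC=HVLAB,DC=lcl from the article, and hypothetical OU names under OU=Workstations,OU=Contoso.

```powershell
# Added example: audit the Computers container and move stray workstations
# into per-OS OUs. The OU names below are hypothetical; adjust them to your domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# DN where new computer accounts are created (default container, or the OU set by redircmp)
"Default computer container: $($domain.ComputersContainer)"

# Map OperatingSystem prefixes to target OUs (hypothetical names)
$ouMap = @{
    'Windows 7' = 'OU=Windows7,OU=Workstations,OU=Contoso,DC=HVLAB,DC=lcl'
    'Windows 8' = 'OU=Windows8,OU=Workstations,OU=Contoso,DC=HVLAB,DC=lcl'
}

# Refuse to run if a target OU does not exist; a typo would otherwise fail mid-run
foreach ($ou in $ouMap.Values) {
    try   { Get-ADOrganizationalUnit -Identity $ou | Out-Null }
    catch { throw "Target OU not found: $ou" }
}

# Computer objects still sitting directly in the Computers container
$stray = Get-ADComputer -SearchBase 'CN=Computers,DC=HVLAB,DC=lcl' `
                        -SearchScope OneLevel -Filter * -Properties OperatingSystem

foreach ($computer in $stray) {
    # Match the OS string (e.g. "Windows 8.1 Enterprise") against the map prefixes;
    # "Windows Server ..." matches nothing, so servers are left where they are
    $key = $ouMap.Keys |
           Where-Object { $computer.OperatingSystem -like "$_*" } |
           Select-Object -First 1
    if (-not $key) {
        "Skipping $($computer.Name): unrecognised OS '$($computer.OperatingSystem)'"
        continue
    }
    # Dry run first; remove -WhatIf once the planned moves look right
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouMap[$key] -WhatIf
}
```

After the move, run gpupdate on a moved workstation (or simply wait for the next refresh) and confirm with gpresult that the OU-linked GPO now applies.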