Change Default Domain Users to OU level users

Posted on 2007-04-03
Medium Priority
Last Modified: 2008-05-31
I have a domain that spans many sites.  I have set up AD to geographically indicate where each site is based on the continent they are located.  Every site has an admin there and the OU for that site has delegated control to him/her to administer their respective site.  Each site OU has four containers, Groups, Users, Computers, and Servers.  I would like to change something....   When a site admin creates a new user, I would like it to default to the Users folder in that site's OU instead of Domain Users or Users.  I hope this makes sense and how do I accomplish that?

Question by:TIA_IT
LVL 70

Expert Comment

ID: 18845580
Ref: http://support.microsoft.com/kb/324949
Redirecting CN=Users to an administrator-specified organizational unit
1. Log on with domain administrator credentials in the domain where the CN=Users container is being redirected.
2. Transition the domain to the Windows Server 2003 domain functional level in either the Active Directory Users and Computers snap-in (Dsa.msc) or the Domains and Trusts (Domains.msc) snap-in. For additional information about increasing the domain functional level, click the following article number to view the article in the Microsoft Knowledge Base:
322692 (http://support.microsoft.com/kb/322692/) How to raise domain and forest functional levels in Windows Server 2003  
3. Create the organizational unit container where you want users that are created with earlier-version APIs to reside (if the desired OU container does not already exist).
4. Run Redirusr.exe from the command prompt by using the following syntax, where container-dn is the distinguished name of the organizational unit that will become the default location for newly-created user objects created by down-level APIs:
c:\windows\system32\redirusr container-dn
Redirusr is installed in the %SystemRoot%\System32 folder on new and upgraded Windows Server 2003-based computers. For example, to change the default location for users created with down-level APIs such as Net User to the OU=Users OU container in the CORP.COM domain, use the following syntax:
c:\windows\system32>redirusr ou=myusers,DC=company,dc=com
LVL 30

Expert Comment

ID: 18845633
Keep in mind that redirusr will only allow you to redirect to a single OU; it does not have the necessary logic to say "Houston users should go in the Houston OU, Charlotte Users should go in the Charlotte OU", etc.  For that level of granularity you'll need some sort of provisioning system, either home-grown or purchased from a third-party vendor.

Redirusr will allow you to say "All new users created will go to the NewUsersOU rather than the Users Container", nothing more.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking

Author Comment

ID: 18845736
Laura, actually that's what I'm looking for.  My Boston admin has a BST OU and a Users folder. When he creates a new user, that user gets bst+first initial+lastname and I would like that user account to be located in the Users folder in BST with memberships of BST-GG-ALL_USERS.    Same would go for any other of the 135 sites that we have.  The site admin creates the user, and the new account gets created in the respective OU for that site under Users, along with defaulted membership to the global group for ALL_USERS for that site.

So what I'm asking for is a third party deal?
LVL 30

Accepted Solution

LauraEHunterMVP earned 2000 total points
ID: 18845805
There's unfortunately nothing native to AD, including redirusr, that will give you the kind of business logic that you're describing.  

If you want to stick with free tools, you would need to do something like run a scheduled task every hour that searches through the AllUsersOU, and if it finds a user with the first 3 letters of BST, moves that user to the BST OU.  This would be reactive rather than proactive, but it would still accomplish the same thing.

I don't have one single script handy that will do all of that logic from beginning to end, but you could certainly cobble together the vbscript to do the search & move logic from a book like the Active Directory Cookbook.  (Shameless plug, I wrote it.  ;-)  However, the un-annotated VBScript code is available for free here: http://techtasks.com/code/viewbook/2)
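
The search-and-move sweep described in the accepted answer, written in PowerShell with the ActiveDirectory module as an added example; it is not code from this thread or from the Active Directory Cookbook. The staging OU DN and the `-Apply` switch are assumptions, and the three-letter prefix, the per-site "Users" OU and the `<SITE>-GG-ALL_USERS` group name follow the naming the asker describes.

```powershell
#Requires -Modules ActiveDirectory
# Added example: hourly sweep of the OU that redirusr points new users at.
# Assumptions: the staging OU DN below is hypothetical; each site OU has a child
# OU named "Users"; the group's sAMAccountName is <SITE>-GG-ALL_USERS.
param(
    [string]$StagingOU = 'OU=NewUsers,DC=company,DC=com',  # hypothetical DN
    [switch]$Apply                                          # omit for a dry run
)

$users = Get-ADUser -SearchBase $StagingOU -SearchScope OneLevel -Filter * -Properties MemberOf

foreach ($user in $users) {
    # The first three characters must be letters (bstjsmith -> BST). Restricting
    # the prefix to letters also keeps it safe to embed in the -Filter string.
    if ($user.SamAccountName -notmatch '^([A-Za-z]{3})') {
        Write-Warning "Skipping $($user.SamAccountName): no site prefix"
        continue
    }
    $site = $Matches[1].ToUpper()

    # Site OUs sit under continent OUs, so locate the OU by name instead of
    # building a DN, and refuse to guess if the name is missing or ambiguous.
    $siteOU = @(Get-ADOrganizationalUnit -Filter "Name -eq '$site'")
    if ($siteOU.Count -ne 1) {
        Write-Warning "Skipping $($user.SamAccountName): $($siteOU.Count) OUs named $site"
        continue
    }
    $target = "OU=Users,$($siteOU[0].DistinguishedName)"

    try {
        # Confirm both targets exist before changing anything.
        Get-ADOrganizationalUnit -Identity $target -ErrorAction Stop | Out-Null
        $group = Get-ADGroup -Identity "$site-GG-ALL_USERS" -ErrorAction Stop

        # Skip the add on re-runs so an existing membership is not an error.
        if ($user.MemberOf -notcontains $group.DistinguishedName) {
            Add-ADGroupMember -Identity $group -Members $user -WhatIf:(-not $Apply) -ErrorAction Stop
        }
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $target -WhatIf:(-not $Apply) -ErrorAction Stop
        Write-Output "$($user.SamAccountName): $target, $($group.Name) (applied: $Apply)"
    }
    catch {
        Write-Warning "Left $($user.SamAccountName) in staging: $($_.Exception.Message)"
    }
}
```

Run it without `-Apply` first to review the `-WhatIf` output, then schedule it under a dedicated account that is delegated only the rights to move user objects between the staging OU and the site Users OUs and to edit membership of the site groups.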


LVL 71

Expert Comment

by:Chris Dent
ID: 19708205

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
ACCEPT: LauraEHunterMVP {18845805}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Experts Exchange Cleanup Volunteer
