Change Default Domain Users to OU level users

I have a domain that spans many sites.  I have set up AD to geographically indicate where each site is based on the continent they are located.  Every site has an admin there and the OU for that site has delegated control to him/her to administer their respective site.  Each site OU has four containers, Groups, Users, Computers, and Servers.  I would like to change something....   When a site admin creates a new user, I would like it to default to the Users folder in that site's OU instead of Domain Users or Users.  I hope this makes sense and how do I accomplish that?


Brian Pierce (Photographer) commented:
Redirecting CN=Users to an administrator-specified organizational unit
1. Log on with domain administrator credentials in the domain where the CN=Users container is being redirected.
2. Transition the domain to the Windows Server 2003 domain functional level in either the Active Directory Users and Computers snap-in (Dsa.msc) or the Domains and Trusts (Domains.msc) snap-in. For additional information about increasing the domain functional level, click the following article number to view the article in the Microsoft Knowledge Base:
322692 (How to raise domain and forest functional levels in Windows Server 2003)
3. Create the organizational unit container where you want users that are created with earlier-version APIs to reside (if the desired OU container does not already exist).
4. Run Redirusr.exe from the command prompt by using the following syntax, where container-dn is the distinguished name of the organizational unit that will become the default location for newly-created user objects created by down-level APIs:
c:\windows\system32\redirusr container-dn
Redirusr is installed in the %SystemRoot%\System32 folder on new and upgraded Windows Server 2003-based computers. For example, to change the default location for users created with down-level APIs such as Net User to the OU=Users OU container in the CORP.COM domain, use the following syntax:
c:\windows\system32>redirusr ou=myusers,DC=company,dc=com
Keep in mind that redirusr will only allow you to redirect to a single OU; it does not have the necessary logic to say "Houston users should go in the Houston OU, Charlotte Users should go in the Charlotte OU", etc.  For that level of granularity you'll need some sort of provisioning system, either home-grown or purchased from a third-party vendor.

Redirusr will allow you to say "All new users created will go to the NewUsersOU rather than the Users Container", nothing more.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
TIA_IT (Author) commented:
Laura, actually that's what I'm looking for.  My Boston admin has a BST OU and a Users folder. When he creates a new user, that user gets bst+first initial+lastname and I would like that user account to be located in the Users folder in BST with memberships of BST-GG-ALL_USERS.    Same would go for any other of the 135 sites that we have.  The site admin creates the user, and the new account gets created in the respective OU for that site under Users, along with defaulted membership to the global group for ALL_USERS for that site.

So what I'm asking for is a third party deal?
There's unfortunately nothing native to AD, including redirusr, that will give you the kind of business logic that you're describing.  

If you want to stick with free tools, you would need to do something like run a scheduled task every hour that searches through the AllUsersOU, and if it finds a user with the first 3 letters of BST, moves that user to the BST OU.  This would be reactive rather than proactive, but it would still accomplish the same thing.

I don't have one single script handy that will do all of that logic from beginning to end, but you could certainly cobble together the vbscript to do the search & move logic from a book like the Active Directory Cookbook.  (Shameless plug, I wrote it.  ;-)  However, the un-annotated VBScript code is available for free here:
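
An added sketch of the scheduled search-and-move task described above, written in PowerShell with the ActiveDirectory module. It is not the poster's script and not code from the Active Directory Cookbook; the staging OU, the site-to-OU map and the example.com distinguished names are constructed placeholders, while the three-letter prefix rule and the `<site>-GG-ALL_USERS` group pattern come from the thread.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Every DN below is a constructed placeholder, not from the thread.
param(
    [string]$StagingOU = 'OU=NewUsers,DC=example,DC=com',  # assumed redirusr target
    [switch]$Apply                                          # omit for a dry run
)

# Allowlist: site code -> that site's Users OU. Accounts with any other prefix stay put.
$SiteUsersOU = @{
    'BST' = 'OU=Users,OU=BST,OU=NorthAmerica,DC=example,DC=com'
    'HOU' = 'OU=Users,OU=HOU,OU=NorthAmerica,DC=example,DC=com'
}

function Get-SiteCode {
    param([string]$SamAccountName)
    # Naming rule from the thread: 3-letter site code + first initial + last name.
    if ($SamAccountName -match '^([A-Za-z]{3})[A-Za-z]') { return $Matches[1].ToUpper() }
    return $null
}

$mode  = if ($Apply) { 'MOVED' } else { 'DRYRUN' }
$users = Get-ADUser -SearchBase $StagingOU -SearchScope OneLevel -Filter * -Properties MemberOf

foreach ($user in $users) {
    $code = Get-SiteCode $user.SamAccountName
    if (-not $code -or -not $SiteUsersOU.ContainsKey($code)) {
        Write-Warning "Left in staging (no site match): $($user.SamAccountName)"
        continue
    }
    try {
        # Resolve the site group first; a missing group aborts before anything changes.
        $group = Get-ADGroup -Identity "$code-GG-ALL_USERS" -ErrorAction Stop
        if ($user.MemberOf -notcontains $group.DistinguishedName) {
            Add-ADGroupMember -Identity $group -Members $user -WhatIf:(-not $Apply) -ErrorAction Stop
        }
        # Move last, so a failed run leaves the account in staging for the next pass.
        Move-ADObject -Identity $user -TargetPath $SiteUsersOU[$code] -WhatIf:(-not $Apply) -ErrorAction Stop
        Write-Output "$(Get-Date -Format s) $mode $($user.SamAccountName) -> $($SiteUsersOU[$code])"
    }
    catch {
        Write-Warning "Failed for $($user.SamAccountName): $($_.Exception.Message)"
    }
}
```

Without `-Apply` the script only reports what it would do. The account that runs the task needs rights on the staging OU, the site Users OUs and the site groups only, and the output lines give an audit trail of which accounts were placed where.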



Chris Dent (PowerShell Developer) commented:

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
ACCEPT: LauraEHunterMVP {18845805}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Experts Exchange Cleanup Volunteer