Solved

Default Users OU

Posted on 2015-02-19
Last Modified: 2015-02-24
I am in the process of organising our Active Directory Organisational Unit (OU) structure from a security standpoint.

1. Can I move all the objects in the default Users OU to another OU I created?
2. If yes, what would be any negative impact of moving them?
3. From a security standpoint, what would anyone suggest in terms of where I should move them to and how to protect them?


Many Thanks


Nikky
0
Question by:Nike_Baby
6 Comments
 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 40619412
1) The "default" users container is not an OU. It is a subtle but important distinction. Of course you can move users from the default container into an OU. Otherwise, why would AD have OUs at all?

2) Entirely dependent on your environment. There could be no negative impacts, or you could move users into an OU where delegation, linked GPOs, or other factors totally break your environment. If you aren't familiar with administering AD, take classes, buy books, call in an expert to assist... but don't try to go it alone. *Nobody* here can answer this question since it is assuredly specific to each environment.

3) see #2
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 40619423
1,2,3) See Cliff's answer. :)
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619425
The default Users container is where accounts get created unless otherwise specified. This is similar to the default Computers container, where new computers added to the domain appear if you have not redirected your default computer placement.

You can move these user accounts to another OU where you can then apply policies, if required.

From a security standpoint, what would anyone suggest in terms of where I should move them to and how to protect them?

This really depends on who you want to have access to modify properties of these accounts. I would start with Delegation of Control to ensure that only people authorized have access to these accounts. I would also use "Protect From Accidental Deletion" on the OU that you place them in.

I would continue this process throughout your restructuring of OUs as well.

Will.
0
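
The checks raised in the answers above (linked GPOs and delegation on the target OU, accidental-deletion protection, then the move itself), as an added PowerShell example that is not part of any poster's comment. The OU name `Staff Accounts`, its placement under the domain root, and the choice to leave built-in accounts in place are assumptions; nothing is changed until `$dryRun` is set to `$false`.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$dryRun   = $true                    # set to $false to actually create/move
$ouName   = 'Staff Accounts'         # assumed OU name
$domain   = Get-ADDomain
$rootDN   = $domain.DistinguishedName
$sourceDN = $domain.UsersContainer   # the default CN=Users container
$targetDN = "OU=$ouName,$rootDN"

# 1. Create the target OU if it is missing, protected from accidental deletion.
$findOu = @{ Filter = "Name -eq '$ouName'"; SearchBase = $rootDN; SearchScope = 'OneLevel' }
if (-not (Get-ADOrganizationalUnit @findOu)) {
    New-ADOrganizationalUnit -Name $ouName -Path $rootDN `
        -ProtectedFromAccidentalDeletion $true -WhatIf:$dryRun
}

# 2. Review what the move would expose the accounts to (only if the OU exists).
if (Get-ADOrganizationalUnit @findOu) {
    # GPO links in effect at the OU, in precedence order.
    $gp = Get-GPInheritance -Target $targetDN
    "GPO inheritance blocked on target: $($gp.GpoInheritanceBlocked)"
    $gp.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced | Format-Table

    # ACEs set directly on the OU, i.e. the result of any Delegation of Control.
    (Get-Acl -Path "AD:\$targetDN").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
        Format-Table
}

# 3. List the accounts sitting directly in CN=Users. This example skips objects
#    flagged isCriticalSystemObject (Administrator, Guest, krbtgt and similar).
$candidates = Get-ADUser -Filter * -SearchBase $sourceDN -SearchScope OneLevel `
                  -Properties isCriticalSystemObject |
              Where-Object { -not $_.isCriticalSystemObject }
$candidates | Select-Object SamAccountName, Enabled | Format-Table

# 4. Move them. With $dryRun = $true this only prints what would happen.
$candidates | Move-ADObject -TargetPath $targetDN -WhatIf:$dryRun
```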
 
LVL 38

Expert Comment

by:Mahesh
ID: 40619451
You can't apply any GPOs to the default Users container except the "Default Domain Policy", because the Default Domain Policy will be applied to all containers in the entire domain, including the Users container.

There are some specific reasons for moving users from the default Users container to another OU, such as:

You want to move users according to your defined organizational structure, because the OU structure resembles your organizational structure
You want to apply specific user-level policies on those OUs, which is not possible by simply keeping them in the default Users container
OUs are there to represent your organizational structure, simplify administration and put restrictions in place
There is no rocket science in that.
0
 
LVL 14

Expert Comment

by:Natty Greg
ID: 40619614
Already answered.
0
 

Author Closing Comment

by:Nike_Baby
ID: 40628396
Thank you all for your help
0
