Solved

Default Users OU

Posted on 2015-02-19
6
45 Views
Last Modified: 2015-02-24
I am in the process of organising our Active Directory Organisation Unit (OU) structure from a security standpoint.
 
1.      Can I move all the objects in the Default users OU to another OU I created?
2.      If Yes, What would be any negative impact in moving them?
3.      From a security standpoint, what would any one suggest in terms of where I should move them to and how to protect them?


Many Thanks


Nikky
0
Comment
Question by:Nike_Baby
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40619412
1) The "default" users container is not an OU. It is a subtle but important distinction. Of course you can move users from the default container into an OU. Otherwise, why would AD have OUs at all?

2) Entirely dependent on your environment. There could be no negative impacts, or you could move users into an OU where delegation, liked GPOs, or other factors totally break your environment. If you aren't familiar with administering AD, take classes, buy books, call in an expert to assist.... but don't try to go it alone. *Nobody* here can answer this question since it is assuredly specific to each environment.

3) see #2
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 40619423
1,2,3) See Cliff's answer. :)
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619425
The Default Users Container is where accounts get created unless otherwise specified. This is similar to the default computers container where new computers added to the domain appear in if you have not redirected your default computer placement.

You can move these user accounts to another OU where you can then apply policies, if required.

From a security standpoint, what would any one suggest in terms of where I should move them to and how to protect them?

This really depends on who you want to have access to modify properties of these accounts. I would start with Delegation of Control to ensure that only people authorized have access to these accounts. I would also use "Protect From Accidental Deletion" on the OU that you place them in.

I would continue this process throughout your restructuring of OU's as well.

Will.
0
Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

 
LVL 37

Expert Comment

by:Mahesh
ID: 40619451
You can't apply any GPOs to Default Users Containers except "Default Domain Policy"

Because Default domain policy will be applied to all containers in entire domain including Users container.

The purpose of moving users from default users container to another OU have some specific reasons such as:

U want to move users according to your defined organizational structure, because OU structure resembles your organizational structure
U want to apply specific user level polices on those OUs which is not possible by simply keeping them in default users container
OUs are there to represent your organizational structure \ simplify administration and to put restrictions
There is no very hard rocket science in that.
0
 
LVL 13

Expert Comment

by:Natty Greg
ID: 40619614
Already answered,
0
 

Author Closing Comment

by:Nike_Baby
ID: 40628396
Thank you all for your help
0

Featured Post

Enroll in June's Course of the Month

June's Course of the Month is now available! Every 10 seconds, a consumer gets hit with ransomware. Refresh your knowledge of ransomware best practices by enrolling in this month's complimentary course for Premium Members, Team Accounts, and Qualified Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Here's a look at newsworthy articles and community happenings during the last month.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

690 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question