Solved

Default Users OU

Posted on 2015-02-19
6
38 Views
Last Modified: 2015-02-24
I am in the process of organising our Active Directory Organisation Unit (OU) structure from a security standpoint.
 
1.      Can I move all the objects in the Default users OU to another OU I created?
2.      If Yes, What would be any negative impact in moving them?
3.      From a security standpoint, what would any one suggest in terms of where I should move them to and how to protect them?


Many Thanks


Nikky
0
Comment
Question by:Nike_Baby
6 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40619412
1) The "default" users container is not an OU. It is a subtle but important distinction. Of course you can move users from the default container into an OU. Otherwise, why would AD have OUs at all?

2) Entirely dependent on your environment. There could be no negative impacts, or you could move users into an OU where delegation, liked GPOs, or other factors totally break your environment. If you aren't familiar with administering AD, take classes, buy books, call in an expert to assist.... but don't try to go it alone. *Nobody* here can answer this question since it is assuredly specific to each environment.

3) see #2
0
 
LVL 21

Expert Comment

by:Joseph Moody
ID: 40619423
1,2,3) See Cliff's answer. :)
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619425
The Default Users Container is where accounts get created unless otherwise specified. This is similar to the default computers container where new computers added to the domain appear in if you have not redirected your default computer placement.

You can move these user accounts to another OU where you can then apply policies, if required.

From a security standpoint, what would any one suggest in terms of where I should move them to and how to protect them?

This really depends on who you want to have access to modify properties of these accounts. I would start with Delegation of Control to ensure that only people authorized have access to these accounts. I would also use "Protect From Accidental Deletion" on the OU that you place them in.

I would continue this process throughout your restructuring of OU's as well.

Will.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 35

Expert Comment

by:Mahesh
ID: 40619451
You can't apply any GPOs to Default Users Containers except "Default Domain Policy"

Because Default domain policy will be applied to all containers in entire domain including Users container.

The purpose of moving users from default users container to another OU have some specific reasons such as:

U want to move users according to your defined organizational structure, because OU structure resembles your organizational structure
U want to apply specific user level polices on those OUs which is not possible by simply keeping them in default users container
OUs are there to represent your organizational structure \ simplify administration and to put restrictions
There is no very hard rocket science in that.
0
 
LVL 9

Expert Comment

by:nattygreg
ID: 40619614
Already answered,
0
 

Author Closing Comment

by:Nike_Baby
ID: 40628396
Thank you all for your help
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now