Solved

Default Users OU

Posted on 2015-02-19
Last Modified: 2015-02-24
I am in the process of organising our Active Directory Organisational Unit (OU) structure from a security standpoint.
 
1. Can I move all the objects in the Default users OU to another OU I created?
2. If yes, what would be any negative impact in moving them?
3. From a security standpoint, what would anyone suggest in terms of where I should move them to and how to protect them?


Many Thanks


Nikky
Question by:Nike_Baby

Accepted Solution

by: Cliff Galiher, earned 500 total points
ID: 40619412
1) The "default" users container is not an OU. It is a subtle but important distinction. Of course you can move users from the default container into an OU. Otherwise, why would AD have OUs at all?

2) Entirely dependent on your environment. There could be no negative impacts, or you could move users into an OU where delegation, linked GPOs, or other factors totally break your environment. If you aren't familiar with administering AD, take classes, buy books, call in an expert to assist... but don't try to go it alone. *Nobody* here can answer this question since it is assuredly specific to each environment.

3) See #2.

Expert Comment

by:Joseph Moody
ID: 40619423
1,2,3) See Cliff's answer. :)

Expert Comment

by:Will Szymkowski
ID: 40619425
The Default Users Container is where accounts get created unless otherwise specified. This is similar to the default Computers container, where new computers added to the domain appear if you have not redirected your default computer placement.

You can move these user accounts to another OU where you can then apply policies, if required.

"From a security standpoint, what would anyone suggest in terms of where I should move them to and how to protect them?"

This really depends on who you want to have access to modify properties of these accounts. I would start with Delegation of Control to ensure that only people authorized have access to these accounts. I would also use "Protect From Accidental Deletion" on the OU that you place them in.

I would continue this process throughout your restructuring of OUs as well.

Will.
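
The points raised in the answers above (linked GPOs and delegation on the target OU, protection from accidental deletion) can be checked before any account is moved. The PowerShell below is an added example, not part of any poster's answer; it assumes the RSAT ActiveDirectory and GroupPolicy modules, the OU name `Staff` is hypothetical, and skipping critical system objects is this example's own choice.

```powershell
# Added example. 'Staff' is a hypothetical OU name; run from a host with RSAT installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain   = Get-ADDomain
$sourceDn = $domain.UsersContainer            # CN=Users,DC=... (a container, not an OU)
$ouName   = 'Staff'                           # hypothetical target OU
$ouDn     = "OU=$ouName,$($domain.DistinguishedName)"

# 1. Create the target OU, protected from accidental deletion, if it is missing.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
    -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName `
        -ProtectedFromAccidentalDeletion $true
}

# 2. GPO links that will apply to accounts placed in the OU
#    (see the GpoLinks and InheritedGpoLinks properties of the result).
Get-GPInheritance -Target $ouDn | Format-List Path, GpoLinks, InheritedGpoLinks

# 3. Explicit (non-inherited) ACEs on the OU, i.e. who has been delegated control.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 4. User accounts sitting directly in CN=Users. Objects AD flags as
#    critical system objects are left where they are (example's choice).
$candidates = Get-ADUser -Filter * -SearchBase $sourceDn -SearchScope OneLevel `
    -Properties isCriticalSystemObject |
    Where-Object { -not $_.isCriticalSystemObject }
$candidates | Select-Object SamAccountName, Enabled, DistinguishedName

# 5. Dry run of the move. Remove -WhatIf only after steps 2 and 3 show
#    the GPOs and delegations you expect on the target OU.
$candidates | Move-ADObject -TargetPath $ouDn -WhatIf
```

Nothing is moved while `-WhatIf` is present; the output of steps 2 and 3 is what to review against the environment-specific risks described in the accepted answer.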

Expert Comment

by:Mahesh
ID: 40619451
You can't apply any GPOs to Default Users Containers except "Default Domain Policy", because the Default Domain Policy will be applied to all containers in the entire domain, including the Users container.

Moving users from the default Users container to another OU has some specific reasons, such as:

You want to move users according to your defined organizational structure, because the OU structure resembles your organizational structure
You want to apply specific user-level policies on those OUs, which is not possible by simply keeping them in the default Users container
OUs are there to represent your organizational structure / simplify administration and to put restrictions
There is no very hard rocket science in that.

Expert Comment

by:Natty Greg
ID: 40619614
Already answered.

Author Closing Comment

by:Nike_Baby
ID: 40628396
Thank you all for your help