Categories: Windows Server

SOLVED: Why COMPUTER OU Does Not Appear in GROUP POLICY MANAGEMENT

Have you ever wondered why nearly every Active Directory you have seen does not use the COMPUTERS and USERS Organizational Unit (folder) for day-to-day operations?

We had a client that put all 200 of their computers in the COMPUTERS OU in their AD, and their staff could not figure out how to assign Group Policies to it. We explained that this is by design: the COMPUTERS “folder” in AD is NOT an Organizational Unit, it is a “Container”.

There are 7 primary CONTAINERS that come default with Active Directory:

  1. CN=Computers: The default location for new computer accounts.
  2. CN=Users: The default location for new user accounts and groups.
  3. CN=Builtin: Contains built-in groups and accounts used by the system.
  4. CN=ForeignSecurityPrincipals: Holds security principals from trusted external domains.
  5. CN=Program Data: Stores application-specific data.
  6. CN=System: Contains system-related objects and settings.
  7. CN=LostAndFound: Stores objects that have been orphaned during replication.

If you click VIEW > ADVANCED FEATURES in AD USERS AND COMPUTERS, you will see even more Containers, like NTDS QUOTAS and TPM DEVICES.

These containers are created by default during the installation of Active Directory Domain Services (AD DS) and are not OUs, so you cannot link Group Policy Objects (GPOs) directly to them.
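The quickest way to see why GPMC refuses a link is to look at the object class of the target. Containers are objectClass `container` (or a special class such as `builtinDomain` and `lostAndFound`); only domains, OUs and sites can carry a GPO link. The following PowerShell is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module is installed and the current user has read access to the domain.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# GPMC only offers domains, OUs and sites as link targets. A plain 'container'
# (CN=Computers, CN=Users, ...) is never in that set, whatever it is named.
function Test-GpoLinkTarget {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $obj = Get-ADObject -Identity $DistinguishedName
    return ($obj.ObjectClass -in @('domainDNS', 'organizationalUnit', 'site'))
}

# List every top-level object in the domain and flag which ones can take a GPO link.
# This is where the default containers from the list above show up next to real OUs
# such as OU=Domain Controllers.
Get-ADObject -SearchBase $domainDN -SearchScope OneLevel -Filter '*' |
    Select-Object Name, ObjectClass,
        @{ Name = 'GpoLinkable'; Expression = { Test-GpoLinkTarget $_.DistinguishedName } } |
    Sort-Object GpoLinkable, Name |
    Format-Table -AutoSize

# Count the computer accounts that are stranded in CN=Computers. These machines
# receive only domain-linked (and site-linked) GPOs, nothing more granular.
$computersContainer = "CN=Computers,$domainDN"
$stranded = @(Get-ADComputer -SearchBase $computersContainer -SearchScope OneLevel -Filter '*')
"{0} computer account(s) in {1}; GPO-linkable: {2}" -f $stranded.Count,
    $computersContainer, (Test-GpoLinkTarget $computersContainer)
```

Run it once in a domain where computers are being joined with the default settings and the last line will report CN=Computers as not linkable, which is exactly the situation the client above was in.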

What’s The Difference Between a CONTAINER and an ORGANIZATIONAL UNIT?

When I took my first Active Directory training at COMDEX Vancouver, in 1999, the Microsoft instructors would get very animated if you called an OU a FOLDER. Personally, after 25 years of working with them, I think MS should have called OUs “folders” and containers “containers”.

Click on the AD screenshot to the right and notice that CONTAINERS have an icon that looks just like a folder in a file structure, but OUs have an icon of a folder within a folder.

In Active Directory (AD), containers and Organizational Units (OUs) serve different purposes and have distinct characteristics:

Containers

  • Default Objects: Containers are default objects created during the installation of AD. Examples include the “Users” and “Computers” containers.
  • No Group Policy: You cannot apply Group Policy Objects (GPOs) directly to containers.
  • Basic Structure: Containers provide a basic hierarchical structure for organizing objects like users, computers, and groups.
  • Limited Control: Containers do not have security permissions or delegation capabilities. For instance, you cannot rename a CONTAINER, while you can rename an OU.

Organizational Units (OUs)

  • Customizable: OUs can be created by administrators to suit specific organizational needs, such as departments or locations.
  • Group Policy: You can apply GPOs to OUs, allowing for more granular control over settings and policies.
  • Security and Delegation: OUs have their own security permissions and can be used to delegate administrative control.
  • Flexible Management: OUs offer more flexibility and control over the management and organization of AD objects.

To wrap this up, while containers provide a basic structure for organizing AD objects, OUs offer more advanced features like Group Policy application, security permissions, and administrative delegation, making them more suitable for detailed and flexible management.
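The practical fix for a domain like the client’s is to create a real OU, move the computer accounts into it, link the GPO there, and then redirect the default computer container so future domain joins land in the OU instead of CN=Computers. The script below is an added example, not the original post’s code; it assumes the RSAT ActiveDirectory and GroupPolicy modules, Domain Admin rights, and that `Workstations` and `Workstation Baseline` are placeholder names you replace with your own.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory and
# GroupPolicy modules are installed and the account is a Domain Admin.
# The OU name and GPO name below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Workstations'            # placeholder: your OU name
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Workstation Baseline'    # placeholder: your GPO name

# 1. Create the OU if it is missing. Accidental-deletion protection is kept on so
#    an admin cannot drop 200 computer objects with one right-click.
$existingOu = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move the computer accounts out of the CN=Computers container into the OU.
#    -WhatIf only reports what would move; remove it once the list looks right.
Get-ADComputer -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel -Filter '*' |
    Move-ADObject -TargetPath $ouDN -WhatIf

# 3. Link the GPO to the OU (creating the GPO first if it does not exist).
#    New-GPLink fails if the link already exists, so check GpoLinks first.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$alreadyLinked = (Get-GPInheritance -Target $ouDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes
}

# 4. Redirect the default computer container so newly joined machines land in the OU
#    instead of CN=Computers. redircmp.exe is the supported tool for this and requires
#    the domain to be at Windows Server 2003 functional level or higher.
redircmp.exe $ouDN
```

Step 4 is the one most people skip: without it the next workstation that joins the domain goes straight back into CN=Computers, and the GPO linked in step 3 never reaches it. The companion `redirusr.exe` does the same for new user accounts and CN=Users.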


Published by
Ian Matthews