JSI Tip 7617. How can I get the NET commands to add users, groups, and computers to an Organization Unit that I define?

The default container for users accounts and security groups is CN=Users. The default container for computer accounts is CN=Computers.

When you define policy settings at the root of the domain, you must define ACLs to prevent these from applying to users and computers in subordinate CN and OU containers.

If you define users, groups, service accounts, and admin accounts in their own OU, following the "Creating an Organizational Unit Design" section of the Best Practice Active Directory Design for Managing Windows Networks white paper, you can apply group policy directly to the containers that host users and computers, and during recovery, restore users before you restore groups.

If your domain functional level is Windows Server 2003, you can redirect the NET commands to default to an OU of your choice.

To redirect the net user and net group commands:

redirusr <Container Distinguished Name>

where <Container Distinguished Name> is the distinguished name of the organizational unit that will become the default for these early-version commands.

To redirect the net computer and netdom (without the /ou switch) commands:

redircmp <Your Computer Container Distinguished Name>

where <Your Computer Container Distinguished Name> is the distinguished name of the organizational unit that will become the default for these early-version commands.

If the PDC emulator is not reachable, you will receive an error similar to:

<redir_command_name> OU=YourOU,DC=YourDomain,DC=YourDomainSuffix Error, could not locate the Primary Domain Controller for the current domain: The specified domain either does not exist or could not be contacted. Redirection was NOT successful.

If the domain functional level is NOT Windows Server 2003, you will receive an error similar to:

<redir_command_name> OU=YourOU,DC=YourDomain,DC=YourDomainSuffix Error, unable to modify the wellKnownObjects attribute. Verify that the domain functional level of the domain is at least Windows Server 2003: Unwilling To Perform Redirection was NOT successful.

If you don't have the required permissions, you will receive an error similar to:

<redir_command_name> OU=YourOU,DC=YourDomain,DC=YourDomainSuffix Error, unable to modify the wellKnownObjects attribute. Verify that the domain functional level of the domain is at least Windows Server 2003: Insufficient Rights Redirection was NOT successful.

If the OU doesn't exist, you will receive an error similar to:

<redir_command_name> OU=YourOU,DC=YourDomain,DC=YourDomainSuffix Error, unable to modify the wellKnownObjects attribute. Verify that the domain functional level of the domain is at least Windows Server 2003: No Such Object Redirection was NOT successful.



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish