Moving and reorganizing an AD domain for users and computers - some basic questions

Hi all,

I am moving, renaming and generally reorganizing an AD domain that has really not been touched in a couple decades.  I've got a bunch of questions so I don't mess it up:

1) Can I move user, computer or group objects "live" during the day?  That is, if someone is logged in when I move their user object, when the object is "refreshed" (I know that group policy is refreshed during the day), will this cause a problem for the user?  Likewise for a server or a computer (I would like to move the servers out of the general "Computers" container into their own container so that some group policy items are not applied to them).  And then the same for groups: can they be moved live without affecting the security on the network?

2) the previous admin put all user security groups within the OU that holds the users.  But I don't see any reason to do that and would rather have the groups out where they are more visible (at the root of the domain in their own OU).  I figure that security groups do not need policy applied to them because they are not a user or computer object.  Is this a correct assumption?

3) The domain has the default "Users" container off the root.  Can I a) rename this, or b) move groups that I use a lot (e.g. "Domain Users", "Domain Admins", "Domain Computers" and the user object "Administrator") out of this container, and will AD still find these objects?  E.g. I assume that when a computer is added to the domain the process finds "Domain Computers" and adds the computer as a member of that group.  I want to just make it easier for admins to find the groups we need, so I am going to have a "User Groups" container at the root (and also an "Admin Groups" and "System Groups" off the root).

The last question is more just: any comments on the above strategy?  I am trying to divide up the objects in a better way so that as group policy is applied, I can just apply it to different OUs.  Same goes for applying delegation to different OUs.  Right now most of the group policy is applied to the "Default Domain Policy" policy object and sometimes it has to be blocked further down.

Thanks for any comments!

Albert

August 26th, 2015 3:34pm

1. Open the Group Policy Management tool and make sure that the destination OU has the same GPOs as the source. If so, you can move users/computers without any problems.

2. Groups can be moved at any location whenever you want.

3. You can't rename the default Computers and Users OUs. You can use the redircmp and redirusr tools to change the default path for user/computer creation.

August 26th, 2015 3:59pm

Hi

That is not a small question! I'll advise on my recommendations having done this task several times before:

1. You cannot assume that you can move users or groups in the day. From experience, normally you can move the objects without issue but ultimately it depends on (a) where they are being moved to and (b) where those objects are used.

So if a group is used on a Windows file server then you are safe to rename that group or move it, as the file share updates itself as the DCs replicate. However, if the group is used in a third-party appliance (in a previous case I worked on, a network web filter) then you should be cautious and read the vendor's documentation. In my case, the web filter would cache the distinguished name of the object, so when the security group was moved our users lost access to websites until the group was re-added (which updated its distinguished name).

Also, especially with users and computer objects it all depends on group policy applied to the OUs they are being moved to. This should be analysed carefully before moving. You should test this thoroughly with a pilot group to ensure all will work as expected and use RSoP tools etc. Do not simply move all the objects and hope for the best.

2. Yes but you should check if there are special policies in place that modify groups, such as restrictive groups etc. Also, check where these groups are used prior to moving.

3. It is not recommended to rename the default containers (Users and Builtin), so leave them as they are. You are safe to move groups out of this container and into an OU provided you have analysed all apps that potentially use these groups. AD will 'find' them as it searches the entire directory by default. Computers joined to the domain are automatically placed in the 'Computers' container unless it is changed.
See here for more info. https://support.microsoft.com/en-us/kb/324949

See these docs for more info:

https://msdn.microsoft.com/en-us/library/bb727085.aspx
http://www.microsoft.com/en-us/download/details.aspx?id=8133

zxx
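The two answers above both come down to the same pre-move check: confirm that the destination OU yields the same resultant policy as the source, then verify with RSoP on a pilot object. The following PowerShell is an added example (not code from the thread or from Microsoft) that compares the enabled, inherited GPO links of two OUs using the GroupPolicy RSAT module; the OU distinguished names and the pilot computer name are placeholders.

```powershell
# Added example: compare the effective GPO links of a source and destination OU
# before moving objects. Assumes the GroupPolicy RSAT module is installed.
Import-Module GroupPolicy

function Compare-OuGpoLinks {
    param(
        [Parameter(Mandatory)] [string] $SourceOu,   # DN of an OU, or the domain DN
        [Parameter(Mandatory)] [string] $TargetOu    # DN of the OU objects will move to
    )
    # Get-GPInheritance returns GPOs linked at the target plus everything inherited
    # from parent OUs and the domain, in the order they apply.
    # Note: Get-GPInheritance only accepts an OU or the domain. Objects sitting in
    # the default Computers/Users containers only receive domain-linked GPOs, so
    # pass the domain DN as $SourceOu for those.
    $src = Get-GPInheritance -Target $SourceOu
    $dst = Get-GPInheritance -Target $TargetOu

    # Only enabled links contribute to resultant policy.
    $srcNames = @($src.InheritedGpoLinks | Where-Object Enabled | Select-Object -ExpandProperty DisplayName)
    $dstNames = @($dst.InheritedGpoLinks | Where-Object Enabled | Select-Object -ExpandProperty DisplayName)

    [pscustomobject]@{
        SourceOu            = $SourceOu
        TargetOu            = $TargetOu
        SourceBlocksInherit = $src.GpoInheritanceBlocked
        TargetBlocksInherit = $dst.GpoInheritanceBlocked
        OnlyInSource        = @($srcNames | Where-Object { $_ -notin $dstNames })   # policy the object will lose
        OnlyInTarget        = @($dstNames | Where-Object { $_ -notin $srcNames })   # policy the object will gain
    }
}

# Placeholder distinguished names (constructed); replace with your own.
$report = Compare-OuGpoLinks -SourceOu 'DC=corp,DC=example' `
                             -TargetOu 'OU=Servers,DC=corp,DC=example'
$report | Format-List

# After moving a single pilot object, capture RSoP for it and review the report
# before touching the rest. Placeholder computer name.
Get-GPResultantSetOfPolicy -Computer 'PILOT-SRV01' -ReportType Html -Path "$env:TEMP\pilot-rsop.html"
```

Anything listed under OnlyInSource or OnlyInTarget is a policy difference to explain before the move, and a True under either BlocksInherit flag means the link lists alone do not tell the whole story.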


August 26th, 2015 4:04pm

Thanks for the reply.  Will check out redircmp and redirusr tools.  Thanks!
August 26th, 2015 4:24pm

Thanks for the great answer.  I should have also put in my question that I am aware that one of the servers in the domain uses LDAP to authenticate users and so I know I have to update the pathing on that server at the time that I rename that group.  I also need to check to see if the firewall uses any sort of LDAP pathing to authenticate remote users.  Will look more into that.

For #2, can you explain that a bit further - do you mean that some other piece of software is modifying group membership (and this relies upon a specific path to the object)?

Thanks,

Albert

August 26th, 2015 4:28pm

For moving groups - no, I am mainly referring to third-party appliances, typically non-Microsoft.

However without knowing your exact setup, say you use Office 365 with Directory Synchronization filtered to certain OUs, you would have to make sure the OU you were moving the distribution groups to is synced to Office 365, otherwise they would disappear from the GAL.

Another thing to check would be the directory permissions themselves to make sure the default permissions are intact. As mentioned previously, RSoP tools would highlight this.

So my advice is: generally, moving objects works without issues, but always check and test end-to-end.

zxx

August 26th, 2015 8:44pm

Follow-up question: I have run the redircmp and redirusr commands and they came back as successful.  The article you referenced did not show how to display this information (for confirmation).  Is there a command that I can run to display this?  I tried using an LDAP browser to see if I could see it that way, but it did not show everything in WellKnownObjects.

Thanks.

Albert

Update: I found a link where someone else asked the same; the PowerShell command is easy to run and displays the new info.

http://serverfault.com/questions/453864/how-can-i-retrieve-the-default-user-computer-ou

September 4th, 2015 2:27pm
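The confirmation the follow-up asks for can be read straight out of the domain's wellKnownObjects attribute, which is where redircmp and redirusr write their change. The script below is an added example (not from the thread or the linked Server Fault answer); it assumes the ActiveDirectory RSAT module and cross-checks the parsed attribute against the UsersContainer and ComputersContainer properties that Get-ADDomain exposes.

```powershell
# Added example: show where redircmp/redirusr currently point by decoding the
# wellKnownObjects attribute on the domain naming context.
Import-Module ActiveDirectory

function Get-DefaultObjectContainers {
    $domain = Get-ADDomain
    # Each wellKnownObjects value has the form "B:32:<32-hex-char GUID>:<DN>".
    # These two GUIDs are the fixed well-known identifiers for the default
    # Users and Computers containers.
    $known = @{
        'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
        'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
    }
    $wko = (Get-ADObject -Identity $domain.DistinguishedName -Properties wellKnownObjects).wellKnownObjects

    foreach ($entry in $wko) {
        # Limit the split to 4 pieces so a DN is returned intact.
        $parts = $entry -split ':', 4
        $guid  = $parts[2].ToUpper()
        if ($known.ContainsKey($guid)) {
            [pscustomobject]@{ Source = 'wellKnownObjects'; Type = $known[$guid]; Path = $parts[3] }
        }
    }
    # Get-ADDomain reads the same attribute; both views should agree after a redirect.
    [pscustomobject]@{ Source = 'Get-ADDomain'; Type = 'Users';     Path = $domain.UsersContainer }
    [pscustomobject]@{ Source = 'Get-ADDomain'; Type = 'Computers'; Path = $domain.ComputersContainer }
}

Get-DefaultObjectContainers | Sort-Object Type, Source | Format-Table -AutoSize
```

If the Path shown for Computers is still CN=Computers,DC=... after running redircmp, the redirect did not take effect on the DC you are querying; wait for replication or query the DC you ran it against.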
