When you create a new user or computer account in Active Directory, the account is created in the CN=Users or CN=Computers container by default. Although these accounts will inherit GPOs linked to the domain, it is not possible to apply Group Policy directly to these containers.
There are two tools included with Windows Server 2003, Redirusr.exe and Redircmp.exe, with which you can change this behavior and cause new user and computer accounts to be created in a specific OU. Redircmp.exe and Redirusr.exe modify the wellKnownObjects attribute on the PDC Emulator to accomplish this. These two tools are located in %windir%\system32. Before you try this, you must ensure the following:
- Your domain must be running at the 2003 Domain Functional level (all DCs must be 2003 Server)
- You need Domain or Enterprise admin privileges
- Your PDC must be online and responding to requests
- The OUs must be created before you run these tools
To redirect any new user accounts to a specific OU, run the following command:
%windir%\system32\redirusr.exe containerDN
For example, to redirect new user accounts to an OU called NewUserAccounts, run the following command:
%windir%\system32\redirusr.exe OU=NewUserAccounts,DC=thelazyadmin,DC=com
It is just as easy to redirect new computer accounts to a specific OU with this command:
%windir%\system32\redircmp.exe containerDN
For example, to redirect new computer accounts to an OU called NewComputerAccounts, run the following command:
%windir%\system32\redircmp.exe OU=NewComputerAccounts,DC=thelazyadmin,DC=com
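To confirm that a redirect took effect, you can read the wellKnownObjects values back from the domain object and see where the Users and Computers entries now point. The PowerShell below is an added example, not part of the original article: the function name Get-DefaultContainerTarget is hypothetical, the sample values are constructed from the OU names used above, and the commented live query assumes the ActiveDirectory module is installed.

```powershell
# Added example: report where the default Users/Computers entries point.
# Well-known GUIDs that identify the default Users and Computers containers.
$WellKnownGuids = @{
    'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
    'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
}

function Get-DefaultContainerTarget {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string[]]$WellKnownObjects
    )
    foreach ($value in $WellKnownObjects) {
        # Each value has the form  B:32:<GUID as 32 hex chars>:<target DN>
        if ($value -notmatch '^B:32:([0-9A-Fa-f]{32}):(.+)$') { continue }
        $guid = $Matches[1].ToUpper()
        $dn   = $Matches[2]
        # Skip well-known entries other than Users and Computers.
        if (-not $WellKnownGuids.ContainsKey($guid)) { continue }
        $kind = $WellKnownGuids[$guid]
        [pscustomobject]@{
            Kind       = $kind
            TargetDN   = $dn
            # Still the default when the DN begins with CN=Users, / CN=Computers,
            Redirected = ($dn -notmatch "^CN=$kind,")
        }
    }
}

# Constructed sample: users redirected, computers still in the default
# container, plus one unrelated well-known entry that the filter ignores.
$sample = @(
    'B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=NewUserAccounts,DC=thelazyadmin,DC=com',
    'B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=thelazyadmin,DC=com',
    'B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=thelazyadmin,DC=com'
)
Get-DefaultContainerTarget -WellKnownObjects $sample | Format-Table -AutoSize

# Against a live domain (assumes the ActiveDirectory module):
# $domain = Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties wellKnownObjects
# Get-DefaultContainerTarget -WellKnownObjects $domain.wellKnownObjects
```

A row with Redirected set to False means new accounts of that kind still land in the default container, where no GPO can be applied directly.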