Why is the Computers object a CN not an OU in Microsoft Active Directory?

active-directory

In my Microsoft active directory environment almost every organizational structure is an Organizational Unit. There are two common exceptions to this rule, the Computers object and the Users object. These are the default objects that are created when you setup Active Directory. Whenever I read anything about these objects, I am told that they use "Container Names" for backwards compatibility. From what I understand, these objects were configured that way when active directory was setup. My main question is this:

What will break if you convert to using OU's for these objects? I'm asuming the only way to do it is to create new OU's, redirect active directy to use these new OU's, and then delete the old CN objects.

I realize it's not a recommended procedure, but I want to know why.

Bonus Questions

  • Did the active directory developers give a reason why the Computers and Users objects were created using a CN and not as a normal OU?
  • Is it even possible to delete the default objects?

These containers exist for backward compatibility with NT4-based domains when being upgraded to Windows 2000 AD domains, and many other reasons that are due to NT4 compatibility with Windows 2000.

MS KB 324949 provides a good explanation of the reasons behind this due to legacy ("earlier-version") api calls: https://support.microsoft.com/en-us/help/324949/redirecting-the-users-and-computers-containers-in-active-directory-domains

In a default installation of an Active Directory domain, user accounts, computer accounts, and groups are put in CN=objectclass containers instead of being put in a more desirable organizational unit class container. Similarly, user accounts, computer accounts, and groups that were created by using earlier-version APIs are put in the CN=Users and CN=computers containers.

Users, computers, and groups that are created by earlier-version APIs place objects in the DN path that is specified in the WellKnownObjects attribute that is located in the domain NC head. The following code example shows the relevant paths in the WellKnownObjects attribute from the CONTOSO.COM domain NC head.


I'd advise against messing with those objects. It is typical to create new OUs and then move any necessary objects to your new OUs. You can then use redircmp (https://technet.microsoft.com/en-us/library/cc770619.aspx) to change where computer objects are created by default.

Related

grep ouput filepath with file modified date?
Environment variables using AWS CodeDeploy
Backup Monitoring Solution [closed]
Default policy for OUTPUT
How do I automatically approve important updates from WSUS?
Multiple DHCP uplinks - How to ignore DNS and default route on all but one?
yum list available - not showing all packages
DNS settings for DCs in remote sites
Security Risks of a One-Way Trust Relationship between Domains
Reverse DNS does not contain the hostname error from MXToolBox
Is it possible to / how would one include vars files from other vars files?
How does nginx distribute traffic among IPs associated with an upstream DNS name?