Delegating Administration of Default Containers and OUs

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Every Active Directory domain contains a standard set of containers and organizational units (OUs) that are created during the installation of Active Directory Domain Services (AD DS). These include the following:

  • Domain container, which serves as the root container to the hierarchy

  • Built-in container, which holds the default service administrator accounts

  • Users container, which is the default location for new user accounts and groups created in the domain

  • Computers container, which is the default location for new computer accounts created in the domain

  • Domain Controllers OU, which is the default location for the computer accounts for domain controllers computer accounts

The forest owner controls these default containers and OUs.

Domain container

The domain container is the root container of the hierarchy of a domain. Changes to the policies or the access control list (ACL) on this container can potentially have domain-wide impact. Do not delegate control of this container; it must be controlled by the service administrators.

Users and computers containers

When you perform an in-place domain upgrade from Windows Server 2003 to Windows Server 2008, existing users and computers are automatically placed into the users and the computers containers. If you are creating a new Active Directory domain, the users and computers containers are the default locations for all new user accounts and non-domain-controller computer accounts in the domain.

Important

If you need to delegate control over users or computers, do not modify the default settings on the users and computers containers. Instead, create new OUs (as needed) and move the user and computer objects from their default containers and into the new OUs. Delegate control over the new OUs, as needed. We recommend that you not modify who controls the default containers.

Also, you cannot apply Group Policy settings to the default users and computers containers. To apply Group Policy to users and computers, create new OUs and move the user and computer objects into those OUs. Apply the Group Policy settings to the new OUs.

Optionally, you can redirect the creation of objects that are placed in the default containers to be placed in containers of your choice.

Well-known users and groups and built-in accounts

By default, several well-known users and groups and built-in accounts are created in a new domain. We recommend that management of these accounts remains under the control of the service administrators. Do not delegate management of these accounts to an individual who is not a service administrator. The following table lists the well-known users and groups and built-in accounts that need to remain under the control of the service administrators.

Well-known users and groups Built-in accounts

Cert Publishers

Domain Controllers

Group Policy Creator Owners

KRBTGT

Domain Guests

Administrator

Domain Admins

Schema Admins (forest root domain only)

Enterprise Admins (forest root domain only)

Domain Users

Administrator

Guest

Guests

Account Operators

Administrators

Backup Operators

Incoming Forest Trust Builders

Print Operators

Pre-Windows 2000 Compatible Access

Server Operators

Users

Domain Controller OU

When domain controllers are added to the domain, their computer objects are automatically added to the Domain Controller OU. This OU has a default set of policies applied to it. To ensure that these policies are applied uniformly to all domain controllers, we recommend that you not move the computer objects of the domain controllers out of this OU. Failure to apply the default policies can cause a domain controller to fail to function properly.

By default, the service administrators control this OU. Do not delegate control of this OU to individuals other than the service administrators.