RE: Groups That Must Remain In AD Users OU?

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: BrianG <BrianG@xxxxxxxxxxxxxxxx>
Date: Fri, 28 Mar 2008 15:16:01 -0700

I was able to find the following information and since this has to do with an
AD OU, I will post it here:

The Users container is the default container for all newly-created users and
groups. Certainly we can move them to any other organizational units later as
needed. There is only one exception for a domain environment with Exchange
deployed.

If we are using Microsoft Exchange Server, we must not move the "Exchange
Domain Servers" group or the "Exchange Enterprise Servers" group out of this
default Users container. These two groups must remain in the default Users
container for Exchange to function properly. For any other users/groups we
can move as we like without any problems.

For more information please refer to the following Microsoft articles:

260914 Domainprep utility does not work if Exchange Enterprise Servers group
and Exchange Domain Servers group moved to a new container
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;260914)

324949 Redirecting the users and computers containers in Windows Server 2003
domains (http://support.microsoft.com/default.aspx?scid=kb;EN-US;324949)

Thanks,
Brian

"Morgan che(MSFT)" wrote:

Hi,

As far as I know, there is no such system requirement that some users must
be under Users OU. Most applications mostly care about SID. However, if we
move user accounts between different OUs under the same domain, the user's
SID will not be changed. So it won't affect these applications. If some
applications require that some users/groups remain in Users OU, it would
highly depend on the implementation of the specific applications.

If you doubt some users must remain in Users OU under an Exchange
environment, you may post in the following newsgroups whose engineers are
specialized in Exchange and have more knowledge on the special requirement
of Exchange.

microsoft.public.exchange.admin

More information about SID, please refer to the following articles:
=======

Well-known security identifiers in Windows operating systems
http://support.microsoft.com/kb/243330/en-us

How Security Identifiers Work
http://technet2.microsoft.com/windowsserver/en/library/5dbc99be-7404-41a6-9b
e7-171d40c398db1033.mspx?mfr=true

I hope this helps. If anything is unclear, please feel free to post back.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
--->Thread-Topic: Groups That Must Remain In AD Users OU?
--->thread-index: AciQWu71OKuLmVccQV27PrYodsLL6A==
--->X-WBNR-Posting-Host: 207.46.19.168
--->From: =?Utf-8?B?QnJpYW5H?= <BrianG@xxxxxxxxxxxxxxxx>
--->Subject: Groups That Must Remain In AD Users OU?
--->Date: Thu, 27 Mar 2008 15:36:01 -0700
--->Lines: 4
--->Message-ID: <8925F729-EAFA-4DC6-AAB4-5A029FF3184B@xxxxxxxxxxxxx>
--->MIME-Version: 1.0
--->Content-Type: text/plain;
---> charset="Utf-8"
--->Content-Transfer-Encoding: 7bit
--->X-Newsreader: Microsoft CDO for Windows 2000
--->Content-Class: urn:content-classes:message
--->Importance: normal
--->Priority: normal
--->X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2992
--->Newsgroups: microsoft.public.windows.server.active_directory
--->Path: TK2MSFTNGHUB02.phx.gbl
--->Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.server.active_directory:39272
--->NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
--->X-Tomcat-NG: microsoft.public.windows.server.active_directory
--->
--->Does anyone have a link to a document that lists which groups must
remain in
--->the AD Users OU, especially when you have other Microsoft products in
your
--->domain like Exchange? I've seen this document before, but haven't been
able
--->to find it.
--->

References:
- Groups That Must Remain In AD Users OU?
  - From: BrianG
- RE: Groups That Must Remain In AD Users OU?
  - From: Morgan che(MSFT)

Prev by Date: Re: DSADD COMPUTER - Doesn't work right!
Next by Date: Changing CUSTOM attributes from commandline
Previous by thread: RE: Groups That Must Remain In AD Users OU?
Next by thread: Computer Does Not Allow ANY Use To Search Using AD Group Alias Nam
Index(es):
- Date
- Thread

Relevant Pages

Re: Exchange 2003 Setup Error
... it back to "users" container. ... => Exchange Enterprise Servers ... Go to Deployment tools and follow the on screen path for installation. ...
(microsoft.public.exchange.setup)
Re: To WINS or not WINS
... Also some applications like exchange use it. ... Best regards ... We have two Windows 2003 Servers on our domain. ...
(microsoft.public.windows.server.active_directory)
Re: Active/Active Clustering
... not going A/A with a single application (like Exchange). ... with Active/Active applications in a cluster. ... The problem that usually occurs in this situation is that applications tend ... careful monitoring of your servers peak utilization statistics. ...
(microsoft.public.windows.server.clustering)
Re: POP3 Connector undisclosed recipients
... >connector. ... Also most of the newer email servers like ... No, cost is what I wind up paying for amortized hardware costs, ... >> unoptimized Exchange servers. ...
(microsoft.public.exchange.admin)
Re: How to host email using Exchange 2003
... > You Own SMTP Mail using Exchange 2000" and think the instructions will ... So their DNS your company is using is Internet "facing". ... record specific Emails servers. ... The ISP DNS servers will do the job of sending Internet mails out. ...
(microsoft.public.exchange.setup)