Does anyone have a link to a document that lists which groups must remain in
the AD Users OU, especially when you have other Microsoft products in your
domain like Exchange? I've seen this document before, but haven't been able
to find it.

RE: Groups That Must Remain In AD Users OU? by v-morche

v-morche
Fri Mar 28 02:42:12 PDT 2008

Hi,

As far as I know, there is no such system requirement that some users must
be under Users OU. Most applications mostly care about SID. However, if we
move user accounts between different OUs under the same domain, the user's
SID will not be changed. So it won't affect these applications. If some
applications require that some users/groups remain in Users OU, it would
highly depend on the implementation of the specific applications.

If you doubt some users must remain in Users OU under an Exchange
environment, you may post in the following newsgroups whose engineers are
specialized in Exchange and have more knowledge on the special requirement
of Exchange.

microsoft.public.exchange.admin

For more information about SIDs, please refer to the following articles:

Well-known security identifiers in Windows operating systems
http://support.microsoft.com/kb/243330/en-us

How Security Identifiers Work
http://technet2.microsoft.com/windowsserver/en/library/5dbc99be-7404-41a6-9be7-171d40c398db1033.mspx?mfr=true

I hope this helps. If anything is unclear, please feel free to post back.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


--------------------
--->From: BrianG <BrianG@newsgroup.nospam>
--->Subject: Groups That Must Remain In AD Users OU?
--->Date: Thu, 27 Mar 2008 15:36:01 -0700
--->Newsgroups: microsoft.public.windows.server.active_directory


RE: Groups That Must Remain In AD Users OU? by BrianG

BrianG
Fri Mar 28 15:16:01 PDT 2008

I was able to find the following information and since this has to do with an
AD OU, I will post it here:

The Users container is the default container for all newly-created users and
groups. Certainly we can move them to any other organizational units later as
needed. There is only one exception for a domain environment with Exchange
deployed.

If we are using Microsoft Exchange Server, we must not move the "Exchange
Domain Servers" group or the "Exchange Enterprise Servers" group out of this
default Users container. These two groups must remain in the default Users
container for Exchange to function properly. For any other users/groups we
can move as we like without any problems.

For more information please refer to the following Microsoft articles:

260914 Domainprep utility does not work if Exchange Enterprise Servers group
and Exchange Domain Servers group moved to a new container
(http://support.microsoft.com/default.aspx?scid=kb;EN-US;260914)

324949 Redirecting the users and computers containers in Windows Server 2003
domains (http://support.microsoft.com/default.aspx?scid=kb;EN-US;324949)

Thanks,
Brian
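
An added example, not part of the original posts: a PowerShell check that reports whether the two Exchange groups named above still sit in the default Users container, and records each group's SID so that a later run can confirm a move changed only the location. It makes no changes to the directory; it assumes the ActiveDirectory module (RSAT) is installed, and the baseline file name is hypothetical.

```powershell
Import-Module ActiveDirectory

$groupNames   = 'Exchange Domain Servers', 'Exchange Enterprise Servers'
$baselinePath = '.\exchange-groups-baseline.csv'   # hypothetical file name

# Assumption: "default Users container" means CN=Users directly under the domain root.
$usersDn = "CN=Users,$((Get-ADDomain).DistinguishedName)"

$report = foreach ($name in $groupNames) {
    $found = @(Get-ADGroup -Filter "Name -eq '$name'")
    if ($found.Count -eq 0) {
        [pscustomobject]@{ Group = $name; SID = ''; Parent = ''; InUsers = $false; Note = 'not found' }
    }
    foreach ($g in $found) {
        # Parent container: the DN with its first RDN removed (split at the first unescaped comma).
        $parent = ($g.DistinguishedName -split '(?<!\\),', 2)[1]
        [pscustomobject]@{
            Group   = $g.Name
            SID     = $g.SID.Value
            Parent  = $parent
            InUsers = ($parent -eq $usersDn)
            Note    = ''
        }
    }
}

# A move inside the domain changes Parent but not SID; compare with a saved baseline if present.
if (Test-Path $baselinePath) {
    $old = @{}
    Import-Csv $baselinePath | ForEach-Object { $old[$_.Group] = $_ }
    foreach ($row in $report) {
        $prev = $old[$row.Group]
        if ($prev -and $prev.SID -ne $row.SID)           { $row.Note = 'SID differs from baseline' }
        elseif ($prev -and $prev.Parent -ne $row.Parent) { $row.Note = "moved from $($prev.Parent)" }
    }
} else {
    # First run: save the current state as the baseline.
    $report | Export-Csv $baselinePath -NoTypeInformation
}

$report | Format-Table -AutoSize
```

Any row with `InUsers` false for these two groups is the condition KB 260914 describes.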


RE: Groups That Must Remain In AD Users OU? by v-morche

v-morche
Tue Apr 01 03:31:41 PDT 2008

Hello,

Thank you for sharing. I believe that other customers will also
benefit from your experience.

If you experience any break/fix based issue in the future, you are welcome
to post here. We are glad to be of help.

Thanks.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center


