How can I link a GPO to the Computers Container

Well. The easy and correct answer is that you can't. The Computers container is a container, not an organizational unit. Why not, you may wonder? The container is a system default and is protected from administrators so they can't delete it by mistake. We need to look in the schema to understand the real difference.

First off, how does AD know which GPOs are linked to a specific OU? AD keeps a list of all GPOs linked to an OU by storing an array of GUIDs (as LDAP paths) in an attribute called gPLink. So why can't I just add gPLink to the container, then?

The schema contains all object classes (classSchema) and all attributes (attributeSchema) that make up Active Directory. Each object class has a set of attributes, and these differ between containers and OUs. Every class may have required attributes (must) and optional attributes (may); these are stored as multivalued strings in the systemMustContain and systemMayContain attributes of the class definition.

Let's look:

  • Start ADSI Edit (adsiedit.msc)
  • Action menu and select Connect To
  • Select the well known Naming Context: Schema and press OK
  • Open the CN=Schema,CN=Config……
  • Let's open CN=Organizational-Unit
    • Look at the systemMayContain attribute
    • It contains the gPLink attribute
  • Now do the same with CN=Container
    • Look at the systemMayContain attribute
    • It does not contain the gPLink attribute

So now we know why we can't link GPOs to the Computers container. You could always change the location where Active Directory stores new computers and users (redirect the default containers to OUs of your own), but that brings its own challenges. It is technically possible to alter the schema so that containers may carry gPLink, BUT I would recommend AGAINST it. I don't think Microsoft will give you any support for a modified schema.
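The same schema check as the ADSI Edit walkthrough above, done with the ActiveDirectory PowerShell module, and then a comparison of gPLink on the Computers container against the Domain Controllers OU. This is an added example, not code from the original post; it assumes RSAT (the ActiveDirectory module) is installed and the session runs on a domain-joined machine with read access to the schema.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is available and the session is domain-joined with schema read access.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext     # CN=Schema,CN=Configuration,...
$domainNC = $rootDse.defaultNamingContext    # DC=...,DC=...

# 1. Which of the two classes may carry gPLink at all?
foreach ($className in 'Organizational-Unit', 'Container') {
    $cls = Get-ADObject -Identity "CN=$className,$schemaNC" `
                        -Properties systemMayContain, mayContain
    # Merge the system-defined and admin-added optional attribute lists.
    $optional = @($cls.systemMayContain) + @($cls.mayContain)
    $allowed  = $optional -contains 'gPLink'
    '{0,-20} gPLink allowed: {1}' -f $className, $allowed
}

# 2. Compare the actual gPLink values on a container and on an OU.
#    The Domain Controllers OU always has the Default Domain Controllers
#    Policy linked, so it is a handy reference; CN=Computers never can.
$targets = @(
    "CN=Computers,$domainNC",
    "OU=Domain Controllers,$domainNC"
)
foreach ($dn in $targets) {
    $obj = Get-ADObject -Identity $dn -Properties objectClass, gPLink
    [pscustomobject]@{
        DistinguishedName = $dn
        ObjectClass       = $obj.objectClass
        # gPLink holds "[LDAP://cn={GUID},cn=policies,...;flags]" entries,
        # one per linked GPO; empty means nothing is (or can be) linked.
        LinkedGpoCount    = ([regex]::Matches([string]$obj.gPLink, '\{[0-9A-Fa-f-]+\}')).Count
        gPLink            = $obj.gPLink
    }
}
```

The first loop should report gPLink allowed only for Organizational-Unit, which is exactly what the ADSI Edit steps show; the second shows the Domain Controllers OU with at least one linked GPO and the Computers container with none.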

Sources:

Schema classes and attributes

Redirecting the users and computers containers in Active Directory domains

Comments

  1. Phunktional Johnkey says:

    Nicely done!
