Well, the easy and correct answer is that you can't. The Computers container is a container, not an organizational unit. Why not, you may wonder? The container is a system default and is protected so that administrators cannot delete it by mistake, but the reason you cannot link a GPO to it lies in the schema. We need to look there to understand the big difference.
First, how does AD know which GPOs are linked to a specific OU? It stores the links on the OU itself, in an attribute called gPLink. gPLink is a single string made of one [LDAP://<DN of the GPO>;<options>] entry per linked GPO; the DN is the GPO's object under CN=Policies,CN=System and contains the GPO's GUID, and the options value records whether the link is disabled or enforced. So why can't I just add gPLink to the Computers container then?
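To make the format concrete, here is an added example (not code from the original post) that decodes a gPLink value. The sample string is constructed: the domain name and the second GUID are made up, while the first GUID is the well-known Default Domain Policy GUID. The optional last two lines, reading a real OU, assume an OU path and the ActiveDirectory RSAT module.

```powershell
# Added example, not from the original post. Constructed sample gPLink value:
# contoso.com and the second GUID are made up; the first GUID is the well-known
# Default Domain Policy GUID.
$sampleGPLink = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=contoso,DC=com;0]' +
                '[LDAP://cn={A1B2C3D4-0000-4000-8000-000000000001},cn=policies,cn=system,DC=contoso,DC=com;2]'

function ConvertFrom-GPLink {
    <#
      Parses a gPLink value into one object per linked GPO.
      Each entry has the shape [LDAP://<GPO DN>;<options>]. The options value is
      a bit field: 1 = link disabled, 2 = enforced (No Override).
      GPMC numbers the links from the end of the string: the last entry is
      link order 1, the highest precedence, and is applied last.
    #>
    param([AllowEmptyString()][string]$GPLink)

    $entries = [regex]::Matches($GPLink, '\[LDAP://([^;\]]+);(\d+)\]')
    $count = $entries.Count
    $i = 0
    foreach ($m in $entries) {
        $i++
        $dn      = $m.Groups[1].Value
        $options = [int]$m.Groups[2].Value
        # The GPO's GUID is the CN of its policies object.
        $guid = if ($dn -match '^cn=\{([0-9A-Fa-f-]+)\}') { $Matches[1] } else { $null }
        [pscustomobject]@{
            LinkOrder = $count - $i + 1      # 1 = highest precedence, as GPMC shows it
            GpoGuid   = $guid
            GpoDN     = $dn
            Disabled  = [bool]($options -band 1)
            Enforced  = [bool]($options -band 2)
        }
    }
}

ConvertFrom-GPLink -GPLink $sampleGPLink | Format-Table LinkOrder, GpoGuid, Enforced, Disabled

# Against a live domain (ActiveDirectory RSAT module required) the same function
# decodes the links of a real OU. The OU path below is an assumption.
# $ou = Get-ADOrganizationalUnit 'OU=Workstations,DC=contoso,DC=com' -Properties gPLink
# ConvertFrom-GPLink -GPLink $ou.gPLink
```

For the sample above the function returns two objects: the made-up GPO at link order 1 with Enforced set, and the Default Domain Policy at link order 2 with neither flag set. Reading gPLink this way is also how you audit which policies actually reach a given OU without trusting the GPMC view.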
The schema contains all object classes (classSchema objects) and all attributes (attributeSchema objects) that make up Active Directory. Each object class is allowed a particular set of attributes, and these sets differ between containers and OUs. A class has required attributes (must) and optional attributes (may); they are stored as multi-valued lists of attribute names in the class's systemMustContain and systemMayContain attributes (plus mustContain and mayContain for additions made after the class was created), and a class also inherits the attributes of its parent class (subClassOf) and of any auxiliary classes.
Let's look:
- Start ADSI Edit (adsiedit.msc)
- Open the Action menu and select Connect To
- Select the well known Naming Context: Schema and press OK
- Open CN=Schema,CN=Config......
- Open CN=Organizational-Unit
- Look at the systemMayContain attribute: it contains the gPLink attribute (and gPOptions, which controls Block Inheritance)
- Now do the same with CN=Container
- Look at the systemMayContain attribute: it does not contain the gPLink attribute
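The same check from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module and a domain-joined session. It goes a little beyond the ADSI Edit steps: it collects the full attribute set of each class, including attributes inherited from parent and auxiliary classes, and then cross-checks the Computers container itself through its constructed allowedAttributes attribute.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory RSAT
# module and a domain-joined session; read-only, nothing is modified.
Import-Module ActiveDirectory

function Get-ClassAttributeSet {
    <#
      Returns every attribute an object of the given class may carry: must/may
      (system and non-system) of the class itself, of each class up the
      subClassOf chain to 'top', and of any auxiliary classes along the way.
    #>
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $names = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $current = $LdapDisplayName
    while ($current) {
        $cls = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$current))" `
            -Properties lDAPDisplayName, subClassOf, auxiliaryClass, systemAuxiliaryClass,
                        systemMustContain, mustContain, systemMayContain, mayContain
        if (-not $cls) { throw "Class '$current' not found in the schema" }

        foreach ($list in 'systemMustContain', 'mustContain', 'systemMayContain', 'mayContain') {
            foreach ($attr in $cls.$list) { [void]$names.Add($attr) }
        }
        # Auxiliary classes contribute their own (possibly inherited) attributes.
        foreach ($aux in @($cls.auxiliaryClass) + @($cls.systemAuxiliaryClass)) {
            if ($aux) { foreach ($attr in Get-ClassAttributeSet -LdapDisplayName $aux) { [void]$names.Add($attr) } }
        }
        # 'top' is its own superclass; stop there.
        if ($cls.lDAPDisplayName -eq 'top' -or $cls.subClassOf -eq $current) { break }
        $current = $cls.subClassOf
    }
    return @($names)
}

$ouAttrs        = Get-ClassAttributeSet -LdapDisplayName organizationalUnit
$containerAttrs = Get-ClassAttributeSet -LdapDisplayName container

foreach ($attr in 'gPLink', 'gPOptions') {
    "{0,-10} organizationalUnit: {1,-5} container: {2}" -f $attr,
        ($ouAttrs -contains $attr), ($containerAttrs -contains $attr)
}

# Cross-check on the Computers container itself. AD exposes the constructed
# attribute allowedAttributes, which lists every attribute the object's classes
# permit; gPLink is absent because the object is of class container.
$computersDN = (Get-ADDomain).ComputersContainer
$computers   = Get-ADObject -Identity $computersDN -Properties objectClass, allowedAttributes
"{0} has objectClass {1}; gPLink permitted: {2}" -f $computersDN,
    ($computers.objectClass -join ','), ($computers.allowedAttributes -contains 'gPLink')
```

On an unmodified schema the first loop reports gPLink and gPOptions as allowed on organizationalUnit and not on container, and the last line reports the Computers container as objectClass top,container with gPLink not permitted. Any write that tries to set gPLink on it is rejected by the directory as an object class violation, which is exactly the constraint the schema check predicts.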
So now we know why we can't link GPOs to the Computers container. What you can do instead is change the location where Active Directory places new computer and user accounts (redircmp.exe and redirusr.exe) to an OU that carries the links you want, but that brings its own challenges: the redirection only affects accounts created from then on, and anything already sitting in the default containers has to be moved by hand. It is also possible to alter the schema so that the container class accepts gPLink, BUT I would recommend AGAINST it. I don't think Microsoft will give you any support for such a change.
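The redirection alternative carried through as an added example, not code from the original post. The OU name and GPO name are assumptions, the GPO is assumed to exist already, and the script needs the ActiveDirectory and GroupPolicy RSAT modules, Domain Admin rights and a domain functional level of at least Windows Server 2003 (required by redircmp).

```powershell
# Added example, not from the original post. Assumptions: the OU and GPO names,
# that the GPO already exists, Domain Admin rights, and the ActiveDirectory and
# GroupPolicy RSAT modules.
Import-Module ActiveDirectory, GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Workstations'            # assumption
$gpoName  = 'Workstation Baseline'    # assumption: an existing GPO

# 1. Create an OU to hold new computers. An OU, unlike a container, can carry
#    gPLink, so this is where the policy links go.
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN `
            -ProtectedFromAccidentalDeletion $true -PassThru
}

# 2. Link the GPO to the OU. This is the operation that writes gPLink on the OU;
#    skip it if the link already exists.
$linked = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks.DisplayName
if ($linked -notcontains $gpoName) {
    New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
}

# 3. Redirect the default location for new computer accounts away from
#    CN=Computers. Only computers joined from now on are affected.
redircmp.exe $ou.DistinguishedName

# 4. Existing machines in CN=Computers are not touched by redircmp; move them
#    yourself once you are sure the linked GPO is what they should receive.
#    -WhatIf shows the moves without performing them; drop it to apply.
$computersDN = (Get-ADDomain).ComputersContainer
Get-ADComputer -SearchBase $computersDN -SearchScope OneLevel -Filter * |
    Move-ADObject -TargetPath $ou.DistinguishedName -WhatIf
```

Step 4 is the part that is easy to forget: after redirection the default container looks inactive, but every machine that joined before the change is still there and still receives only the domain-level policies.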