Redirecting Well Known Containers (CN=Users; CN=Computers etc.)


In this post we will see the Powershell way of redirecting Users and Computers containers (i.e. Powershell equivalent of tools: redirusr.exe and redircmp.exe).


By now you might know that you can use Get-ADDomain cmdlet for viewing the well-known containers of a domain, For example:

PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-ADDomain | select *Container

ComputersContainer : CN=Computers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DeletedObjectsContainer : CN=Deleted Objects,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DomainControllersContainer : OU=Domain Controllers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
LostAndFoundContainer : CN=LostAndFound,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
QuotasContainer : CN=NTDS Quotas,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
SystemsContainer : CN=System,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
UsersContainer : OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com


However, Get-ADDomain cmdlet does not show you all the well-known containers. For example some lesser known containers such as: Program Data Container, Managed Service Account Container (which is technically an Other-Well-Known container) etc. are missing. Also, one cannot change/redirect a well-known container to some other OU using Set-ADDomain cmdlets.


These limitations can be easily overcome using Get-ADObject and Set-ADObject cmdlets. This blog discusses how to do these tasks using ADObject cmdlets and also provides easy-to-use functions for them.


Fetching well-known containers is really simple. All you have to do is read the wellKnownObjects and otherWellKnownObjects properties of the domain’s default naming context.

PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-ADObject (Get-ADRootDSE).DefaultNamingContext -Properties otherWellKnownObjects, wellKnownObjects | fl OtherWellKnownObjects, wellKnownObjects

OtherWellKnownObjects : {B:32:1EB93889E40C45DF9F0C64D23BBB6237:OU=TestMSAOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com}
wellKnownObjects : {B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com, B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com, B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com, B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data, DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com…}


These properties contain a list of well-known object containers by GUID and distinguished name. Of course you must know the GUID of the container that you are looking for, to find its value.


Also, changing/redirecting a well-known container can be done using Set-ADObject cmdlet by removing the old value from wellKnownObjects/otherWellKnownObjects attribute on the default naming context (i.e. DC=domainname,DC=com) and adding a new value. For example in order to redirect the Users container, one would run the following command:

PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Set-ADObject (Get-ADRootDSE).DefaultNamingContext -Remove @{wellKnownObjects = “B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com” } -Add @{wellKnownObjects = “B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com” } -server (Get-ADDomain).PDCEmulator

NOTE: The operation must be performed on the Primary domain controller (PDC).


Though it is feasible to use Get-ADObject and Set-ADObject cmdlets to read and manipulate well known containers, it is cumbersome. I have written few functions that would Get and Set the values of these containers.


In order to express the container name in a user-friendly way (rather than a cryptic GUID) I have created a new Enum called: WellKnownGuid. (I used a modified version of Add-Enum script described here in order to create the Enum)


There are two functions Get-XADWellKnownContainer and Set-XADWellKnownContainer that would get and set the value of a well-known container identified by its WellKnownGuid.


Example:

PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-XADWellKnownContainer UsersContainer
OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com

PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-XADWellKnownContainer ComputersContainer
CN=Computers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com


For getting the values of all the Well-known containers of a domain type this:

PS C:\Users\Administrator.DSWAMIPAT-W7-V1> [Enum]::GetNames([WellKnownGuid]) | %{ $_.PadRight(30) + ” : “+(Get-XADWellKnownContainer $_)}
UsersContainer : OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ComputersContainer : CN=Computers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
SystemsContainer : CN=System,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DCContainer : OU=Domain Controllers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
InfrastructureContainer : CN=Infrastructure,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DeletedObjectsContainer : CN=Deleted Objects,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
LostAndFoundContainer : CN=LostAndFound,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ForeignSecurityPrincipalContainer : CN=ForeignSecurityPrincipals,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ProgramDataContainer : CN=Program Data,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
MicrosoftProgramDataContainer : CN=Microsoft,CN=Program Data,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
NtdsQuotasContainer : CN=NTDS Quotas,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ManagedServiceAccountContainer : OU=LeakTestOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com

For changing/redirecting a well-known container simply pass the container name and new DN to Set-XADWellKnownContainer function.


Example:

PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Set-XADWellKnownContainer  UsersContainer CN=Users,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com”

PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-XADWellKnownContainer UsersContainer
CN=Users,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com


The script that contains these functions can be found attached to this blog.


For more information on well-known containers, read this: Binding to Well-Known Objects using WKGUID.


Cheers,


Swami

RedirectingWellKnownGuidContainer.ps1

Comments (8)

  1. Anonymous says:

    dont ry this stuff it can break your AD

  2. Allan M. says:

    ^^

    All Active Directory modifications must be taken with caution. Make sure you know what you are doing before you start to make changes you do not understand.

  3. Anonymous says:

    1: public partial class RedirectingContainer : TemplatePage

      2: {

      3:     private PageData _redirectTarget = null;

      4:  

      5:     protected override void OnInit(EventArgs e)

      6:     {

      7:         base.OnInit(e);

      8:         // Detect edit mode by checking for underscore (workpage prefix) in id

      9:         if (!(Request.QueryString["id"] ?? String.Empty).Contains("_"))

     10:         {

     11:             // Perform redirect immediately

     12:             Response.Redirect(RedirectTarget.LinkURL);

     13:         }

     14:     }

     15:  

     16:     protected override void OnLoad(EventArgs e)

     17:     {

     18:         base.OnLoad(e);

     19:         // Display a link to the redirect page

     20:         hlRedirect.NavigateUrl = RedirectTarget.LinkURL;

     21:         hlRedirect.Text = String.Format("{0} ({1})", RedirectTarget.PageName, RedirectTarget.PageLink.ID);

     22:     }

     23:  

     24:     protected PageData RedirectTarget

     25:     {

     26:         get

     27:         {

     28:             if (_redirectTarget == null)

     29:             {

     30:                 // Get specified page or parent if empty

     31:                 PageReference pageLink = (PageReference)(CurrentPage["ContainerRedirectTarget"] ?? PageReference.EmptyReference);

     32:                 // Make sure the redirect target is not the current page (avoid infinite loop)

     33:                 pageLink = (PageReference.IsNullOrEmpty(pageLink) || pageLink.Equals(CurrentPage.PageLink)) ? CurrentPage.ParentLink : pageLink;

     34:                 _redirectTarget = DataFactory.Instance.GetPage(pageLink);

     35:  

     36:             }

     37:             return _redirectTarget;

     38:         }

     39:     }

     40: }

    The above code can be used for the task as well

  4. Anonymous says:

    DR odudu the great spell caster bring back my lover in a period of 48hours all thanks goes to dr odudu for making my life happy again i thought of committing suicide but when i contact dr odudu all my tears was clean am saying all this because life is too beautiful, with me now all days am away happy with my lover,you that is there and you are saying you have lost all you have am hear to tell you now you have not lost any yet dr odudu is the answer to all problem contact him now at oduduspell@gmail.com or call +2348051913076 odudu is the answer,via oduduspell@gmail.com.

    roseline from u s a

  5. Anonymous says:

    Unimaginable and unbelievable. I am Mary Smith from the United States and i have a good news to share to the entire world. Do you need your ex husband or lover urgently? I wanna tell you that you need not to worry because i have a good news for those out there that are faced or similar to such situation because there is always a hope and a solution to all problem. There is a great spell caster called Great DR.ODUBU who can really solve your problem. Getting my lover back is what i can't imagine but when I was losing Jackson, I needed help and somewhere to turn badly but my Aunty told me about this spell caster who also helped her on the internet. I thought it won't work but i just tried to give this man a chance and i ordered a LOVE SPELL. Two days later, my phone rang. Jackson was his old self again and wanted to come back to me! Not only come back, the spell caster opened him up to know how much I loved and needed him. This Spell Casting isn't brainwashing, but he opened up his eyes to know how much we have to share together and he also cast a protection spell and no side effect for the spell and also he still cast money spell for me too but i have no problem about money i am reach now and also happy with my family. I recommend anyone who is in my old situation to try him because he will help you and make things be the way it thought to be. If you have such problem or similar to this, please contact him on his email DR.{odubuspiritualtempledr@yahoo}.com thank you Great DR.ODUBU and may your gods reward you for your good deeds { odubuspiritualtempledr@yahoo.com.}

  6. Anonymous says:

    HOW I GOT MY HUSBAND BACK!!! i want to say a very big thanks and appreciation to Prophet Ekpiku for bringing back my husband who left i and the kids for almost two months. i am very much grateful to Prophet Ekpiku. I pray God almighty give you the strength and wisdom to help more people having similar problem like mine. for help you can reach him on his email address:Ekpikuspelltemple@live.com

  7. Anonymous says:

    I want to thank Dr. godwin for getting my lover back to me within 48 hours. When my lover left me i was so tired and frustrated till i search the internet for help and i saw so many good talk about Dr godwin of solidodspelltemple2@gmail.com and i decided to give him a try and i contact him and explain my problems to him and he cast a love spell for me which i use to get my husband back.If you want to get your lover back contact Dr. godwin via email: solidodspelltemple2@gmail.com Dr.godwin the great man that is able to bring back lost love

    solidodspelltemple2@gmail.com

  8. Anonymous says:

    Byenveni nan tanp lan nan repons te tout pwoblèm

    yo rezoud ak gwo nam rele Dr bazecol la li ka ede w

    rezoud tout kalite pou pwoblèm. kontakte l 'pou

    nenpòt ki kalite pou période (1) période renmen (2)

    période Lajan (4) période Gwosès (5) période loto (6)

    VIH / SIDA période (7) Ex tounen période (8) Si ou ap

    chèche pou travay ( 9) Bon chans période.

    Bazecolspell@gmail.com +234805064927