Redirecting Well Known Containers (CN=Users; CN=Computers etc.)

In this post we will look at the PowerShell way of redirecting the Users and Computers containers, i.e. the PowerShell equivalent of the redirusr.exe and redircmp.exe tools. Redirecting matters because Group Policy cannot be linked to the default CN=Users and CN=Computers containers: any account or computer created without an explicit path (a domain join, net user /add, New-ADUser without -Path) lands in the well-known container, and pointing that container at an OU puts those new objects under the GPOs and delegated ACLs you actually intend.

By now you might know that you can use the Get-ADDomain cmdlet to view the well-known containers of a domain. For example:

 PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-ADDomain | select *Container


ComputersContainer                 : CN=Computers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DeletedObjectsContainer            : CN=Deleted Objects,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DomainControllersContainer         : OU=Domain Controllers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
LostAndFoundContainer              : CN=LostAndFound,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
QuotasContainer                    : CN=NTDS Quotas,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
SystemsContainer                   : CN=System,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
UsersContainer                     : OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com

However, the Get-ADDomain cmdlet does not show all of the well-known containers. Some lesser-known ones are missing, for example the Program Data container and the Managed Service Accounts container (which is technically an "other well-known" object, stored in otherWellKnownObjects rather than wellKnownObjects). Also, a well-known container cannot be changed/redirected with the Set-ADDomain cmdlet.

These limitations can be easily overcome using Get-ADObject and Set-ADObject cmdlets. This blog discusses how to do these tasks using ADObject cmdlets and also provides easy-to-use functions for them.

Fetching well-known containers is really simple. All you have to do is read the wellKnownObjects and otherWellKnownObjects attributes of the domain naming context head object (the DC=... object whose DN (Get-ADRootDSE).DefaultNamingContext returns).

 PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-ADObject (Get-ADRootDSE).DefaultNamingContext -Properties otherWellKnownObjects, wellKnownObjects | fl OtherWellKnownObjects, wellKnownObjects


OtherWellKnownObjects : {B:32:1EB93889E40C45DF9F0C64D23BBB6237:OU=TestMSAOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com}
wellKnownObjects      : {B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com, B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com, B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com, B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data, DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com...}

These attributes hold the well-known containers as DN-With-Binary values of the form B:32:<the container's well-known GUID as 32 hex digits>:<distinguished name>. The GUIDs are fixed and identical in every domain, so you must know the GUID of the container you are looking for in order to find its value.

Changing/redirecting a well-known container is done with the Set-ADObject cmdlet: remove the old value from the wellKnownObjects (or otherWellKnownObjects) attribute on the domain naming context head (i.e. DC=domainname,DC=com) and add a new value with the same GUID and the new DN, in one Set-ADObject call. For example, to redirect the Users container from CN=Users to OU=SwamTempOU, one would run:

 PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Set-ADObject (Get-ADRootDSE).DefaultNamingContext -Remove @{wellKnownObjects = "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com" } -Add @{wellKnownObjects = "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com" } -server (Get-ADDomain).PDCEmulator

NOTE: Writes to wellKnownObjects/otherWellKnownObjects are only accepted by the DC holding the PDC emulator FSMO role, hence the -Server (Get-ADDomain).PDCEmulator above; other DCs reject the modify. The target OU or container must already exist, and the -Remove value must match the value currently stored, so read the current value back first rather than assuming it still points at CN=Users. The same prerequisite as for redirusr/redircmp applies: the domain functional level must be Windows Server 2003 or higher.
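The following is an added example, not the script attached to this post, that covers both the read (decode the DN-With-Binary values by GUID) and the redirect (remove the stored value and add the new one, on the PDC emulator, after checking the target). The Users, NTDS Quotas, Program Data, Microsoft Program Data and Managed Service Accounts GUIDs are visible in the output above; the remaining GUIDs are the WKGUID constants from the Windows SDK (ntdsapi.h). The function names, the sample domain DC=example,DC=com and the sample attribute values are assumptions made for the demo; the live functions need the ActiveDirectory module and rights on the domain naming context head.

```powershell
# Added example (not the post's attached script). Resolve and redirect well-known
# containers via the wellKnownObjects / otherWellKnownObjects attributes.

# Well-known container GUIDs (32 hex digits, as stored in the attribute values).
$WellKnownGuid = @{
    UsersContainer                    = 'A9D1CA15768811D1ADED00C04FD8D5CD'
    ComputersContainer                = 'AA312825768811D1ADED00C04FD8D5CD'
    SystemsContainer                  = 'AB1D30F3768811D1ADED00C04FD8D5CD'
    DCContainer                       = 'A361B2FFFFD211D1AA4B00C04FD7D83A'
    InfrastructureContainer           = '2FBAC1870ADE11D297C400C04FD8D5CD'
    DeletedObjectsContainer           = '18E2EA80684F11D2B9AA00C04F79F805'
    LostAndFoundContainer             = 'AB8153B7768811D1ADED00C04FD8D5CD'
    ForeignSecurityPrincipalContainer = '22B70C67D56E4EFB91E9300FCA3DC1AA'
    ProgramDataContainer              = '09460C08AE1E4A4EA0F64AEE7DAA1E5A'
    MicrosoftProgramDataContainer     = 'F4BE92A4C777485E878E9421D53087DB'
    NtdsQuotasContainer               = '6227F0AF1FC2410D8E3BB10615BB5B0F'
    ManagedServiceAccountContainer    = '1EB93889E40C45DF9F0C64D23BBB6237'   # lives in otherWellKnownObjects
}

# Parse one DN-With-Binary value ("B:<hexlen>:<hex>:<DN>") into its GUID and DN.
function ConvertFrom-DnWithBinary {
    param([Parameter(Mandatory)][string]$Value)
    if ($Value -notmatch '^B:(\d+):([0-9A-Fa-f]+):(.+)$') { throw "Not a DN-With-Binary value: $Value" }
    if ([int]$Matches[1] -ne $Matches[2].Length) { throw "Length prefix does not match payload: $Value" }
    [pscustomobject]@{ Guid = $Matches[2].ToUpperInvariant(); DN = $Matches[3] }
}

# Pick the DN of a named container out of a set of attribute values (both attributes merged).
function Resolve-WellKnownContainer {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string[]]$Values)
    if (-not $WellKnownGuid.ContainsKey($Name)) { throw "Unknown container name: $Name" }
    $want = $WellKnownGuid[$Name]
    $hit  = $Values | ForEach-Object { ConvertFrom-DnWithBinary $_ } | Where-Object Guid -eq $want
    if (-not $hit) { throw "No value with GUID $want for $Name" }
    $hit.DN
}

# Live read: both attributes sit on the domain naming context head object.
function Get-WellKnownContainer {
    param([Parameter(Mandatory)][string]$Name)
    $nc  = (Get-ADRootDSE).defaultNamingContext
    $obj = Get-ADObject $nc -Properties wellKnownObjects, otherWellKnownObjects
    Resolve-WellKnownContainer -Name $Name -Values @($obj.wellKnownObjects + $obj.otherWellKnownObjects)
}

# Live redirect: talk to the PDC emulator, verify the target is an existing OU or
# container, remove exactly the stored value and add the new one in a single call.
function Set-WellKnownContainer {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$TargetDN)
    $attr = if ($Name -eq 'ManagedServiceAccountContainer') { 'otherWellKnownObjects' } else { 'wellKnownObjects' }
    $pdc  = (Get-ADDomain).PDCEmulator
    $nc   = (Get-ADRootDSE -Server $pdc).defaultNamingContext
    $target = Get-ADObject -Identity $TargetDN -Server $pdc -Properties objectClass -ErrorAction Stop
    if ($target.objectClass -notin 'organizationalUnit', 'container') {
        throw "$TargetDN is a $($target.objectClass), not an OU or container"
    }
    $guid = $WellKnownGuid[$Name]
    $obj  = Get-ADObject $nc -Server $pdc -Properties $attr
    $old  = @($obj.$attr) | Where-Object { (ConvertFrom-DnWithBinary $_).Guid -eq $guid }
    if (-not $old) { throw "No current $attr value for $Name" }
    $new  = "B:32:${guid}:$TargetDN"
    if ($PSCmdlet.ShouldProcess($nc, "redirect $Name from '$old' to '$TargetDN'")) {
        Set-ADObject $nc -Server $pdc -Remove @{ $attr = $old } -Add @{ $attr = $new }
    }
}

# Offline demo on constructed values shaped like the post's output (sample domain, assumed).
$sample = @(
    'B:32:A9D1CA15768811D1ADED00C04FD8D5CD:OU=SwamTempOU,DC=example,DC=com',
    'B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=example,DC=com',
    'B:32:1EB93889E40C45DF9F0C64D23BBB6237:OU=TestMSAOU,DC=example,DC=com'
)
Resolve-WellKnownContainer UsersContainer $sample
Resolve-WellKnownContainer ManagedServiceAccountContainer $sample

# Live usage (needs the ActiveDirectory module); -WhatIf shows the old and new value without writing:
#   Set-WellKnownContainer UsersContainer 'OU=Staging,DC=example,DC=com' -WhatIf
```

Reading the stored value back before removing it is deliberate: if someone already redirected the container, a hard-coded CN=Users in -Remove would not match, and the modify fails instead of silently leaving two values with the same GUID.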

Though it is feasible to use the Get-ADObject and Set-ADObject cmdlets to read and manipulate well-known containers, it is cumbersome. I have written a few functions that get and set the values of these containers.

To express the container name in a user-friendly way (rather than as a cryptic GUID), I created a new Enum called WellKnownGuid. (I used a modified version of the Add-Enum script described here to create the Enum.)

There are two functions, Get-XADWellKnownContainer and Set-XADWellKnownContainer, that get and set the value of a well-known container identified by its WellKnownGuid.

Example:

 PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-XADWellKnownContainer UsersContainer
OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com


PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-XADWellKnownContainer ComputersContainer
CN=Computers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com

To get the values of all the well-known containers of a domain, type:

 PS C:\Users\Administrator.DSWAMIPAT-W7-V1> [Enum]::GetNames([WellKnownGuid]) | %{ $_.PadRight(30) + " : "+(Get-XADWellKnownContainer $_)}
UsersContainer                 : OU=SwamTempOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ComputersContainer             : CN=Computers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
SystemsContainer               : CN=System,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DCContainer                    : OU=Domain Controllers,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
InfrastructureContainer        : CN=Infrastructure,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
DeletedObjectsContainer        : CN=Deleted Objects,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
LostAndFoundContainer          : CN=LostAndFound,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ForeignSecurityPrincipalContainer : CN=ForeignSecurityPrincipals,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ProgramDataContainer           : CN=Program Data,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
MicrosoftProgramDataContainer  : CN=Microsoft,CN=Program Data,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
NtdsQuotasContainer            : CN=NTDS Quotas,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
ManagedServiceAccountContainer : OU=LeakTestOU,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com

To change/redirect a well-known container, simply pass the container name and the new DN to the Set-XADWellKnownContainer function.

Example:

PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Set-XADWellKnownContainer UsersContainer "CN=Users,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com"


PS C:\Users\Administrator.DSWAMIPAT-W7-V1> Get-XADWellKnownContainer  UsersContainer
CN=Users,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com
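Reading the value back, as above, only proves the attribute changed. The added example below (not part of the original post or its script) verifies the redirect end to end: Get-ADDomain must report the new container, a user created without -Path must actually land there, and the GPO links and explicit write ACEs on the target are listed, since those are what now govern every new account. The function name is assumed; it needs the ActiveDirectory module, rights to create and delete a user, and creates a throwaway account, so run it in a lab or staging domain.

```powershell
# Added example (not from the original post): verify a Users container redirect.
function Test-UsersContainerRedirect {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ExpectedDN)

    $pdc = (Get-ADDomain).PDCEmulator

    # 1. Get-ADDomain derives UsersContainer from the same wellKnownObjects value, so it must agree.
    $reported = (Get-ADDomain -Server $pdc).UsersContainer
    if ($reported -ne $ExpectedDN) { throw "Get-ADDomain reports '$reported', expected '$ExpectedDN'" }

    # 2. A user created without -Path goes to the default Users container; it must land in the target.
    $name = 'wkctest-' + [guid]::NewGuid().ToString('N').Substring(0, 8)   # throwaway, disabled account
    $user = New-ADUser -Name $name -Server $pdc -Enabled $false -PassThru
    try {
        $parent = $user.DistinguishedName -replace '^CN=[^,]+,', ''
        if ($parent -ne $ExpectedDN) { throw "New user landed in '$parent', not '$ExpectedDN'" }

        # 3. What now applies to new accounts: GPOs linked to the target and explicit
        #    (non-inherited) ACEs that grant write or create rights on it.
        "GPO links on ${ExpectedDN}:"
        (Get-ADObject -Identity $ExpectedDN -Server $pdc -Properties gPLink).gPLink
        "Explicit write/create ACEs on ${ExpectedDN}:"
        (Get-Acl -Path "AD:\$ExpectedDN").Access |
            Where-Object { -not $_.IsInherited -and $_.ActiveDirectoryRights -match 'Write|GenericAll|CreateChild' } |
            Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

        "OK: $name was created in $ExpectedDN"
    } finally {
        # Always clean up the test account, even if a check above threw.
        Remove-ADUser -Identity $user -Server $pdc -Confirm:$false
    }
}

# Usage, with the DN from the example above:
#   Test-UsersContainerRedirect 'CN=Users,DC=dswamipat-w7-vm1,DC=nttest,DC=microsoft,DC=com'
```

The ACL listing is the check that pays for itself: redirecting new accounts into an OU where a helpdesk group holds GenericAll or CreateChild quietly hands that group control over every account created from now on.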

The script that contains these functions can be found attached to this blog.

For more information on well-known containers, read this: Binding to Well-Known Objects using WKGUID.

Cheers,

Swami

RedirectingWellKnownGuidContainer.ps1