By default, when a computer is joined to a domain via the System Properties GUI (sysdm.cpl), an account is created in the root Computers container. This is the default container for all new computer objects in the domain.
Technically, the Computers root container is not an Organizational Unit (OU), and you cannot assign Group Policies to it. It is only affected by root domain GPOs, including the Default Domain Policy. This could potentially be insecure because new computers may not immediately receive the necessary security policies from production computer OUs. Domain admins must track the creation of new computer accounts in the default Computers container and manually move objects to the appropriate Organizational Units.
A domain admin can change the OU for new computers using the built-in redircmp.exe command.
Show the current default container for new computers.
Get-ADDomain | select ComputersContainer
To change this container to a different target OU, specify its distinguishedName in the following command:
redircmp.exe "OU=Workstations,OU=LA,DC=woshub,DC=com"
Check that the default container for computers has changed.
Likewise, you can locate the current default container for user accounts. When creating a new user with the New-ADUser cmdlet (or other CLI tools) without specifying a target OU, t the account is created in the root container CN=User.
Get-ADDomain | select usersContainer
Use the redirusr.exe command to change the default OU for new user accounts:
redirusr "OU=Users,OU=LA,DC=woshub,DC=com"
