Fun with the default Computers and Users containers #ActiveDirectory #AD

Narayanan subramanian
4 min read · Sep 14, 2023


Just an initial blog to get the butterflies of blogging out of my stomach and get the engine rolling.

Over time, as you work with Active Directory more and more, you see various kinds of environments and people using it in different ways. That is the fun with AD: it is resilient and flexible. Of course, as you understand more about the security side, differences arise between what you may think is secure in AD and what I may agree with.

As we know, there are the default Users and Computers containers in AD, and mostly people don't mess with them. The focus should mainly be on protecting them; this is just an entertainer to show what is possible, not a solution or something you need to go and implement in your production environment. Just treat this as knowledge.

Let's look at what happens if we want to delete the Users and Computers containers in an AD domain.

We can use the redircmp and redirusr command-line tools to achieve this.

C:\Users\Administrator>redircmp "OU=ComputersNEW,DC=narasub,dc=com"

Redirection was successful.

C:\Users\Administrator>redirusr "OU=UsersNEW,DC=narasub,dc=com"

Redirection was successful.

After this is complete, you are free to delete the containers (or even rename them).

But oh, what is happening in the backend? Let's take a look.

Looking at the wellKnownObjects attribute on the domain root (a base-scope search), we can see that the values have been changed. Basically, these are the two wellKnownObjects entries that you are allowed to change out of the box.

Now, I have deleted the Computers container in my domain, after of course ensuring there are no computer objects in there.

Now let's look at the Users container. Oh wait, there are objects in here.

Oh, let me just move these out, we say, and try it to see what happens.

Ah, very nicely they have moved out of the default container to the new one.

So then you think, this must be it, right? I am ready to delete the Users container now and going to make a lot of software and products around the world unhappy … woohooo

Wait a minute, the Users container has other objects? But I don't see them …

Oh wait, I am using ADUC 😉

Ah, this must be simple, I think, and I turn on "Advanced Features" in ADUC and then look at the container.

Ah, now I can fix it, I think 😊

And I move the KRBTGT account out.

Life is good again, and I am ready to delete the Users container 😊

But only because this is a single-domain forest and there are no trust objects in the Users container 😊

Let's see what it looks like in a domain with trusts. Let me quickly add a child domain and see what's out there.

adfind -f name=childdom$ -dsq

"CN=CHILDDOM$,OU=UsersNEW,DC=narasub,DC=com"

Aha, I added the child domain, and in the parent domain the trust account got created in the UsersNEW container, so I can be safe in assuming at least that code is not hardcoded to the Users container.

Now let's check in the child domain.

And we see that the trust object is located in the default "Users" container.

adfind -h childdc1.childdom.narasub.com -f name=narasub$ -dsq

"CN=NARASUB$,CN=Users,DC=ChildDom,DC=narasub,DC=com"

So we have to be mindful when moving those types of objects too.
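Here is an added PowerShell check (example code, not from the original post) that ties the two observations above together: it decodes what redircmp/redirusr changed in the domain root's wellKnownObjects attribute, and then lists whatever is still sitting in the original CN=Users and CN=Computers containers, flagging the krbtgt and interdomain trust accounts that ADUC hides unless "Advanced Features" is on. It assumes the RSAT ActiveDirectory module and a reachable domain controller; the two container GUIDs are the documented well-known object GUIDs for Computers and Users.

```powershell
# Added audit example, not code from the original post. Assumes the RSAT
# ActiveDirectory module and a DC reachable for the current domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$root   = Get-ADObject -Identity $domain.DistinguishedName -Properties wellKnownObjects

# wellKnownObjects values have the form B:32:<GUID>:<DN>. These two GUIDs name the
# default Computers and Users containers, which redircmp/redirusr rewrite.
$knownGuids = @{
    'AA312825768811D1ADED00C04FD8D5CD' = 'Computers'
    'A9D1CA15768811D1ADED00C04FD8D5CD' = 'Users'
}

Write-Host '== Current default container targets (wellKnownObjects) =='
foreach ($value in $root.wellKnownObjects) {
    $guid, $dn = ($value -split ':', 4)[2, 3]
    if ($knownGuids.ContainsKey($guid)) {
        '{0,-9} -> {1}' -f $knownGuids[$guid], $dn
    }
}

Write-Host '== Objects still inside the original CN=Users / CN=Computers =='
foreach ($cn in 'Users', 'Computers') {
    $containerDn = "CN=$cn,$($domain.DistinguishedName)"
    try { $null = Get-ADObject -Identity $containerDn }
    catch { "$containerDn has already been deleted or renamed"; continue }

    Get-ADObject -SearchBase $containerDn -SearchScope OneLevel -LDAPFilter '(objectClass=*)' `
        -Properties sAMAccountName, userAccountControl, showInAdvancedViewOnly |
    ForEach-Object {
        $uac = [int]$_.userAccountControl                 # $null (groups etc.) becomes 0
        if ($_.sAMAccountName -eq 'krbtgt') { $role = 'KDC account (krbtgt)' }
        elseif ($uac -band 0x0800)          { $role = 'interdomain trust account' }  # INTERDOMAIN_TRUST_ACCOUNT
        else                                { $role = $_.ObjectClass }
        [pscustomobject]@{
            Name         = $_.Name
            Role         = $role
            HiddenInADUC = [bool]$_.showInAdvancedViewOnly  # TRUE = only shown with Advanced Features
            DN           = $_.DistinguishedName
        }
    } | Format-Table -AutoSize
}
```

Run it read-only in a lab before touching the containers; an empty second table for a container is the condition the post works towards, and any row marked as a trust account means the object belongs to a trust relationship rather than to the container itself.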

But essentially, this is how we get it done for some fun with the default containers. There are cases where these steps may not work due to other configurations in a complex environment; that is not part of this blog but reserved for a later one.

Part 2 on this in the next post 😊

Warning:

These steps are not to be done without understanding what can break in your environment. Specifically, do not even try to test this in a production environment. Do it in your own sandboxed environment to understand the intricacies involved. This article is not a suggestion to go and perform all this, as this is all at your own risk.

Thanks

Nara


Narayanan subramanian

Cybersecurity enthusiast with experience in Active Directory/Azure AD and Google Workspace/GCP. Works at Semperis Inc.; ex-Walmart Cybersecurity Engineer.