Active Directory is one of those things that simply has more nuances than many people expect or even know about, especially when discussing configurations which require the Schema Admins security group to be associated with the account doing the work.
Adding containers within Active Directory is one of those situations: a nuanced configuration option that can, in certain situations, make the difference between success and failure, while also giving those of us with high organization requirements another avenue to file and categorize.
Before we go on – ask yourself ‘what is the problem we are trying to solve’?
If you want to apply a GPO, for whatever reason, it won't work on an Active Directory container. What you are looking for is an Organizational Unit ( OU ).
If you are looking to make life a little easier with organization, logical grouping, access rights or even setting permissions, a container may just help you out. And it's free.
What Is an Active Directory Container?
Many people confuse containers and Active Directory Organizational Units, so we will try to set them apart.
The Microsoft Windows Active Directory glossary defines an organizational unit as “A type of container in an Active Directory domain that can contain objects like users, computers, contacts, groups, or other OU’s or containers…”
True, the definition states that an OU is a container that 'contains' other containers or objects, but it continues with "…OU's can also have group policies applied."
That is the kicker: OUs can have GPOs applied to them, but plain 'containers' cannot have Group Policies applied to them.
Want to be thoroughly confused? The Active Directory schema defines a Container class. An object is not required to be an instance of the Container class itself in order to be a container.
There are also Leaf objects; while they are subclasses of this class, they are typically not containers themselves, although it is possible for them to be containers. This can help declutter the work of a 'container happy' sysadmin.
We will talk about these another day.
Why Would I Want To Use An Active Directory Container?
Any object in Active Directory Domain Services can be a container of other objects.
If you or the sysadmin want to group like items, whether for logical grouping, setting permissions, access rights or any other reason, a container can help you organize the chaos.
Let's say you have Accounting documents on various shares across the network, and you want to limit access to them to a specific person or group of people.
You can create a container for 'Accounting' and include security groups describing the access ( Share 1, Share 2 ), then add the various users to those security groups, and finally assign permissions on each share to the groups.
These groups are now logically associated with functions within the Accounting department, yet offer the flexibility that Executive 1 can see both shares, Executive 2 only Share 1 and Executive 3 only Share 2, all while being in the same 'container'.
Isn’t An Active Directory Organizational Unit ( OU ) The Same Thing?
Short answer: no. They are different, can do different things and come with different expectations. See above.
Any Active Directory Containers To Be Concerned About?
Yes. Pretty much all of the default containers ( Users, Computers, etc. ) should be left alone. Microsoft advises against modifying who has permissions over the default containers.
This is especially true of the Domain container. Since it is the root of the entire domain hierarchy, any change to its access control list ( ACL ) can ( and will ) have a domain-wide impact. Delegating control of this container away from the service administrators is not recommended.
Okay – How do I enable Containers in my Active Directory instance?
First, log into your Domain Controller with an account that is a member of the Schema Admins security group.
Open "Adsiedit.msc", right-click 'ADSI Edit' in the left pane and select "Connect to…".
A window will appear showing the Connection Settings.
Select "Schema" under "Select a well known Naming Context" and press OK.
In the left pane select "Schema,CN=Configuration,DC=domain,DC=lan" and look in the right pane for "CN=Container". Open its properties.
Look for "defaultHidingValue", change it to "FALSE", then press OK.
Open ( or close and reopen ) Active Directory Users and Computers, make sure Advanced Features is enabled under the View menu, then right-click the domain name or any container and select "New".
The Container option should now be listed and available.
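The same schema change done with the ActiveDirectory PowerShell module instead of ADSI Edit, with a read-back check and the 'Accounting' container from the walkthrough created afterwards. This is an added example, not code from the original post; it assumes RSAT on a domain-joined host, an account in Schema Admins, and the container name 'Accounting'.

```powershell
# Added example, not from the original post: flip defaultHidingValue on the
# Container class with the ActiveDirectory module, verify it, then create a
# container. Assumes RSAT, a Schema Admins account and the name 'Accounting'.
Import-Module ActiveDirectory

# Schema writes are only accepted by the schema master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$classDN      = "CN=Container,$schemaNC"

# Read the current value first. TRUE (the default) only hides the class from the
# "New" menu in Active Directory Users and Computers; it is not a security control.
$before = Get-ADObject -Identity $classDN -Server $schemaMaster -Properties defaultHidingValue
Write-Host "defaultHidingValue before: $($before.defaultHidingValue)"

# Unhide the Container class. This lives in the Schema naming context, so it is a
# forest-wide change that replicates to every DC; review it like any schema change.
Set-ADObject -Identity $classDN -Server $schemaMaster -Replace @{ defaultHidingValue = $false }

# Verify the write landed before relying on it.
$after = Get-ADObject -Identity $classDN -Server $schemaMaster -Properties defaultHidingValue
if ($after.defaultHidingValue -ne $false) {
    throw "defaultHidingValue on $classDN is still $($after.defaultHidingValue)"
}

# Create the 'Accounting' container under the domain root. New-ADObject does not
# depend on the GUI change above; that value only affects the ADUC menu.
$domainDN = (Get-ADDomain).DistinguishedName
New-ADObject -Name 'Accounting' -Type container -Path $domainDN `
    -Description 'Groups granting access to the Accounting shares'

# Confirm the new object is a container (objectClass), not an organizationalUnit,
# which is why no GPO can ever be linked to it.
Get-ADObject -Identity "CN=Accounting,$domainDN" -Properties objectClass |
    Select-Object Name, objectClass, DistinguishedName
```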