The OU Went That-A-Way
Windows Server 2003's account redirection features are nifty, but remembering that you used them can produce some mysterious problems.
- By Bill Boswell
I'm using Windows Server 2003. I created
an OU and a sub-OU some months ago that contain user and computer accounts.
Everything seemed to work fine. Today, I started cleaning up unused OUs
and deleted several. However, I'm unable to delete either of these OUs!
I've checked my permissions on them and I should have Full Control, but
they act like they are read-only. Also, I cannot rename those OUs.
Any ideas on what this could be? I can't remember doing anything unusual
Jerrod: Because you're running Windows Server 2003, I'm
thinking that you used the new account redirection feature then forgot
that you made the change.
Help from Bill
Got a Windows or Exchange question or need troubleshooting
help? Or maybe you want a better explanation than provided
in the manuals? Describe your dilemma in an e-mail
to Bill at mailto:firstname.lastname@example.org;
the best questions get answered in this column.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message but submit the requested
information for verification purposes.)
For anyone who hasn't played much with Windows 2003, it has two utilities,
REDIRCMP and REDIRUSR, that permit you to designate a different default
OU for new user and new computer objects in place of the standard User
and Computer containers. You can link Group Policy Objects to those OUs
so that new user and computer accounts immediately get group policies
instead of waiting for them to be moved to a production OU.
When you designate a target OU using REDIRCMP or REDIRUSR, the utility
flags the OU with an attribute called IsCriticalSystemObject. You can
see this attribute using the LDAP Browser (Ldp.exe) or the ADSI Editor
(ADSIEdit.msc) in the Support Tools.
You are not permitted to delete or rename an object with the IsCriticalSystemObject
attribute set to TRUE. For more information, take a look at the attribute
documentation in the Platform SDK, which you can browse online at msdn.microsoft.com
or download for more detailed searches (or click
here for a good start).
If this turns out to be the problem, you can redirect the new user and
computer containers back to their defaults or to some other OU then delete
Hope this helps.
One more thing: Happy holidays, everyone! Hope you have a safe
and enjoyable time away from some of the hassles of information technology.
Look for my next Q&A column on January 6, 2004.
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.