5.10. Allowing OUs to Be Created Within Containers

Problem

You want to create an OU within a container. By default, you cannot create OUs within container objects due to restrictions in the Active Directory schema.

Solution

Using a graphical user interface

  1. Open the Active Directory Schema snap-in as a user that is a member of the Schema Admins group. See Recipe 10.1 for more on using the Schema snap-in.

  2. Expand the Classes folder, right-click on the organizationalUnit class, and select Properties.

  3. Select the Relationship tab and, next to Possible Superior, click Add Superior (Windows Server 2003) or Add (Windows 2000).

  4. Select container and click OK.

  5. Click OK.

Using a command-line interface

Create an LDIF file called ou_in_container.ldf with the following contents:

dn: cn=organizational-unit,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
add: possSuperiors
possSuperiors: container
-

then run the ldifde command to import the change:

> ldifde -i -f ou_in_container.ldf

Using VBScript

' This code modifies the schema so that OUs can be created within containers
Const ADS_PROPERTY_APPEND = 3
set objRootDSE = GetObject("LDAP://RootDSE")
set objOUClass = GetObject("LDAP://cn=organizational-unit," & _
                           objRootDSE.Get("schemaNamingContext") )
objOUClass.PutEx ADS_PROPERTY_APPEND, "possSuperiors", Array("container")
objOUClass.SetInfo

Discussion

Allowing OUs to be created within containers requires a simple modification to the schema. You have to make the container class one of the possible ...

Get Active Directory Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial