As you probably know, by default, newly created user or computer is placed in default OUs Computers or Users. It is not a good practice to leave them there, because we are not able to apply GPO to these OUs and in many cases, we need more OUs. The good example why to create more OUs is that we need different policy for notebooks, desktops and servers.
There is also a good practice to change default containers for users and computers to one of these newly created OUs.
It is very simple to redirect them. You have to execute two commands from Administrative command prompt:
- For users: redirusr ou=MyDefaultUserOU,dc=domain,dc=local
- For computers: redircmp ou=MyDefaultComputerOU,dc=domain,dc=local
If you want your environment to be even more secure, just put this default OUs in OUs that have the most restricted GPOs applied. In this way, you will limit the access to your environment..