The OU Went That-A-Way

Windows Server 2003's account redirection features are nifty, but forgetting that you used them can produce some mysterious problems.

Bill: I'm using Windows Server 2003. I created an OU and a sub-OU some months ago that contain user and computer accounts. Everything seemed to work fine. Today, I started cleaning up unused OUs and deleted several. However, I'm unable to delete either of these OUs! I've checked my permissions on them and I should have Full Control, but they act like they are read-only. Also, I cannot rename those OUs.

Any ideas on what this could be? I can't remember doing anything unusual with them.
—Jerrod

Jerrod: Because you're running Windows Server 2003, I'm thinking that you used the new account redirection feature and then forgot that you made the change.

For anyone who hasn't played much with Windows 2003, it has two utilities, REDIRCMP and REDIRUSR, that permit you to designate a different default OU for new user and new computer objects in place of the standard Users and Computers containers. You can link Group Policy Objects to those OUs so that new user and computer accounts immediately get group policies instead of waiting for them to be moved to a production OU.

When you designate a target OU using REDIRCMP or REDIRUSR, the utility flags the OU with an attribute called IsCriticalSystemObject. You can see this attribute using the LDAP Browser (Ldp.exe) or the ADSI Editor (ADSIEdit.msc) in the Support Tools.

You are not permitted to delete or rename an object with the IsCriticalSystemObject attribute set to TRUE. For more information, take a look at the attribute documentation in the Platform SDK, which you can browse online at msdn.microsoft.com or download for more detailed searches.

If this turns out to be the problem, you can redirect the new user and computer containers back to their defaults or to some other OU, and then delete the OUs.

Hope this helps.

One more thing: Happy holidays, everyone! Hope you have a safe and enjoyable time away from some of the hassles of information technology. Look for my next Q&A column on January 6, 2004.
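
The check and the redirect-back step from the answer above, as an added PowerShell example that is not part of the original column. It assumes the ActiveDirectory module from RSAT (which postdates the Windows Server 2003 tools described here), only reads from the directory, and prints the REDIRUSR/REDIRCMP commands instead of running them.

```powershell
# Added example: read-only diagnostic. Assumes the ActiveDirectory module (RSAT)
# and an account that can read the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$root   = $domain.DistinguishedName

# Compare where new accounts currently land with the built-in defaults.
$checks = @(
    @{ Kind = 'user';     Tool = 'redirusr'; Default = "CN=Users,$root";     Current = $domain.UsersContainer },
    @{ Kind = 'computer'; Tool = 'redircmp'; Default = "CN=Computers,$root"; Current = $domain.ComputersContainer }
)

foreach ($c in $checks) {
    if ($c.Current -eq $c.Default) {
        "New $($c.Kind) accounts go to the default container: $($c.Default)"
    } else {
        "New $($c.Kind) accounts are redirected to: $($c.Current)"
        # Printed only; run it yourself once you have confirmed the target.
        "  To restore the default, run: $($c.Tool) `"$($c.Default)`""
    }
}

# List every OU carrying the flag that blocks delete and rename.
# The Domain Controllers OU is flagged by default, so expect it in the output.
$targets = @($domain.UsersContainer, $domain.ComputersContainer)

Get-ADOrganizationalUnit -LDAPFilter '(isCriticalSystemObject=TRUE)' -Properties isCriticalSystemObject |
    Select-Object DistinguishedName,
                  isCriticalSystemObject,
                  @{ Name = 'IsRedirectTarget'; Expression = { $targets -contains $_.DistinguishedName } }
```

An OU that shows `IsRedirectTarget` as `True` is one that new accounts are still being sent to, which matches the situation described in the question.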

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
