Recipe 8.11 Binding to the Default Container for Computers | Active Directory Cookbook, 3rd Edition

This recipe requires the Windows Server 2003 domain functional level.

8.11.1 Problem

You want to bind to the default container that new computers objects are created in.

8.11.2 Solution

8.11.2.1 Using a graphical user interface

Open LDP.
From the menu, select Connection Connect.
For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
For Port, enter 389.
Click OK.
From the menu, select Connection Bind.
Enter credentials of a domain user.
Click OK.
From the menu, select View Tree.
For the DN, enter:
```
<WKGUID=aa312825768811d1aded00c04fd8d5cd,<DomainDN>>
```
where <DomainDN> is the distinguished name of a domain.
Click OK.
In the left menu, you can now browse the default computers container for the domain.

8.11.2.2 Using a command-line interface

With tools like netdom, if there is an option to only specify the name of the computer, and not its DN or parent container, the default computers container is typically used.

8.11.2.3 Using VBScript

' This code illustrates how to bind to the default computers container. ' ------ SCRIPT CONFIGURATION ------ strDomain = "<DomainDNSName>"   ' e.g. apac.rallencorp.com ' ------ END CONFIGURATION --------- ' Computer GUID as defined in ntdsapi.h Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd" set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE") set objCompContainer = GetObject("LDAP://<WKGU," & _                              objRootDSE.Get("defaultNamingContext") & ">" ) WScript.Echo objCompContainer.Get("distinguishedName")

8.11.3 Discussion

There are several important objects within each Active Directory domain that need to be "rename safe." By that I mean you should be able to rename the object and not impact other applications that may depend on it. It is for this reason that Microsoft created WKGUID binding. WKGUID allows you to use a well-known GUID to bind with instead of a distinguished name.

For example, the default computers container has the following WKGUID:

aa312825768811d1aded00c04fd8d5cd

You can use the GUID to bind to the default computers container in the domain using the following ADsPath:

LDAP://<WKGUID=aa312825768811d1aded00c04fd8d5cd,dc=apac,dc=rallencorp,dc=com>

The list of well-known objects for a domain is contained in the wellKnownObjects attribute of the domainDNS object for the domain. The wellKnownObjects attribute is multivalued with DNWithBinary syntax. The following is an example of what that attribute looks like for the rallencorp.com domain:

B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=rallencorp,DC=com; B:32: F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=rallencorp,DC=com; B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=rallencorp,DC=com; B:32: 22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=rallencorp,DC=com; B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=rallencorp,DC=com; B:32: 2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=rallencorp,DC=com; B:32: AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=rallencorp,DC=com; B:32: AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=rallencorp,DC=com; B:32: A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=rallencorp,DC=com; B:32: A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=rallencorp,DC=com;

Each value has the format of:

B:NumberofBytes:GUID:DistinguishedName

As you can see, the GUID for the first value is the same as the one we used in the ADsPath above to bind to the default computers container.

8.11.4 See Also

Recipe 8.12 for changing the default computers container and MSDN: Binding to Well-Known Objects Using WKGUID