Active Directory 2008: Default Containers

When you install Active Directory, several default containers and Organizational Units (OUs) are automatically created.  The following table lists the default containers and their contents…


  • The Builtin container holds default service administrator accounts and domain local security groups. These groups are pre-assigned permissions needed to perform domain management tasks.


  • The Computers container holds all computers joined to the domain without a computer account. It is the default location for new computer accounts created in the domain.

Domain Controllers:

  • The Domain Controllers OU is the default location for the computer accounts for domain controllers.


  • The ForeignSecurityPrincipals container holds proxy objects for security principals in NT 4.0 domains or domains outside of the forest.


  • The LostAndFound container holds objects moved or created at the same time an Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller while administrators at other domain controllers can add or move objects to the deleted OU before the change has been replicated. During replication, new objects are placed in the LostAndFound container.

NTDS Quotas:   

  • The NTDS Quotas container holds objects that contain limits on the number of objects users and groups can own.

Program Data:  

  • The Program Data container holds application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it.


  • The System container holds configuration information about the domain including security groups and permissions, the domain SYSVOL share, DFS configuration information, and IP security policies.


  • The Users container holds additional predefined user and group accounts (besides those in the Builtin container). Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks.

*Be aware of the following when managing the default containers:

  • Default containers are automatically created and cannot be deleted.
  • The Domain Controllers OU is the only default organizational unit object. All other containers are just containers, not OUs. As such, you cannot apply a GPO to any default container except for the Domain Controllers OU.
  • To apply Group Policy specifically to objects within a default container (except for the Domain Controllers OU), move the objects into an OU that you create, then link the GPO.
  • The LostAndFound, NTDS Quotas, Program Data, and System containers are hidden in Active Directory Users and Computers. To view these containers, click Advanced Features from the View menu.

2 thoughts on “Active Directory 2008: Default Containers

  1. Hi! I could have sworn I’ve been to this website before but after browsing through some of the post
    I realized it’s new to me. Anyways, I’m definitely happy I found
    it and I’ll be book-marking and checking back

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s