When you create a user account in Active Directory using certain tools, by default the user will be placed in the Users container under the root of the domain. This can be undesirable, particularly if you want to apply distinct Group Policy to these users. Fortunately, Active Directory lets you change the default location for new User accounts. The best way to make this change is with the redirusr tool that is included with Windows Server. For example, to redirect new users in the cohovines.com domain to an Organizational Unit called New Hires, run this command:

redirusr "OU=New Hires,DC=cohovines,DC=com"

Under the covers, the redirusr tool updates an attribute of the domain NC head object called wellKnownObjects. The wellKnownObjects attribute contains a list of well known GUIDs and a distinguished name for each GUID. By using GUIDs, the path to an object can be dynamic without the client needing to be aware of anything other than the GUID for the object it is searching for. In this case, the a9d1ca15-7688-11d1-aded-00c04fd8d5cd GUID is how Active Directory keeps track of the default location for new user objects. You can use a tool like LDP to look at the wellKnownObjects attribute of the domain as shown below: