Post date: Oct 16, 2020 3:1:43 PM
I have migrated a client away from SBS 2008 to Windows Server 2012 Standard. Exchange 2007 has been uninstalled, demoted the domain controller, etc. I am now trying to get rid of the "MyCompany" OU structure, and for the life of me I can't figure out how. There are two sub OU's called "sbsusers" and "sbscomputers" that have the "iscriticalsystemobject" property set on them, and I get an error in ADSIEDIT if I try to remove that property or if I try to delete the OU's.
Can someone that has done this before help me out?
Thanks!
Got it, I'm pretty sure this will fix your issue. Started reading about the isCritical flag and it can only be set by the system, so I figured there had to be something attached to those OU's of yours.
http://redmondmag.com/articles/2003/12/23/the-ou-went-thataway.aspx
"For anyone who hasn't played much with Windows 2003, it has two utilities, REDIRCMP and REDIRUSR, that permit you to designate a different default OU for new user and new computer objects in place of the standard User and Computer containers. You can link Group Policy Objects to those OUs so that new user and computer accounts immediately get group policies instead of waiting for them to be moved to a production OU.
When you designate a target OU using REDIRCMP or REDIRUSR, the utility flags the OU with an attribute called IsCriticalSystemObject. You can see this attribute using the LDAP Browser (Ldp.exe) or the ADSI Editor (ADSIEdit.msc) in the Support Tools.
You are not permitted to delete or rename an object with the IsCriticalSystemObject attribute set to TRUE. For more information, take a look at the attribute documentation in the Platform SDK, which you can browse online at msdn.microsoft.com or download for more detailed searches (or click here for a good start).
If this turns out to be the problem, you can redirect the new user and computer containers back to their defaults or to some other OU then delete the OUs."
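The redirect-then-delete sequence the quoted article describes, as an added PowerShell example that is not part of the original posts. It assumes the ActiveDirectory module, an elevated session on a domain controller where `redirusr.exe` and `redircmp.exe` are available, and the OU names "sbsusers" and "sbscomputers" given in the question.

```powershell
# Added example: run as a Domain Admin on a domain controller.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# 1. Show where new user and computer objects currently land.
#    If these point at the SBS OUs, that is what is pinning them.
$domain | Format-List UsersContainer, ComputersContainer

# 2. List every OU that carries the isCriticalSystemObject flag.
Get-ADOrganizationalUnit -Filter * -Properties isCriticalSystemObject |
    Where-Object { $_.isCriticalSystemObject } |
    Select-Object DistinguishedName, isCriticalSystemObject

# 3. Redirect the defaults back to the built-in containers.
& redirusr.exe "CN=Users,$dn"
& redircmp.exe "CN=Computers,$dn"

# 4. Confirm the redirect took effect.
Get-ADDomain | Format-List UsersContainer, ComputersContainer

# 5. Re-check the two SBS OUs before touching them: flag state,
#    accidental-deletion protection, linked GPOs, leftover children.
$ous = Get-ADOrganizationalUnit `
    -Filter "Name -eq 'sbsusers' -or Name -eq 'sbscomputers'" `
    -Properties isCriticalSystemObject, ProtectedFromAccidentalDeletion, gPLink

foreach ($ou in $ous) {
    $children = @(Get-ADObject -SearchBase $ou.DistinguishedName `
        -SearchScope OneLevel -Filter *)
    [pscustomobject]@{
        OU        = $ou.DistinguishedName
        Critical  = $ou.isCriticalSystemObject
        Protected = $ou.ProtectedFromAccidentalDeletion
        GPLinks   = $ou.gPLink
        Children  = $children.Count
    }
}

# 6. Dry run of the delete. Drop -WhatIf only once the OU is empty,
#    unlinked, and no longer reported as critical or protected.
foreach ($ou in $ous) {
    Remove-ADOrganizationalUnit -Identity $ou.DistinguishedName -WhatIf
}
```

If step 5 still reports `Protected` as true, clear it with `Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false` before the real delete.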