List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community. See more info about this here.

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] Auto move to OU
dharding, 03/08/2007 5:25 AM
Is it possible to create a script or GPO that will auto move
a server object to a different OU after its been joined to a domain?

-Devon


This message (including any attachments) is intended only for
the use of the individual or entity to which it is addressed and
may contain information that is non-public, proprietary,
privileged, confidential, and exempt from disclosure under
applicable law or may constitute as attorney work product.
If you are not the intended recipient, you are hereby notified
that any use, dissemination, distribution, or copying of this
communication is strictly prohibited. If you have received this
communication in error, notify us immediately by telephone and
(i) destroy this message if a facsimile or (ii) delete this message
immediately if this is an electronic communication.

Thank you.
ASteele, 03/08/2007 5:41 AM
Devon,

This is not necessary. If you use delegated join, whereby you delegate rights on the target OU to the personnel in charge of adding the machines to the domain to "Create" computer objects within the OU, they create the objects and give themselves rights to join it to the domain. Active Directory matches based on NetBIOS name when a machine attempts to join, and you have a server, joined to the domain, with its "Server Object" in the correct OU.

Hope that helps.

/aaron



AD000001702, 03/08/2007 6:37 AM
You might find the following useful...it applies more to all new user and
computer objects rather than server objects specifically...

URL:
http://technet2.microsoft.com/WindowsServer/en/library/5f963d08-9efc-4660-8621-6adcf5a0137e1033.mspx?mfr=true

TITLE: Redirect the Users and Computers Containers

EXTRACT: In Windows Server 2003 Active Directory, when the domain
functional level has been raised to Windows Server 2003, you can redirect
the default CN=Users and CN=Computers containers to organizational units
that you specify so that each can support Group Policy, making them easier
to manage.

Cheers,

Matt Duguid
Microsoft Systems Engineer
Information and Technology Group - Identity Services
The Department of Internal Affairs Te Tari Taiwhenua

Direct Dial: +64 4 4748028 x8028
Fax: +64 4 4748894
Mobile: +64 21 1713290
Address: Level 4, 47 Boulcott Street, Wellington, New Zealand
Internet: http://www.dia.govt.nz/



List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
bdesmond, 03/08/2007 6:41 AM
If you're on 2003, look up redircomp.exe


Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132

amulnick, 03/08/2007 7:37 AM
Personally, I prefer this method. The reason for that is that it causes the installer to think before adding to the domain. I have often just delegated full rights to the OU to the installer for computer objects, so the step about delegating themselves rights to join the machine wasn't necessary. But the process works well and I've even gone so far as to write a utility for the group to be able to add en masse (it's a migration after all) via text file. It keeps the computer accounts where they belong.

Could you write a script to do this? Sure. But how do you know what OU to move it to? If it's the same each time, then check out the other posts that talk about redirecting the default container. If you have to divide them into different OUs depending on some criteria, then you may want to consider Aaron's method because it doesn't require any funny timing, or scheduling, or somebody to remember to run a script to move computer objects. It happens, or the computer doesn't join the domain. Simple. Secure. Fast.

Al
ZJORZ, 03/09/2007 2:42 AM
Sure.

Why not add/join it right away to the correct OU?

NETDOM can help you with this..

NETDOM JOIN <machine> /DOMAIN:<domain>\<DC> /USERD:<user> /PASSWORDD:<password> /OU:"<OU>" /REBOOT

<machine> is the machine to be joined.

<domain>\<DC> will join the machine to the domain and use the DC for the add/write action. You can also just use <domain>, but it will then ask for a DC in the domain that has registered its domain wide service records. By default all DCs do that. In branch office scenarios it is OK to tell the branch office DCs NOT to register domain wide records, only site wide records. To determine the best DC you could create some script that queries AD for the AD site/subnet based on the server/client IP address and use a DC for that site.

<user> and <password> are the credentials to connect to the domain.

<OU> is the OU where the machine should be added to. What will be the criteria to select this? When entered manually, no problem, just specify. But when automagically, how to determine?

Met vriendelijke groeten / Kind regards,

MVP Profile: https://mvp.support.microsoft.com/profile=f8c04f4a-bff2-453e-9aed-7dfedab0be10
MVP Home Site: https://mvp.support.microsoft.com/
MVP Overview: https://mvp.support.microsoft.com/mvpexecsum
BLOG: http://blogs.dirteam.com/blogs/jorge/default.aspx

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
AD000001356, 03/09/2007 3:09 AM
As others have said this is more of a
process issue than a technical one. In the environment that I'm currently
designing we want any new servers to be placed in a staging OU, while any new
clients into a staging OU for clients. The reason for this is that we have
several locked down GPOs that get overridden by staging. This means anyone
who joins the domain manually, assuming they somehow have permissions to do so,
gets put in the Computers container which gives them an almost unworkable
desktop. We do use scripts during the automation process to move the
automated object to staging (well, it gives the appearance of this; in
actuality it pre-creates the objects in the correct OU). The information
on what's a server or workstation is ascertained from the Radia (systems
management tool that is used to manage and deploy systems).

So, the answer to your question is yes,
but you need to do this with a scripting language as opposed to a command line
so that you can add some logic and error handling (e.g. DCs need to be excluded
from the move). The other thing that needs to be considered is how this
script is run. Should it be run on a schedule moving objects at, for
example, midnight into their correct OUs, or should it be done during object
creation?

Or, is it better to have a manual process
whereby someone responsible for user object administration pre-creates the
objects in the correct OU before the server is built. In my opinion this
should be automated for larger organisations. In a smaller organisation
whereby each server or a small number are implemented using a single change will
allow the manual process to work as the objects are created and then the change
commences, however in a larger organisation you'll end up with a backlog due to
the number of new objects that need to be precreated. We could never do
this any other way than via automation as we're provisioning thousands of
servers and hundreds of thousands of workstations. This also means that
the likely churn of workstations will be reasonably high.
--Paul
lists1, 03/09/2007 12:43 PM
Apart from the answers on redircomp – which will affect all machines and not just servers – you'd be able to instruct your staff to use netdom.exe for joining the domain, where you are able to pass the OU as a parameter.

If you want to write a script you could do a one-liner in CMD which uses dsquery and pipes its output to dsmove; however, I'd also prefer one of the other suggestions.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

dharding, 03/12/2007 2:10 AM
What tool are you using to automate this process? This is exactly what I'm looking for.

-Devon

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bart Van den Wyngaert
Sent: Monday, March 12, 2007 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Auto move to OU



Automating this simply requires the correct parameters. Don't know how you guys build machines, but in most automated build processes you use parameters (not?).

We for example have a default OU when we're building a server (which seems logical to me). As the last step of our building process, the script moves the object in AD to the correct OU, depending on the parameter specified. This parameter actually depends on the type of server (application, IIS, SQL, ...) and is included in the naming convention. The result is that this parameter is automatically derived...

So we have 2 steps:

- Join domain to default OU (netdom command)

- Move object in AD to final OU

As already indicated earlier, look at your process. The key
is in there!

Best regards,

Bart



On 3/12/07, Harding, Devon wrote:

See, I didn't want to have to
1. Create the Object in the correct OU ahead of time or 2. Use a command line
tool to add a computer to the domain. I also don't want to redirect the
Computers container to an OU as I have different OUs for different computers.
Are there any scripting options?

kennedyjim, 03/12/2007 2:24 AM
Though not who you are asking... Netdom. Second example at the page below:

http://technet2.microsoft.com/WindowsServer/en/library/539c5381-db4f-445f-aac0-2df5448181c11033.mspx?mfr=true

ericcjones, 03/12/2007 3:31 AM
Adding my little bit too…

The way the gentleman does it below is an excellent way to do it. In a previous life I wrote a VBScript to do just that. I used a string function to move servers based on naming convention. I initially ran it in a polling manner, running every 2 minutes. The script was very lightweight and just queried our [redirected] default OU. It operated in 2 stages. It would move the computer object based on OS + naming convention. If the naming convention wasn't followed, or if we just had a new type for me to account for... it would move the computer (server) object to a special OU where only general configuration policies applied, but not our full security enforcement. From there I let others police what should happen to the servers in the "Rogue" OU. I eventually modified the script to run only when new computer objects were added to the redirected OU.

I personally prefer VBScript, as a generalist; however, you could achieve the same with a combination of "ADFind" and "DSmod".

Thanks,

-Eric



From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Harding, Devon
Sent: Monday, March 12, 2007 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move to OU



What tool are you using to automate this process. This is
exactly what I’m looking for.

-Devon

From:
ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On
Behalf Of Bart Van den Wyngaert
Sent: Monday, March 12, 2007 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Auto move to OU



Automating this requires simply the correct parameters. Don't know how you guys build machines, but in most automated build processes you use parameters (not?).

We for example have a default OU when we're building a server (which seems logical to me). As last step of our building process, the script moves the object in AD to the correct OU, depending on the parameter specified. This parameter actually depends on the type of server (application, IIS, SQL, ...) and is included in the naming convention. Result is that this parameter is automatically derived...

So we have 2 steps:

- Join domain to default OU (netdom command)

- Move object in AD to final OU

As already indicated earlier, look at your process. The key
is in there!

Best regards,

Bart



On 3/12/07, Harding, Devon

wrote:

See, I didn't want to have to 1. Create the Object in the correct OU ahead of time or 2. Use a command line tool to add a computer to the domain. I also don't want to redirect the Computers container to an OU as I have different OUs for different computers. Are there any scripting options?

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Al Mulnick
Sent: Thursday, March 08, 2007 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Auto move to OU

Personally, I prefer this method. The reason for that is that it causes the installer to think before adding to the domain. I have often just delegated full rights to the OU to the installer for computer objects, so the step about delegating themselves rights to join the machine wasn't necessary. But the process works well and I've even gone so far as to write a utility for the group to be able to add en masse (it's a migration after all) via text file. It keeps the computer accounts where they belong.

Could you write a script to do this? Sure. But how do you know what OU to move it to? If it's the same each time, then check out the other posts that talk about redirecting the default container. If you have to divide them into different OU's depending on some criteria, then you may want to consider Aaron's method because it doesn't require any funny timing, or scheduling or somebody to remember to run a script to move computer objects. It happens, or the computer doesn't join the domain. Simple. Secure. Fast.

Al



On 3/8/07, Aaron Steele wrote:

Devon,

This is not necessary. If you use delegated join whereby you delegate rights on the target OU to the personnel in charge of adding the machines to the domain to "Create" computer objects within the OU. They create the objects, give themselves rights to join it to the domain. Active Directory matches based on NetBIOS name when a machine attempts to join, and you have a server, joined to the domain, with its "Server Object" in the correct OU.

Hope that helps.

/aaron



From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Harding, Devon
Sent: Thursday, March 08, 2007 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Auto move to OU

Is it possible to create a script or GPO that will auto move a server object to a different OU after its been joined to a domain?

-Devon

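A PowerShell version of the two-stage sweep Eric describes, added here as an example (it is not Eric's VBScript and not code posted to the list): it reads the default container or the redirected default OU, files servers by operating system plus the role token in the hostname, and parks anything it cannot classify in a "Rogue" OU that carries only baseline policy. The domain DNs, the <site>-<role>-<nn> naming convention, the role-to-OU map and the ten-minute age threshold are assumptions made for the illustration.

```powershell
# Added example, not from the thread: a directory-side sweep in the spirit of the
# two-stage script described above. Every DN, the <site>-<role>-<nn> convention,
# the role map and the age threshold are assumptions.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Domain   = 'DC=corp,DC=example'
$SourceDN = "CN=Computers,$Domain"          # or "OU=Staging,$Domain" if the default is redirected
$RogueDN  = "OU=Rogue,OU=Servers,$Domain"   # quarantine OU: baseline GPOs only, no full hardening
$MinAge   = [TimeSpan]::FromMinutes(10)     # give a fresh join time to write its OS attributes

# Naming convention <site>-<role>-<nn>, e.g. NYC-SQL-01; the role token decides the OU.
$RoleToOU = @{
    SQL = "OU=SQL,OU=Servers,$Domain"
    WEB = "OU=IIS,OU=Servers,$Domain"
    APP = "OU=Application,OU=Servers,$Domain"
}

function Get-TargetOU {
    # Returns the OU for a server name, $RogueDN when the convention is not followed,
    # and $null for non-servers (left alone for a separate workstation process).
    param([string]$Name, [string]$OperatingSystem)
    if ($OperatingSystem -notmatch 'Server') { return $null }
    $parts = $Name.ToUpperInvariant() -split '-'
    if ($parts.Count -eq 3 -and $parts[2] -match '^\d{2}$' -and $RoleToOU.ContainsKey($parts[1])) {
        return $RoleToOU[$parts[1]]
    }
    return $RogueDN
}

function Invoke-ComputerSweep {
    # Moves every classifiable object out of $SourceDN; honours -WhatIf for dry runs.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $cutoff    = (Get-Date) - $MinAge
    $computers = @(Get-ADComputer -SearchBase $SourceDN -SearchScope OneLevel -Filter * `
                    -Properties operatingSystem, whenCreated)
    foreach ($c in $computers) {
        # A machine that joined moments ago may not have populated operatingSystem yet;
        # skip it this pass instead of misfiling it as rogue.
        if ($c.whenCreated -gt $cutoff -and -not $c.operatingSystem) { continue }
        $target = Get-TargetOU -Name $c.Name -OperatingSystem $c.operatingSystem
        if (-not $target) { continue }
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Move to $target")) {
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $target
            [pscustomobject]@{ Name = $c.Name; Target = $target }
        }
    }
}

# Dry run first; schedule the real call on a DC once the proposed moves look right.
Invoke-ComputerSweep -WhatIf
Invoke-ComputerSweep | Format-Table -AutoSize
```

Run it with -WhatIf until the proposed moves match expectations, then schedule it on a DC under a dedicated account that can create computer objects in the target OUs and delete them from the source container, and nothing wider. To get from polling to Eric's event-driven variant, trigger the task on Security event 4741 (a computer account was created) on the DCs, which needs Audit Computer Account Management enabled. The age check is there because a client typically fills in its operatingSystem attributes at its first boot after the join rather than at the instant the object appears, so a sweep that fires immediately would misfile every new server as rogue.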
amulnickUser is Offline

Posts:163

03/12/2007 4:38 AM  
yeah, I've seen it done this way. But the danger that comes with that in most orgs is pretty big. That's because the assumption is that the naming convention is uniformly applied and retrofitted. Many orgs change their naming standards too often. Since this thread is not about those issues and what it leads to, I think I'll let that drop. :)
The bit that still gets me about this thread, is that the poster asked to not use a command line tool but rather wanted a script. Did I misread that? Netdom doesn't fit if that's the case and the usage of netdom is something that wouldn't be any easier or harder than using a process to pre-create the machines in the appropriate ou. More of a sacred cow process from the sound of it. I could be wrong, but that's how I interpret the use of netdom to place a machine in its appropriate OU in many situations. In some larger orgs (global, 50K desktops or better) it might make more sense to let the workstation do its own OU designation if you have multiple workstation images. If not, then I doubt you'll get the benefit from one vs. the other to make it worth the time.
My $0.04 anyway.

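The pre-stage route Aaron describes and Al endorses, as an added PowerShell example (not code from either of them or from the list): an admin creates the computer object in its final OU and grants the installer only the rights a join needs on that single object, so the join matches the existing account by name and no post-join move is required; a second function does Aaron's OU-level delegation for a group that pre-stages its own objects. The domain, OU, computer and account names are assumptions; the GUIDs are the fixed schema and rights identifiers.

```powershell
# Added example, not from the thread: least-privilege pre-staging with the
# ActiveDirectory module. Domain, OU, computer and principal names are assumptions.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Well-known schema / rights GUIDs, identical in every forest.
$ComputerClass    = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$ResetPassword    = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # extended right: Reset Password
$AccountRestrict  = [guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # property set: Account Restrictions
$ValidatedDnsName = [guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # validated write: DNS host name
$ValidatedSpn     = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # validated write: SPN

function Get-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function New-AllowRule($Sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType) {
    # Object-specific Allow ACE on this object only (no inheritance).
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType)
}

function Grant-CreateComputerOnOU {
    # Aaron's OU-level delegation: the group may create computer objects in this OU, nothing else.
    param([string]$OU, [string]$Group)
    $acl = Get-Acl -Path "AD:\$OU"
    $acl.AddAccessRule((New-AllowRule (Get-Sid $Group) 'CreateChild' $ComputerClass))
    Set-Acl -Path "AD:\$OU" -AclObject $acl
}

function New-PreStagedComputer {
    # Create the account in its final OU and let $Installer (user or group) join that machine only.
    param([string]$Name, [string]$OU, [string]$Installer)
    New-ADComputer -Name $Name -Path $OU -Enabled $true
    $dn  = (Get-ADComputer -Identity $Name).DistinguishedName
    $sid = Get-Sid $Installer
    $acl = Get-Acl -Path "AD:\$dn"
    # The four rights a join needs to take over an existing account.
    $acl.AddAccessRule((New-AllowRule $sid 'ExtendedRight' $ResetPassword))
    $acl.AddAccessRule((New-AllowRule $sid 'WriteProperty' $AccountRestrict))
    $acl.AddAccessRule((New-AllowRule $sid 'Self'          $ValidatedDnsName))
    $acl.AddAccessRule((New-AllowRule $sid 'Self'          $ValidatedSpn))
    # Current Windows builds also check that the joining principal owns a pre-staged
    # account (domain-join account-reuse hardening, KB5020276); setting the owner here
    # keeps the join working without the legacy account-reuse allow list.
    $acl.SetOwner($sid)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    $dn
}

function Test-PreStagedAcl {
    # Verification: what $Installer can do on the object; expect exactly the four ACEs above.
    param([string]$Name, [string]$Installer)
    (Get-Acl -Path "AD:\$((Get-ADComputer -Identity $Name).DistinguishedName)").Access |
        Where-Object { $_.IdentityReference.Value -eq $Installer } |
        Select-Object ActiveDirectoryRights, ObjectType, AccessControlType
}

Grant-CreateComputerOnOU -OU 'OU=SQL,OU=Servers,DC=corp,DC=example' -Group 'CORP\ServerInstallers'
New-PreStagedComputer -Name 'NYC-SQL-01' -OU 'OU=SQL,OU=Servers,DC=corp,DC=example' -Installer 'CORP\jdoe'
Test-PreStagedAcl -Name 'NYC-SQL-01' -Installer 'CORP\jdoe'
```

The installer then runs Add-Computer -DomainName corp.example -Credential CORP\jdoe on the built server with no -OUPath at all; the existing account is matched by the machine's name, which is why the hostname has to be final before the join. Test-PreStagedAcl should list exactly those four ACEs and nothing like GenericAll. Pre-staging this way also avoids relying on the default ms-DS-MachineAccountQuota of 10 self-joins per user, which is how unmanaged accounts usually end up in the Computers container in the first place.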
dhardingUser is Offline

Posts:39

03/12/2007 11:35 AM  
See, I didn't want to have to 1. Create the Object in the correct OU ahead of time or 2. Use a command line tool to add a computer to the domain. I also don't want to redirect the Computers container to an OU as I have different OUs for different computers. Are there any scripting options?

Marty1_0User is Offline

Posts:0

03/12/2007 12:50 PM  
Automating this requires simply the correct parameters. Don't know how you guys build machines, but in most automated build processes you use parameters (not?).

We for example have a default OU when we're building a server (which seems logical to me). As last step of our building process, the script moves the object in AD to the correct OU, depending on the parameter specified. This parameter actually depends on the type of server (application, IIS, SQL, ...) and is included in the naming convention. Result is that this parameter is automatically derived...
So we have 2 steps:
- Join domain to default OU (netdom command)
- Move object in AD to final OU

As already indicated earlier, look at your process. The key is in there!

Best regards,
Bart
Marty1_0User is Offline

Posts:0

03/13/2007 6:08 AM  
Use the netdom utility from a VBScript? That's the way we do it.

Yes naming conventions are changed, but the process needs to keep in mind such things. So you put the correct people in the review process of that naming convention.

We work the same way for secure environments: they are moved at the end of the process to a separate OU with max. restrictions. During install they end up in their default OU based on our environment parameters. These kinds of exceptions will always exist and I don't see a way to automate this, except that your build tool is configured to handle these kinds of parameters.
Best starting point is to see, even when you're doing the moves manually, that your process and procedures are correct and that you have a standard. This is an absolutely needed basis to start with. Then you can start thinking about automating the stuff. Example: a DB where the parameters are set and retrieved by your scripts, a web interface to view, edit, add, ... these parameters. Or based on the OS and naming convention, but then you have to make sure that you also have covered exceptions, either manually or by standard (naming convention).
Our build tool is a self-made tool btw, but if you're a little bit familiar with unattended installations, it isn't that hard... Depends on the environment of course. Before that we used RAT (by INS), but we modified it a bit too much. Then the decision was taken to create the next version internally instead of buying a tool and completely modifying it... Nice but not applicable in every environment. For another client I use a totally different way, no DB or anything involved as they have only 5 PCs, so that's totally overkill. But that client can (re)install a PC themselves if I put a small .ini file in place, so they are very happy with it. Larger environments may require a build app with DB.
Look around and keep in mind your total process, they go hand-in-hand !

Regards,
Bart
On 3/12/07, Al Mulnick wrote:

yeah, I've seen it done this way. But the danger that comes with that in most orgs is pretty big. That's because the assumption is that the naming convention is uniformly applied and retrofitted. Many orgs change their naming standards too often. Since this thread is not about those issues and what it leads to, I think I'll let that drop. :)
The bit that still gets me about this thread, is that the poster asked to not use a command line tool but rather wanted a script. Did I misread that? Netdom doesn't fit if that's the case and the usage of netdom is something that wouldn't be any easier or harder than using a process to pre-create the machines in the appropriate ou. More of a sacred cow process from the sound of it. I could be wrong, but that's how I interpret the use of netdom to place a machine in it's appropriate OU in many situations. In some larger orgs (global, 50K desktops or better) it might make more sense to let the workstation do it's own OU designation if you have multiple workstation images. If not, then I doubt you'll get the benefit from one vs. the other to make it worth the time.
My $0.04 anyway.
On 3/12/07, Eric C. Jones > wrote:

Adding my little bit too…

The way the gentleman does it below is an excellent way to do it. In a previous life I wrote a VBScript to do just that. I used a string function to move servers based on naming convention. I initially ran it in a polling manner, running every 2 minutes. The script was very lightweight and just queried our [redirected] default OU. It operated in 2 stages. It would move the computer object based OS + naming convention. If the naming convention wasn't followed or if we just had a new type for me to account for…it would move the computer (server) object to a special OU where only general configuration policies applied, but not our full security enforcement. From there I let others police what should happen to the servers in the "Rogue" OU. I eventually modified the script to run only when new computer objects were added to the redirected OU.
I personally prefer VBScript, as generalist, however you could achieve the same with a combination of "ADFind" and "DSmod".

Thanks,

-Eric

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Harding, DevonSent:
Monday, March 12, 2007 2:10 PMTo: ActiveDir@mail.activedir.orgSubject:
RE: [ActiveDir] Auto move to OU
What tool are you using to automate this process. This is exactly what I'm looking for.

-Devon
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bart Van den Wyngaert
Sent: Monday, March 12, 2007 12:51 PMTo: ActiveDir@mail.activedir.orgSubject:
Re: [ActiveDir] Auto move to OU
Automating this requires simply the correct parameters. Don't know how you guys build machines, but in most automated build processes you use parameters (not?).

We for example have a default OU when we're building a server (which seems logic to me). As last step of our building process, the script moves the object in AD to the correct OU, depending on the parameter specified. This parameter depends actually on the type of server (application, IIS, SQL, ...) and is included in the naming convention. Result is that this parameter is automatically derived...


So we have 2 steps:

- Join domain to default OU (netdom command)

- Move object in AD to final OU

As already indicated earlier, look at your process. The key is in there!

Best regards,

Bart

On 3/12/07, Harding, Devon wrote:
See, I didn't want to have to 1. Create the Object in the correct OU ahead of time or 2. Use a command line tool to add a computer to the domain. I also don't want to redirect the Computers container to an OU as I have different OUs for different computers. Are there any scripting options?

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al MulnickSent:
Thursday, March 08, 2007 7:37 PMTo: ActiveDir@mail.activedir.orgSubject:
Re: [ActiveDir] Auto move to OU

Personally, I prefer this method. The reason for that is that it causes the installer to think before adding to the domain. I have often just delegated full rights to the OU to the installer for computer objects, so the step about delegating themselves rights to join the machine wasn't necessary. But the process works well and I've even gone so far as to write a utility for the group to be able to add en masse (it's a migration after all) via text file. It keeps the computer accounts where they belong.


Could you write a script to do this? Sure. But how do you know what OU to move it to? If it's the same each time, then check out the other posts that talk about redirecting the default container. If you have to divide them into different OU's depending on some criteria, then you may want to consider Aaron's method because it doesn't require any funny timing, or scheduling or somebody to remember to run a script to move computer objects. It happens, or the computer doesn't join the domain. Simple. Secure. Fast.


Al

On 3/8/07, Aaron Steele wrote:
Devon,

This is not necessary. If you use delegated join whereby you delegate rights on the target OU to the personnel in charge of adding the machines to the domain to "Create" computer objects within the OU. They create the objects, give themselves rights to join it to the domain. Active Directory matches based on NetBIOS name when a machine attempts to join, and you have a server, joined to the domain, with its "Server Object" in the correct OU.
Hope that helps.
/aaron

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Harding, DevonSent:
Thursday, March 08, 2007 4:25 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Auto move to OU

Is it possible to create a script or GPO that will auto move a server object to a different OU after its been joined to a domain?

-Devon


This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication.
Thank you.


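The delegated-join setup Aaron describes, as an added example that is not code from the thread or from any of its participants. It assumes the ActiveDirectory RSAT module (which post-dates this 2007 thread), a target OU OU=Servers,DC=corp,DC=example, an installer group ServerBuilders and a machine name SRV-APP01; all of these are placeholders. Step 1 grants the group Create Child for computer objects only (not users or groups) on the OU, step 2 pre-stages the computer object there and grants the group the four rights that ADUC sets for "user or group that can join this computer to a domain", and step 3 is the join from the new machine with no OU path at all, because the join binds to the pre-staged account whose name matches the machine.

```powershell
# Added example, not from the thread. All DNs, group and host names are placeholders.
Import-Module ActiveDirectory

$TargetOu     = "OU=Servers,DC=corp,DC=example"
$Installers   = Get-ADGroup -Identity "ServerBuilders"
$InstallerSid = [System.Security.Principal.SecurityIdentifier] $Installers.SID

# Well-known schema / extended-right GUIDs. If in doubt, verify them in your
# forest under CN=Schema and CN=Extended-Rights,CN=Configuration.
$ComputerClass       = [Guid] "bf967a86-0de6-11d0-a285-00aa003049e2"  # computer class (schemaIDGUID)
$ResetPassword       = [Guid] "00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" extended right
$AccountRestrictions = [Guid] "4c164200-20c0-11d0-a768-00aa006e0529"  # "Account Restrictions" property set
$ValidatedDnsHost    = [Guid] "72e39547-7b18-11d1-adef-00c04fd8d5cd"  # validated write to DNS host name
$ValidatedSpn        = [Guid] "f3a64788-5306-11d1-a9c5-0000f80367c1"  # validated write to SPN

function New-AllowAce {
    param(
        [System.Security.Principal.SecurityIdentifier] $Sid,
        [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Guid] $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = 'None'
    )
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $Sid, $Rights, ([System.Security.AccessControl.AccessControlType]::Allow), $ObjectType, $Inheritance
}

# 1. Installers may create computer objects, and only computer objects, in the OU.
function Grant-CreateComputer {
    param([string] $OuDn, [System.Security.Principal.SecurityIdentifier] $Sid)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule((New-AllowAce -Sid $Sid -Rights CreateChild -ObjectType $ComputerClass))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# 2. Pre-stage the account where it belongs and grant the join rights on it.
function New-StagedComputer {
    param([string] $Name, [System.Security.Principal.SecurityIdentifier] $Sid)
    $computer = New-ADComputer -Name $Name -Path $TargetOu -Enabled $true -PassThru
    $dn  = $computer.DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.AddAccessRule((New-AllowAce -Sid $Sid -Rights ExtendedRight -ObjectType $ResetPassword))
    $acl.AddAccessRule((New-AllowAce -Sid $Sid -Rights WriteProperty -ObjectType $AccountRestrictions))
    $acl.AddAccessRule((New-AllowAce -Sid $Sid -Rights Self          -ObjectType $ValidatedDnsHost))
    $acl.AddAccessRule((New-AllowAce -Sid $Sid -Rights Self          -ObjectType $ValidatedSpn))
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    $dn
}

Grant-CreateComputer -OuDn $TargetOu -Sid $InstallerSid
New-StagedComputer -Name "SRV-APP01" -Sid $InstallerSid

# 3. On the freshly built machine (named SRV-APP01) the installer joins with
#    their own credentials. No -OUPath: the join binds to the pre-staged
#    account SRV-APP01$ and the object stays in OU=Servers. If the machine name
#    does not match a staged object, the join either lands in the default
#    container or fails, depending on what the installer may create there.
#    Add-Computer is Windows PowerShell only.
# Add-Computer -DomainName "corp.example" -Credential (Get-Credential "CORP\builder01") -Restart
```

The design point is that the object-type GUID on the Create Child ACE keeps the delegation from becoming "create anything in this OU", and the join rights live on the individual staged object rather than on the OU, so an installer cannot rejoin or reset other servers' accounts.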
bdesmondUser is Offline

Posts:977

03/13/2007 6:37 AM  
Just run a scheduled task on a DC then to do what you want to the contents of the computers container every so often.


Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132

From: ActiveDir-owner@mail.activedir.org [ActiveDir-owner@mail.activedir.org] On Behalf Of Harding, Devon [dharding@SOUTHERNWINE.com]
Sent: Monday, March 12, 2007 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move to OU

See, I didn’t want to have to 1. Create the Object in the correct OU ahead of time or 2. Use a command line tool to add a computer to the domain. I also
don’t want to redirect the Computers container to an OU as I have different OUs for different computers. Are there any scripting options?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Al Mulnick
Sent: Thursday, March 08, 2007 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Auto move to OU

Personally, I prefer this method. The reason for that is that it causes the installer to think before adding to the domain. I have often just delegated full rights to the OU to the installer for computer objects, so the step about delegating
themselves rights to join the machine wasn't necessary. But the process works well and I've even gone so far as to write a utility for the group to be able to add en masse (it's a migration after all) via text file. It keeps the computer accounts where they
belong.

Could you write a script to do this? Sure. But how do you know what OU to move it to? If it's the same each time, then check out the other posts that talk about redirecting the default container. If you have to divide them into different
OUs depending on some criteria, then you may want to consider Aaron's method because it doesn't require any funny timing, or scheduling or somebody to remember to run a script to move computer objects. It happens, or the computer doesn't join the domain.
Simple. Secure. Fast.

Al


bdesmondUser is Offline

Posts:977

03/13/2007 6:41 AM  
You would need to elevate the script to run in a context that can make these changes, or you'd need to modify the ACL on every computer account to grant SELF the rights to do the move, which would be
fairly easy to exploit and delete computer accounts one by one.


Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132

From: ActiveDir-owner@mail.activedir.org [ActiveDir-owner@mail.activedir.org] On Behalf Of Harding, Devon [dharding@SOUTHERNWINE.com]
Sent: Tuesday, March 13, 2007 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move to OU

Hmm…you just gave me an idea. I’ll simply create a vbscript ‘Startup Script’ that will analyze the computer account and if it’s not in the ‘Servers’ OU,
it will simply just move it. Will this work?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Bart Van den Wyngaert
Sent: Tuesday, March 13, 2007 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Auto move to OU

Use the netdom utility from a VBScript? That's the way we do it.

Yes naming conventions are changed, but the process needs to keep in mind such things. So you put the correct people in the review process of that naming convention.

We work the same way for secure environments: they are moved at the end of the process to a separate OU with max. restrictions. During install they end up in their default OU based on our environment parameters. These kinds of exceptions will
always exist and I don't see a way to automate this, except that your build tool is configured to handle these kinds of parameters.


Best starting point is to see, even when you're doing the moves manually, that your process and procedures are correct and that you have a standard. This is an absolutely necessary basis to start with. Then you can start thinking about automating
the stuff. Example: a DB where the parameters are set and retrieved by your scripts, a web interface to view, edit, add, ... these parameters. Or based on the OS and naming convention, but then you have to make sure that you also have covered exceptions, either
manually or by standard (naming convention).

Our build tool is a self-made tool btw, but if you're a little bit familiar with unattended installations, it isn't that hard... Depends on environment of course. Before that we used RAT (by INS), but we modified it a bit too much. Then the decision
was taken to create the next version internally instead of buying a tool and completely modifying it... Nice but not applicable in every environment. For another client I use a totally different way, no DB or anything involved as they have only 5 PCs, so that's
totally overkill. But that client can (re)install a PC themselves if I put a small .ini file in place, so they are very happy with it. Larger environments may require a build app with DB.


Look around and keep in mind your total process, they go hand-in-hand !

Regards,
Bart


On 3/12/07, Al Mulnick wrote:
yeah, I've seen it done this way. But the danger that comes with that in most orgs is pretty big. That's because the assumption is that the naming convention is uniformly applied and retrofitted. Many orgs change their naming standards
too often. Since this thread is not about those issues and what it leads to, I think I'll let that drop. :)


The bit that still gets me about this thread, is that the poster asked to not use a command line tool but rather wanted a script. Did I misread that? Netdom doesn't fit if that's the case and the usage of netdom is something that wouldn't
be any easier or harder than using a process to pre-create the machines in the appropriate OU. More of a sacred cow process from the sound of it. I could be wrong, but that's how I interpret the use of netdom to place a machine in its appropriate OU in
many situations. In some larger orgs (global, 50K desktops or better) it might make more sense to let the workstation do its own OU designation if you have multiple workstation images. If not, then I doubt you'll get the benefit from one vs. the other to
make it worth the time.

My $0.04 anyway.
On 3/12/07, Eric C. Jones wrote:
Adding my little bit too…

The way the gentleman does it below is an excellent way to do it. In a previous life I wrote a VBScript to do just that. I used a string function to move servers based on naming convention. I initially ran it in a polling manner,
running every 2 minutes. The script was very lightweight and just queried our [redirected] default OU. It operated in 2 stages. It would move the computer object based on OS + naming convention. If the naming convention wasn't followed or if we just had a
new type for me to account for... it would move the computer (server) object to a special OU where only general configuration policies applied, but not our full security enforcement. From there I let others police what should happen to the servers in the "Rogue"
OU. I eventually modified the script to run only when new computer objects were added to the redirected OU.
I personally prefer VBScript, as a generalist; however you could achieve the same with a combination of "ADFind" and "DSmod".

Thanks,

-Eric

From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Harding, Devon
Sent: Monday, March 12, 2007 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move to OU


What tool are you using to automate this process? This is exactly what I'm looking for.

-Devon
From:
ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Bart Van den Wyngaert
Sent: Monday, March 12, 2007 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Auto move to OU

Automating this requires simply the correct parameters. Don't know how you guys build machines, but in most automated build processes you use parameters (not?).

We for example have a default OU when we're building a server (which seems logical to me). As the last step of our building process, the script moves the object in AD to the correct OU, depending on the parameter specified. This parameter actually depends on the
type of server (application, IIS, SQL, ...) and is included in the naming convention. Result is that this parameter is automatically derived...


So we have 2 steps:
- Join domain to default OU (netdom command)
- Move object in AD to final OU

As already indicated earlier, look at your process. The key is in there!

Best regards,
Bart


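Brian's "scheduled task on a DC that sweeps the Computers container", Bart's two-step build (join into a default OU, then move to the final OU derived from the name) and Eric's naming-convention router with a "Rogue" OU for anything that does not match, combined into one added example. This is not code from the thread or from any participant: it assumes the ActiveDirectory RSAT and ScheduledTasks modules, the domain corp.example, the OU names and name patterns in the routing table, a script path C:\Scripts\Move-NewComputers.ps1 and a gMSA CORP\svc-oumove$, all placeholders. The operating system attribute is used as a second signal so that a machine whose name says "server" but whose OS says otherwise is quarantined rather than dropped into a hardened OU.

```powershell
# Added example, not from the thread. DNs, patterns, paths and the gMSA are placeholders.
Import-Module ActiveDirectory

$SourceContainer = "CN=Computers,DC=corp,DC=example"
$QuarantineOu    = "OU=Rogue,DC=corp,DC=example"   # general policies only, no full hardening

# Name pattern -> destination OU. First match wins, so the list is ordered.
$Routes = [ordered]@{
    '^SQL\d{2,}$' = "OU=SQL,OU=Servers,DC=corp,DC=example"
    '^WEB\d{2,}$' = "OU=IIS,OU=Servers,DC=corp,DC=example"
    '^APP\d{2,}$' = "OU=Application,OU=Servers,DC=corp,DC=example"
    '^WS-'        = "OU=Workstations,DC=corp,DC=example"
}

function Resolve-TargetOu {
    param([string] $Name, [string] $OperatingSystem)
    # A server OU only takes a server OS and vice versa; a mismatch between the
    # name and what the machine reported at join time goes to quarantine.
    $serverOs = $OperatingSystem -match 'Server'
    foreach ($pattern in $Routes.Keys) {
        if ($Name -notmatch $pattern) { continue }
        $ou       = $Routes[$pattern]
        $serverOu = $ou -like '*OU=Servers,*'
        if ($serverOu -ne $serverOs) { return $QuarantineOu }
        return $ou
    }
    return $QuarantineOu
}

function Move-NewComputers {
    param([switch] $WhatIf)
    # OneLevel: only objects sitting directly in the default container.
    $pending = Get-ADComputer -SearchBase $SourceContainer -SearchScope OneLevel -Filter * `
        -Properties operatingSystem, whenCreated
    foreach ($c in $pending) {
        # The joining client fills in operatingSystem during the join; an empty
        # value means the join is still in progress, so leave it for the next run.
        if (-not $c.operatingSystem) { continue }
        $target = Resolve-TargetOu -Name $c.Name -OperatingSystem $c.operatingSystem
        Write-Output ("{0} [{1}] -> {2}" -f $c.Name, $c.operatingSystem, $target)
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $target -WhatIf:$WhatIf
    }
}

# Dry run first.
Move-NewComputers -WhatIf

# Then register it on one DC under a gMSA that holds Delete on computer objects
# in the source container and Create Child (computer) on every destination OU.
# The task runs as that identity, not as any computer account's own SELF.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Move-NewComputers.ps1'
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)
$who     = New-ScheduledTaskPrincipal -UserId 'CORP\svc-oumove$' -LogonType Password   # gMSA logon type
Register-ScheduledTask -TaskName 'Move-NewComputers' -Action $action -Trigger $trigger -Principal $who
```

Because the task's identity, not the computer object's ACL, carries the move rights, no computer account gains the ability to delete or relocate itself, which is the exposure Brian raises against granting SELF the move. The quarantine OU is where Al's "naming standards change too often" objection lands: a renamed convention produces a visible pile in OU=Rogue rather than a silent mis-scoping.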
dhardingUser is Offline

Posts:39

03/13/2007 12:11 PM  
Hmm…you just gave me an idea. I’ll simply create a vbscript ‘Startup
Script’ that will analyze the computer account and if it’s not in the ‘Servers’
OU, it will simply just move it. Will this work?

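Devon's startup-script idea above, and Brian's reply earlier in the thread, turn on one fact: a startup script runs as LocalSystem and authenticates to the directory as the computer account, so the only rights it has on its own object are those granted to SELF (plus whatever broad groups such as Domain Computers hold). For the script to move the object, SELF would need Delete on the object (or Delete Child on its parent) and Create Child on the destination, which is exactly what Brian warns makes computer accounts easy to delete one by one. The following added check, not code from the thread or any participant, assumes the ActiveDirectory RSAT module and scans a search base for computer objects whose ACL grants SELF any of those rights or anything broader; the OU name in the usage line is a placeholder.

```powershell
# Added example, not from the thread. Lists computer objects whose own account (SELF)
# holds rights that would let a script running as the machine move or delete the object.
Import-Module ActiveDirectory

$SelfSid     = 'S-1-5-10'   # NT AUTHORITY\SELF
$RiskyRights = [System.DirectoryServices.ActiveDirectoryRights] `
    'Delete, DeleteTree, WriteDacl, WriteOwner, GenericWrite, GenericAll'

function Get-SelfRiskyAce {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADComputer -SearchBase $SearchBase -Filter * | ForEach-Object {
        $computer = $_
        $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Resolve the trustee to a SID so "NT AUTHORITY\SELF" and a raw S-1-5-10 compare equal.
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -ne $SelfSid) { continue }
            $hit = $ace.ActiveDirectoryRights -band $RiskyRights
            if ($hit -eq 0) { continue }
            [pscustomobject]@{
                Computer  = $computer.Name
                Rights    = $hit
                Inherited = $ace.IsInherited
                # An inherited ACE means the grant sits on an OU and affects every object below it.
                Source    = $(if ($ace.IsInherited) { 'inherited from a parent' } else { 'explicit on object' })
            }
        }
    }
}

# Usage: anything returned is a candidate for removal; fix the OU rather than
# the object when the ACE is inherited.
Get-SelfRiskyAce -SearchBase "OU=Servers,DC=corp,DC=example" | Format-Table -AutoSize
```

A clean directory returns nothing here, because the default security descriptor for the computer class gives SELF validated writes and a few attribute writes but not Delete or control rights. The same loop with a different trustee filter (Domain Computers, Authenticated Users) is the obvious extension, since a grant to those groups reaches every machine account just as well as a grant to SELF does.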
AD000001290User is Offline

Posts:0

03/13/2007 12:16 PM  
FWIW: I've seen that done before, where a script ran at
startup and analysed the computer name.

Based upon the name, the script moved the computer object
to the correct OU.

neil
From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Harding,
DevonSent: 13 March 2007 16:12To:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Auto move to
OU
Hmm… you just gave me an idea. I'll simply create a VBScript 'Startup Script' that
will analyze the computer account and, if it's not in the 'Servers' OU, it will
simply just move it. Will this work?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bart Van den Wyngaert
Sent: Tuesday, March 13, 2007 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Auto move to OU
Use the netdom utility from a VBScript? That's the way we do
it.

Yes, naming conventions are changed, but the process needs to
keep in mind such things. So you put the correct people in the review process of
that naming convention.

We work the same way for secure environments: they are moved at
the end of the process to a separate OU with max. restrictions. During install
they end up in their default OU based on our environment parameters. These kinds
of exceptions will always exist and I don't see a way to automate this, except
that your build tool is configured to handle these kinds of parameters.


Best starting point is to see, even when you're doing the
moves manually, that your process and procedures are correct and that you have a
standard. This is an absolutely needed basis to start with. Then you can start
thinking about automating the stuff. Example: a DB where the parameters are set
and retrieved by your scripts, a web interface to view, edit, add, ... these
parameters. Or based on the OS and naming convention, but then you have to make
sure that you have also covered exceptions, either manually or by standard
(naming convention).

Our build tool is a self-made tool btw, but if you're a little
bit familiar with unattended installations, it isn't that hard... Depends on
the environment of course. Before that we used RAT (by INS), but we modified it a bit
too much. Then the decision was taken to create the next version internally
instead of buying a tool and completely modifying it... Nice but not in every
environment applicable. For another client I use a totally different way, no DB
or anything involved as they have only 5 PCs, so that's totally overkill. But
that client can (re)install a PC themselves if I put a small .ini file in place,
so they are very happy with it. Larger environments may require a build app with
a DB.

Look around and keep in mind your total process, they go
hand-in-hand !

Regards,

Bart

On 3/12/07, Al Mulnick wrote:
yeah, I've seen it done this way. But the danger that
comes with that in most orgs is pretty big. That's because the assumption
is that the naming convention is uniformly applied and retrofitted. Many
orgs change their naming standards too often. Since this thread is not
about those issues and what it leads to, I think I'll let that drop. :)


The bit that still gets me about this thread is that the
poster asked to not use a command line tool but rather wanted a script.
Did I misread that? Netdom doesn't fit if that's the case, and the usage of
netdom is something that wouldn't be any easier or harder than using a process
to pre-create the machines in the appropriate OU. More of a sacred cow
process from the sound of it. I could be wrong, but that's how I interpret
the use of netdom to place a machine in its appropriate OU in many situations.
In some larger orgs (global, 50K desktops or better) it might make more sense to
let the workstation do its own OU designation if you have multiple workstation
images. If not, then I doubt you'll get the benefit from one vs. the other to
make it worth the time.

My $0.04 anyway.


On 3/12/07, Eric C. Jones wrote:
Adding my little bit too…

The way the gentleman does it below is an
excellent way to do it. In a previous life I wrote a VBScript to do just
that. I used a string function to move servers based on naming convention.
I initially ran it in a polling manner, running every 2 minutes. The
script was very lightweight and just queried our [redirected] default OU. It
operated in 2 stages. It would move the computer object based on OS + naming
convention. If the naming convention wasn't followed or if we just had a
new type for me to account for… it would move the computer (server) object to a
special OU where only general configuration policies applied, but not our full
security enforcement. From there I let others police what should
happen to the servers in the "Rogue" OU. I eventually modified the script
to run only when new computer objects were added to the redirected OU.
I personally prefer VBScript, as a generalist;
however, you could achieve the same with a combination of "ADFind" and
"DSmod".

Thanks,

-Eric

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Harding, Devon
Sent: Monday, March 12, 2007 2:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Auto move to OU
What tool are you using to automate this process? This is exactly what I'm looking
for.

-Devon
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bart Van den Wyngaert
Sent: Monday, March 12, 2007 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Auto move to OU
Automating this requires simply the correct parameters. Don't know how you
guys build machines, but in most automated build processes you use parameters
(not?).

We for example have a default OU when we're building a server (which seems
logical to me). As the last step of our building process, the script moves the object
in AD to the correct OU, depending on the parameter specified. This parameter
actually depends on the type of server (application, IIS, SQL, ...) and is
included in the naming convention. The result is that this parameter is
automatically derived...

So we have 2 steps:

- Join domain to default OU (netdom command)

- Move object in AD to final OU

As already indicated earlier, look at your process. The key is in
there!

Best regards,

Bart

On 3/12/07, Harding, Devon wrote:
See, I didn't want to have to
1. Create the object in the correct OU ahead of time, or 2. Use a command line
tool to add a computer to the domain. I also don't want to redirect the
Computers container to an OU as I have different OUs for different
computers. Are there any scripting options?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Thursday, March 08, 2007 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Auto move to OU

Personally, I prefer this method. The reason for that is that it causes
the installer to think before adding to the domain. I have often just
delegated full rights to the OU to the installer for computer objects, so the
step about delegating themselves rights to join the machine wasn't
necessary. But the process works well and I've even gone so far as to
write a utility for the group to be able to add en masse (it's a migration after
all) via text file. It keeps the computer accounts where they belong.


Could you write a script to do this? Sure. But how do you know
what OU to move it to? If it's the same each time, then check out the
other posts that talk about redirecting the default container. If you have to
divide them into different OU's depending on some criteria, then you may want to
consider Aaron's method because it doesn't require any funny timing, or
scheduling or somebody to remember to run a script to move computer
objects. It happens, or the computer doesn't join the domain.
Simple. Secure. Fast.

Al

On 3/8/07, Aaron Steele wrote:
Devon,

This is not necessary. If you use
delegated join whereby you delegate rights on the target OU to the personnel in
charge of adding the machines to the domain to "Create" computer objects within
the OU. They create the objects, give themselves rights to join it to the
domain. Active Directory matches based on NetBIOS name when a machine
attempts to join, and you have a server, joined to the domain, with its "Server
Object" in the correct OU.

Hope that helps.
/aaron

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Harding, Devon
Sent: Thursday, March 08, 2007 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Auto move to OU
Is it possible to create a script or GPO that will auto move a server object
to a different OU after its been joined to a domain?

-Devon


PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
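The name-driven move that Neil and Eric describe above, as an added PowerShell example (not code from the list thread or from any poster). It assumes the ActiveDirectory module, a placeholder domain contoso.com, a staging OU the join lands in, and a constructed naming convention SITE-ROLE-NN (e.g. LON-SQL-01); anything that does not match the allow-list goes to a "Rogue" OU for review rather than to a guessed OU.

```powershell
# Added example: two-stage OU placement for a freshly joined server.
# Assumptions (constructed, not from the thread): ActiveDirectory module present,
# domain contoso.com (placeholder), names follow <SITE>-<ROLE>-<NN>, e.g. LON-SQL-01.
Import-Module ActiveDirectory

$DomainDN  = 'DC=contoso,DC=com'                      # placeholder domain
$StagingOU = "OU=Staging,OU=Servers,$DomainDN"        # where a plain join lands
$RogueOU   = "OU=Rogue,OU=Servers,$DomainDN"          # holding OU, baseline GPOs only

# Allow-list of roles the naming convention recognises -> target OU.
# Anything not listed lands in the Rogue OU so a human decides, never the script.
$RoleToOU = @{
    'SQL' = "OU=SQL,OU=Servers,$DomainDN"
    'IIS' = "OU=Web,OU=Servers,$DomainDN"
    'APP' = "OU=Application,OU=Servers,$DomainDN"
}

function Get-TargetOU {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Stage 1: parse the name strictly. A loose match would let a machine with
    # an arbitrary name pick its own (less restricted) OU via the naming scheme.
    if ($ComputerName -match '^[A-Z]{3}-(?<role>[A-Z]{3})-\d{2}$' -and
        $RoleToOU.ContainsKey($Matches.role)) {
        return $RoleToOU[$Matches.role]
    }
    # Stage 2: unknown pattern or unknown role -> quarantine OU (Eric's "Rogue" OU).
    return $RogueOU
}

function Move-ServerToOU {
    param([Parameter(Mandatory)][string]$ComputerName, [switch]$WhatIf)
    $computer  = Get-ADComputer -Identity $ComputerName
    # Parent container is everything after the first RDN of the DN.
    $currentOU = ($computer.DistinguishedName -split ',', 2)[1]
    $targetOU  = Get-TargetOU -ComputerName $computer.Name
    if ($currentOU -eq $targetOU) { return "$($computer.Name): already in $targetOU" }
    # Move-ADObject honours -WhatIf, so the run can be rehearsed before it is trusted.
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOU -WhatIf:$WhatIf
    return "$($computer.Name): $currentOU -> $targetOU"
}

# Example run: process everything still sitting directly in the staging OU (dry run).
Get-ADComputer -SearchBase $StagingOU -SearchScope OneLevel -Filter * |
    ForEach-Object { Move-ServerToOU -ComputerName $_.Name -WhatIf }
```

As a startup script this runs as the machine's own computer account, which then needs delegated rights to move objects out of the staging OU and into every target OU; running it instead from a management host on a schedule or on new-object events, as Eric eventually did, keeps that right off every joined machine.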
adwulfUser is Offline

Posts:93

03/13/2007 12:47 PM  
On 13/03/07, neil.ruston@uk.nomura.com wrote:
>
> FWIW: I've seen that done before, where a script ran at startup and analysed
> the computer name.
>
> Based upon the name, the script moved the computer object to the correct OU.
>
For organisations with computer names that bear no relation to their
geographical home, can anyone see any pitfalls of moving it based upon
its IP address (or rather, which subnet it's on)?

Regards,
--
AdamT
"Just pick a random entry in the BNF and ship it to Surbiton, please"
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
Copyright 2009 ActiveDir.org