Move computers to different OUs based on AD's DynamicSitename

  • Last Post 29 July 2015
jfigueroa123 posted this 29 July 2015

Hi folks, I am looking to move AD client computers from one large OU to different OUs for each physical site.  

  1. The client computer naming convention has not been consistent to be trusted.
  2. The AD subnets and sites are being built to reflect the physical sites.
  3. I have seen some of the scripts out there that use the client subnets to do this. 
Once #2 above is completed, I thought I could leverage the DynamicSiteName in the registry of the domain client computers to accomplish this. However, I am not sure how this would work, or #3 for that matter, for mobile devices that may move between physical sites. Thoughts?

Regards,
Johnny A. Figueroa
Solution Architect
Figueroa IT, LLC
Johnnyfigueroa9@xxxxxxxxxxxxxxxx

g4ugm posted this 29 July 2015

Why? If you want to apply site-based policy, use site-based policy... How are you going to keep it up to date if folks move a computer?

Assuming you have a recent server, why not use the DNS name: https://technet.microsoft.com/en-us/%5Clibrary/JJ590781(v=WPS.630).aspx

Dave.


darren posted this 29 July 2015

Yea, I would ask, what is it you’re trying to achieve by using location-based OUs? Do you need to deliver location-specific GP settings? Or something else?

As Dave says, if GP targeting is your goal, either site-linked GPOs or Item-level targeting in GP Preferences could be a better solution.

Darren

Ravi.Sabharanjak posted this 29 July 2015

There is really no point in having OUs per location. OUs really make sense for administration/delegation or application of group policy.
If your administration is centralized or with a global team that supports all users, then your support team needs the same access to all computers. If your clients can be mobile as well, then they should receive the same uniform experience regardless of where they go. Both of these are arguments against a separate OU per location.
What is useful, however, is separating laptops from desktops, so that policies such as offline files, power, etc. may be applied differently to each type of device.
However, to answer the question, you could do the below:
- Allow the "self" principal to move the computer object at the OU level.
- Have a group policy startup script that calculates the proper OU for the machine and moves itself there.
For laptops, you could check whether the laptop has a battery and process it differently. Another option is to have the computer startup script write its model number to the AD attributes for its computer object, and then you can use adfind / admod to process.
hth,
-Ravi


jfigueroa123 posted this 29 July 2015

Thanks guys, sure, I am not explaining well enough. All client computers are in one OU today; we have created an OU structure with a regional breakdown as well as a physical location within the region, say Southwest and then Phoenix within the region. Phoenix has specific subnets that will be built into an AD site. We will delegate the ability to make computer and user changes to local admins based on that. I get using GPP to eliminate the need for an overly complex OU structure. So if I have all of these client computers in one OU, and the AD subnets and sites get built properly, I thought the most practical way to move the devices to where they belong would be leveraging AD's site awareness. Thanks


jfigueroa123 posted this 29 July 2015

Thanks Ravi, the idea of a startup script is where I think this needs to go. I was just trying to figure out the logic. If I use the DynamicSiteName, or build some subnet logic into it, devices that move between sites could ping-pong around. Thanks again


g4ugm posted this 29 July 2015

Yes, delegation of authority is the one good reason for OUs in AD. As someone else said, give the computers the right to change their own OU. Set up site-based start-up scripts that move the computer to the relevant site. Consider using "catch-all" subnets to make sure computers end up in a site. Dave Wade


Ravi.Sabharanjak posted this 29 July 2015

I have a script that I found quite some time ago on the net, which I tailored to my needs. It figures out the narrowest subnet that matches your IP, and then reads the location attribute off it. The location is expected to be populated in the Microsoft recommended format (location information separated by "/"), for example "North America/California/San Francisco/50 Bush St/Floor 10", using dssite.msc.
It's in VBScript. The same might be doable with PowerShell, probably with less code.
The script figures out its location components (city etc.) and writes them to the registry and AD. You could then move the objects as needed by querying the AD information using dsquery / admod.
Script is attached, hope it makes it through.
regards,
-Ravi
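The approach Ravi describes (narrowest matching AD subnet, then its "/"-separated Location attribute), combined with the startup-script move from his earlier post, Dave's catch-all subnet caveat and a guard against the ping-pong problem Johnny raised, as a PowerShell startup script. This is an added example, not the VBScript attached to the thread or anyone's production code. It assumes the RSAT ActiveDirectory module is installed on the client, that the SELF principal has been delegated the rights to move its own computer object (and to write its location attribute), that subnet Location values look like "Region/City/Street/Floor", and that the OU tree is OU=<City>,OU=<Region>,OU=Workstations,<domain DN>; all four are assumptions, not facts from the thread. Laptops (anything reporting a battery) are deliberately left where they are, and a move only happens when the subnet's site agrees with the site Netlogon actually resolved (DynamicSiteName), so a client that is still settling into a new site is not bounced around.

```powershell
# Added example (not from the thread). Assumptions: RSAT ActiveDirectory module on the
# client, SELF delegated to move its own computer object and write its location attribute,
# subnet Location in the form "Region/City/Street/Floor", and a hypothetical OU tree of
# OU=<City>,OU=<Region>,OU=Workstations,<domain DN>. Intended to run as a GP startup script.
Import-Module ActiveDirectory

$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-LocalIPv4Address {
    # Non-loopback, non-APIPA IPv4 addresses currently bound on this client
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -ExpandProperty IPAddress
}

function Test-IPInSubnet {
    param([string]$IP, [string]$Cidr)
    # Exact containment test for an IPv4 CIDR; IPv6 subnet objects are skipped
    $network, $bits = $Cidr.Split('/')
    $netAddr = [System.Net.IPAddress]::Parse($network)
    if ($netAddr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $ipBytes  = [System.Net.IPAddress]::Parse($IP).GetAddressBytes()
    $netBytes = $netAddr.GetAddressBytes()
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)   # ToUInt32 expects little-endian
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Find-NarrowestSubnet {
    param([string[]]$IPs)
    # Longest-prefix match: the most specific AD subnet that contains one of our addresses
    $best = $null
    foreach ($subnet in Get-ADReplicationSubnet -Filter * -Properties Location, Site) {
        $prefix = [int]$subnet.Name.Split('/')[1]
        foreach ($ip in $IPs) {
            if ((Test-IPInSubnet -IP $ip -Cidr $subnet.Name) -and ($null -eq $best -or $prefix -gt $best.Prefix)) {
                $best = [pscustomobject]@{ Name = $subnet.Name; Prefix = $prefix
                                          Location = $subnet.Location; SiteDN = $subnet.Site }
            }
        }
    }
    return $best
}

function Get-TargetOU {
    param([string]$Location, [string]$DomainDN)
    # Map the first two location components (Region/City) onto the assumed OU tree
    $parts = $Location -split '/'
    if ($parts.Count -lt 2) { return $null }
    $region = $parts[0].Trim() -replace ',', '\,'   # escape commas for an LDAP DN
    $city   = $parts[1].Trim() -replace ',', '\,'
    return "OU=$city,OU=$region,OU=Workstations,$DomainDN"
}

function Test-IsMobileDevice {
    # Battery heuristic from the thread: laptops are left alone so they do not ping-pong between OUs
    return [bool](Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue)
}

function Get-ParentDN {
    param([string]$DN)
    return ($DN -replace '^CN=(?:[^,\\]|\\.)+,', '')
}

if (Test-IsMobileDevice) { Write-Output 'Battery present: treating as mobile, no OU move.'; return }

$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$domainDN = (Get-ADDomain).DistinguishedName
$match    = Find-NarrowestSubnet -IPs (Get-LocalIPv4Address)
if (-not $match) { Write-Output 'No AD subnet contains our address (consider a catch-all subnet).'; return }

# Cross-check: the matched subnet's site must agree with what Netlogon resolved (DynamicSiteName)
$dynamicSite = (Get-ItemProperty -Path $NetlogonKey -Name DynamicSiteName -ErrorAction SilentlyContinue).DynamicSiteName
$subnetSite  = (Get-ADReplicationSite -Identity $match.SiteDN).Name
if ($dynamicSite -ne $subnetSite) { Write-Output "Site mismatch ($dynamicSite vs $subnetSite); skipping."; return }

$target = Get-TargetOU -Location $match.Location -DomainDN $domainDN
$targetExists = if ($target) {
    Get-ADOrganizationalUnit -LDAPFilter '(objectClass=organizationalUnit)' -SearchBase $target `
                             -SearchScope Base -ErrorAction SilentlyContinue
}
if (-not $targetExists) { Write-Output "No OU for location '$($match.Location)'; skipping."; return }

# Record the resolved location on the computer object so admins can later query it with dsquery/admod
Set-ADComputer -Identity $computer -Location $match.Location

if ((Get-ParentDN $computer.DistinguishedName) -eq $target) { Write-Output 'Already in the correct OU.'; return }
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target
Write-Output "Moved $($computer.Name) to $target"
```

Because the script runs as the computer account, every right it needs (move on the source and target OUs, write to the location attribute) has to be delegated to SELF explicitly, which keeps the blast radius to the machine's own object; a client whose address falls outside every defined subnet, or whose subnet-derived site disagrees with Netlogon's, is logged and left in place rather than guessed at.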


jfigueroa123 posted this 29 July 2015

Thank you all. Ravi, thanks for the script. I have something similar in PowerShell but will look at this code as well. Thanks again!
