Dynamically Moving Computer Objects

I am planning a move of computer objects from the common "Computers" container to respective OU's that are sorted by the "User Department" attribute. Is there a way that I can move them at login, where the script would lookup what department the user belongs to and moves the computer object to that OU? Examples of OU's are: O3B,O5A,C15,D32. Thank you.

JV wrote:
> I am planning a move of computer objects from the common "Computers" container to respective OU's that are sorted by the "User Department" attribute.
> Is there a way that I can move them at login, where the script would lookup what department the user belongs to and moves the computer object to that OU? Examples of OU's are: O3B,O5A,C15,D32.
> Thank you.

I would move the computers in bulk myself, perhaps with a script, but then you probably have no way to determine which department each belongs to. Can you be sure the right person will be the first to log into the computers? Also, you would need to make sure each computer only got moved once. A logon script seems the wrong way to do this.

A VBScript program to move a computer would:

1. Bind to the computer object. In a logon script, the ADSystemInfo object can be used to retrieve the Distinguished Name (DN) of the current computer.
2. Bind to the new OU.
3. Use the MoveHere method of the OU object, passing the AdsPath of the computer to the method.

Perhaps when you retrieve the DN of the computer you can check and only move if the object is in cn=Computers.

A script could enumerate all computer objects in the cn=Computers, bind to each, and move them - if you have a way to determine the department/OU. Another option would be to have a script spit out all computer DN's to a spreadsheet, then add a column to the spreadsheet (or text file) for OU, then have another script read the spreadsheet (or text file) and perform the moves.

"Richard Mueller [MVP]" wrote:
> JV wrote:
>
> > I am planning a move of computer objects from the common "Computers" container to respective OU's that are sorted by the "User Department" attribute.
> > Is there a way that I can move them at login, where the script would lookup what department the user belongs to and moves the computer object to that OU? Examples of OU's are: O3B,O5A,C15,D32.
> > Thank you.
>
> I would move the computers in bulk myself, perhaps with a script, but then you probably have no way to determine which department each belongs to. Can you be sure the right person will be the first to log into the computers? Also, you would need to make sure each computer only got moved once. A logon script seems the wrong way to do this.
>
> A VBScript program to move a computer would:
>
> 1. Bind to the computer object. In a logon script, the ADSystemInfo object can be used to retrieve the Distinguished Name (DN) of the current computer.
> 2. Bind to the new OU.
> 3. Use the MoveHere method of the OU object, passing the AdsPath of the computer to the method.
>
> Perhaps when you retrieve the DN of the computer you can check and only move if the object is in cn=Computers.
>
> A script could enumerate all computer objects in the cn=Computers, bind to each, and move them - if you have a way to determine the department/OU. Another option would be to have a script spit out all computer DN's to a spreadsheet, then add a column to the spreadsheet (or text file) for OU, then have another script read the spreadsheet (or text file) and perform the moves.
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> --

We have two sets of OU's created. One set for the users, and an identical set for the computer objects. The users are all correctly located in their respective OU's, but the computer objects are not. And their OU is correctly identified as the "Department" attribute in the User properties. That is why I wanted to poll it as the unique identifier.
Instead of running it at login, would a script be able to scan the domain, check all users that are logged into it, check what pc's they are using, and move the computer object into the OU respective of that user's "Department" attribute? Then it would only have to be run once.

"JV" <J*@discussions.microsoft.com> wrote in message news:A2D91A68-E670-4D68-ACD6-C3A69FE6D38E@microsoft.com...
> We have two sets of OU's created. One set for the users, and an identical set for the computer objects. The users are all correctly located in their respective OU's, but the computer objects are not. And their OU is correctly identified as the "Department" attribute in the User properties. That is why I wanted to poll it as the unique identifier.
> Instead of running it at login, would a script be able to scan the domain, check all users that are logged into it, check what pc's they are using, and move the computer object into the OU respective of that user's "Department" attribute? Then it would only have to be run once.

You will have to excuse me. I'm used to networks where anyone can logon to any computer. AD is not designed to maintain any correspondence between users and computers. Given a user, there is no way to tell which computer they use. Given a computer, there is no good way to tell who uses it. I suggested the spreadsheet because I thought it would be easier for you to tell from the computer name which department it belonged in.

A quick try at a logon script (assuming all clients are Windows 2000 or above):
==============
Option Explicit

Dim objSysInfo, strComputer, strUser, objComputer, objUser
Dim strDepartment, strOU, objOU

' Retrieve DN of current user and computer from ADSystemInfo object.
Set objSysInfo = CreateObject("ADSystemInfo")
strComputer = objSysInfo.ComputerName
strUser = objSysInfo.UserName

' Bind to computer and user objects.
Set objComputer = GetObject("LDAP://" & strComputer)
Set objUser = GetObject("LDAP://" & strUser)

' Check that computer in cn=Computers container.
If (InStr(LCase(strComputer), "cn=computers") = 0) Then
    ' Computer not in cn=Computers, abort.
    ' Perhaps already moved during previous logon.
    Wscript.Quit
End If

' Retrieve user department.
strDepartment = UCase(objUser.department)

' Select DN of OU from user department.
Select Case strDepartment
    Case "O3B"
        strOU = "ou=O3B,dc=MyDomain,dc=com"
    Case "O5A"
        strOU = "ou=O5A,dc=MyDomain,dc=com"
    Case "C15"
        strOU = "ou=C15,dc=MyDomain,dc=com"
    Case "D32"
        strOU = "ou=D32,dc=MyDomain,dc=com"
    Case Else
        ' Department not recognized, abort.
        Wscript.Quit
End Select

' Bind to target OU.
Set objOU = GetObject("LDAP://" & strOU)

' Move the computer object into the OU.
objOU.MoveHere objComputer.AdsPath, vbNullString
===========
This also assumes the correct person logs in.

Hello Richard.
Your first suggestion has turned out to be a more solid method due to "Run-as" rights. Your script works perfectly when I run it as a Domain Admin, but when I run it as a standard user, it fails (min has to have Account Operator rights). I tried prefacing this script with a second script that passes "Runas" rights but it won't pull the rights correctly. So I'm now trying the first idea, but I can't seem to get the syntax right. I am willing to manually change the OU, each time I run it. There are not that many OU's. How could I script this to load the PC names from a text file, one-by-one, and move them to the OU I have configured? (I'm new at AD scripting). Thank you in advance for any assistance you might offer.
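
One way to do the text-file move asked about in the last post, as an added example that is not code from either poster: it is run once by an administrative account, so ordinary users need no rights over computer objects, and it keeps the cn=Computers guard from the logon script. The file path, the OU DN and the status messages are assumptions; the NameTranslate lookup is this example's way of turning a bare computer name into a DN.

```vbscript
' Added example. Run with cscript under an account allowed to move computer objects.
Option Explicit
Const ForReading = 1
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_1779 = 1
Const ADS_NAME_TYPE_NT4 = 3
' Assumed values: change them for each batch.
Const strFile = "C:\Scripts\Computers.txt"   ' one NetBIOS computer name per line
Const strOU = "ou=O3B,dc=MyDomain,dc=com"    ' OU that receives this batch

Dim objSysInfo, objTrans, objOU, objFSO, objFile, strDomain, strName, strDN

' NetBIOS domain name, used to build DOMAIN\NAME$ for the lookup.
Set objSysInfo = CreateObject("ADSystemInfo")
strDomain = objSysInfo.DomainShortName
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
Set objOU = GetObject("LDAP://" & strOU)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, ForReading)

Do Until objFile.AtEndOfStream
    strName = Trim(objFile.ReadLine)
    strDN = ""
    If (strName <> "") Then
        ' Translate the name to a DN; a computer's sAMAccountName ends in "$".
        On Error Resume Next
        objTrans.Set ADS_NAME_TYPE_NT4, strDomain & "\" & strName & "$"
        If (Err.Number = 0) Then strDN = objTrans.Get(ADS_NAME_TYPE_1779)
        If (Err.Number <> 0) Then strDN = ""
        Err.Clear
        If (strDN = "") Then
            Wscript.Echo "NOT FOUND: " & strName
        ElseIf (InStr(LCase(strDN), ",cn=computers,") = 0) Then
            ' Same guard as the logon script: leave objects already placed in an OU alone.
            Wscript.Echo "SKIPPED, not in cn=Computers: " & strDN
        Else
            objOU.MoveHere "LDAP://" & strDN, vbNullString
            If (Err.Number <> 0) Then
                Wscript.Echo "FAILED: " & strDN & " (" & Err.Description & ")"
            Else
                Wscript.Echo "MOVED: " & strDN
            End If
        End If
        Err.Clear
        On Error GoTo 0
    End If
Loop
objFile.Close
```

Redirecting the cscript output to a file leaves a record of which objects were moved, skipped or not found for each batch.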