  1. Senior Member
    Join Date
    Mar 2007
    Posts
    152
    #1

    How to make computer objects go to specific OU?

    Hi everyone,

    Here I am with another newbie question. At work we run Active Directory on Windows Server 2003. When a computer has to be re-joined to the domain (when it has been re-imaged, for example) and given the same name that it had before, I see that the computer object has been added to the default Computers container in AD. Is there any way to automate this process so that I don't have to move computer objects from the default Computers OU to the Computers OU where the object really belongs?

    Sorry if this is confusing.
    Thank you.

  3. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #2
    I know you can do it from an answer file and I believe a command line as well. Otherwise you could create the Computer object in the OU that you want it in and then when you join your computer link it to that already created account.

    Not sure how to actually do this though. I have only read about it. For me it was never a huge deal to select all the computers and just move them over.

  4. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #3

  5. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #4
    What I don't understand is, if Microsoft recommends moving your users and computers to OUs... why do they send them to containers by default?

  6. Senior Member motogpman's Avatar
    Join Date
    Apr 2008
    Location
    Houston, Texas
    Posts
    410

    Certifications
    MCSA 2k3 (270/290/291/293), Sec+, Net+, Server+, A+, Cert. in EE
    #5
    Because there are many different ways that companies can structure their AD tree.

  7. Still a noob earweed's Avatar
    Join Date
    Mar 2010
    Location
    Mobile, Alabama
    Posts
    5,176

    Certifications
    BSIT, Proj+, A+, Net+, Sec+: MCTS: X5; MCITP:EA
    #6
    If you don't set them up beforehand you'll know where to find them.

  8. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #7
    Originally posted by motogpman:
    Because there are many different ways that companies can structure their AD tree.
    I just read a section out of the MS press book that says
    "It is best to always create user objects in an OU so you can manage them later using group policies."
    Couple lines later
    "Therefore, your Active Directory installation should have appropriate OUs in it, in accordance with your organization's Active Directory design, before you begin creating user objects."

    If that is the best way to do it, why not make it default? Even if you choose not to make an OU tree, I don't see how having that container would be any different if it was an OU named Users.

  9. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #8
    Originally posted by Devilsbane:
    If that is the best way to do it, why not make it default? Even if you choose not to make an OU tree, I don't see how having that container would be any different if it was an OU named Users.
    You can't assign GPOs to the default users and computers containers, which is why you should configure new objects to go to a specific OU where you have locked things down. It's easy, especially in large organizations, to forget to move computer and user objects to the appropriate OU.

    Ideally, these default containers will have the most restrictive group policies applied to them. It's better to err on the side of being too restrictive rather than too permissive. If a user needs access to do something they're supposed to, they'll let you know. It's much rarer to have a user complain about having excessive privileges.
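
Added example, not part of the original thread: one way to audit the situation post #8 describes, where computer objects are left in a default location that cannot take a GPO link. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain controller running Active Directory Web Services, which a stock Windows Server 2003 DC does not provide; the target OU DN is a placeholder.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder: the OU that carries your baseline computer GPOs.
$TargetOU = 'OU=Workstations,DC=example,DC=com'

$domain = Get-ADDomain

# Where new objects land when no OU is specified at creation or domain join.
$defaults = [ordered]@{
    Computers = $domain.ComputersContainer
    Users     = $domain.UsersContainer
}

# A DN starting with "CN=" is a plain container: no GPO can be linked to it.
# After redirection to an OU the DN starts with "OU=" instead.
foreach ($kind in $defaults.Keys) {
    $dn = $defaults[$kind]
    [pscustomobject]@{
        DefaultFor  = $kind
        Location    = $dn
        GpoLinkable = -not ($dn -like 'CN=*')
    }
}

# Computer objects sitting directly in the default location, oldest first.
# These receive only domain-level policy until someone moves them.
$stale = Get-ADComputer -Filter * `
            -SearchBase $domain.ComputersContainer `
            -SearchScope OneLevel `
            -Properties whenCreated, OperatingSystem |
         Sort-Object whenCreated

$stale | Select-Object Name, OperatingSystem, whenCreated | Format-Table -AutoSize

# Preview the move into the managed OU. Remove -WhatIf to apply it.
$stale | ForEach-Object {
    Move-ADObject -Identity $_.DistinguishedName -TargetPath $TargetOU -WhatIf
}

# To change the default itself so future joins land in the OU, run the
# built-in redircmp.exe once from an elevated prompt (needs Windows
# Server 2003 domain functional level or higher):
#   redircmp "OU=Workstations,DC=example,DC=com"
```

Re-running the first loop after redirection should show `GpoLinkable` as `True` for Computers.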

  10. Senior Member Devilsbane's Avatar
    Join Date
    Apr 2010
    Posts
    4,203

    Certifications
    MCSE:Security, MCDST, A+, Network+, Security+, ITIL V3 Foundations, ITIL 2011 Intermediate: Service Transition, MOS 2007 (MCAS) BAS Computer Forensics
    #9
    Originally posted by dynamik:
    You can't assign GPOs to the default users and computers containers, which is why you should configure new objects to go to a specific OU where you have locked things down. It's easy, especially in large organizations, to forget to move computer and user objects to the appropriate OU.

    Ideally, these default containers will have the most restrictive group policies applied to them. It's better to err on the side of being too restrictive rather than too permissive. If a user needs access to do something they're supposed to, they'll let you know. It's much rarer to have a user complain about having excessive privileges.
    I know that you can't link a GPO to a container, that's why I'm confused that the users container is even a container. Why didn't/doesn't Microsoft just make it an OU?
