RE: [ActiveDir] joining station to the domain and GPO...
Hi all,

Thanks everyone for your inputs! The solution is now adopted.

I'll go with your suggestions, temporarily I'll pre-create the objects in AD until I upgrade to Win2k3 (soon) and then I'll use the Redircomp command.

Keep up the good work!

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] joining station to the domain and GPO...
That's a good idea, I'll check into that option. So simple that I never thought about it.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of David Aragon
> Sent: Wednesday, April 13, 2005 2:59 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] joining station to the domain and GPO...
>
> Michel,
>
> You asked how we would handle the situation. Rather than a solution that looks at things done after the fact, my question back to you would be this:
>
> You mention the techs have the ability to add computers to the Domain, but do not have the ability to move objects from one OU to another OU (I have the same setup). Do the techs have, and if not someone in your organization should have, the ability to pre-create the computer objects where they belong, say when the request comes in from the user or a supervisor to join a system? I mention this because you said the computer account is created in OU=COMPUTERS, the default container used when there is no pre-created object. Pre-creation would solve your problem as when the system is joined to the Domain it would be where it belonged and get all the appropriate GPO's. I understand your pain, I suffer from the same ailment you're describing, a few techs that can't seem to follow even the simplest instruction set, but in the long run pre-creation actually saves time and energy.
>
> David Aragon
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
> > Sent: Wednesday, April 13, 2005 8:31 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] joining station to the domain and GPO...
> >
> > Hi,
> > I have a little question as to how you guys would handle this situation...
> >
> > I have 2 techs that are adding stations to the domain from time to time.
> > When they join the stations to the domain, the computer account is created in the COMPUTERS built-in OU.
> > I have many OUs that are used to deploy the GPOs depending on the type of computers, let's say desktop and laptops.
> >
> > The problem actually occurs because they "forget" to tell me that they added a new laptop to the domain and this new added machine ends up on the network w/o the proper GPOs applied.
> >
> > I actually check the OU manually but I would like to have any automated way to check for new computer account added in the OU. For control purposes, they don't have access to move the computer account from an OU to another and it has to stay that way.
> >
> > Any ideas or 3rd party programs that can help are appreciated...
> >
> > Thanks
RE: [ActiveDir] joining station to the domain and GPO...
Sorry for not mentioning it... it's a native win2k domain with XP sp2 stations and laptops.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of mike kline
> Sent: Wednesday, April 13, 2005 2:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] joining station to the domain and GPO...
>
> Michel,
>
> If you are running Windows 2003 then the Redircomp.exe may be what you are looking for.
>
> From:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/bf5437ce-389c-4dc9-953c-999f854b98d1.mspx
>
> Redirusr.exe (for user accounts) and Redircomp.exe (for computer accounts) are two new tools included with Windows Server 2003 that enable you to change the default location where new user and computer accounts are created so you can more easily scope GPOs directly to newly created user and computer objects.
>
> This article describes its use:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;324949
>
> I hope that helps
>
> Thanks
> Mike
>
> On 4/13/05, Bruyere, Michel <[EMAIL PROTECTED]> wrote:
> > Hi,
> > I have a little question as to how you guys would handle this situation...
> >
> > I have 2 techs that are adding stations to the domain from time to time.
> > When they join the stations to the domain, the computer account is created in the COMPUTERS built-in OU.
> > I have many OUs that are used to deploy the GPOs depending on the type of computers, let's say desktop and laptops.
> >
> > The problem actually occurs because they "forget" to tell me that they added a new laptop to the domain and this new added machine ends up on the network w/o the proper GPOs applied.
> >
> > I actually check the OU manually but I would like to have any automated way to check for new computer account added in the OU. For control purposes, they don't have access to move the computer account from an OU to another and it has to stay that way.
> >
> > Any ideas or 3rd party programs that can help are appreciated...
> >
> > Thanks
RE: [ActiveDir] joining station to the domain and GPO...
Michel,

You asked how we would handle the situation. Rather than a solution that looks at things done after the fact, my question back to you would be this:

You mention the techs have the ability to add computers to the Domain, but do not have the ability to move objects from one OU to another OU (I have the same setup). Do the techs have, and if not someone in your organization should have, the ability to pre-create the computer objects where they belong, say when the request comes in from the user or a supervisor to join a system? I mention this because you said the computer account is created in OU=COMPUTERS, the default container used when there is no pre-created object. Pre-creation would solve your problem as when the system is joined to the Domain it would be where it belonged and get all the appropriate GPO's. I understand your pain, I suffer from the same ailment you're describing, a few techs that can't seem to follow even the simplest instruction set, but in the long run pre-creation actually saves time and energy.

David Aragon

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
> Sent: Wednesday, April 13, 2005 8:31 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] joining station to the domain and GPO...
>
> Hi,
> I have a little question as to how you guys would handle this situation...
>
> I have 2 techs that are adding stations to the domain from time to time.
> When they join the stations to the domain, the computer account is created in the COMPUTERS built-in OU.
> I have many OUs that are used to deploy the GPOs depending on the type of computers, let's say desktop and laptops.
>
> The problem actually occurs because they "forget" to tell me that they added a new laptop to the domain and this new added machine ends up on the network w/o the proper GPOs applied.
>
> I actually check the OU manually but I would like to have any automated way to check for new computer account added in the OU. For control purposes, they don't have access to move the computer account from an OU to another and it has to stay that way.
>
> Any ideas or 3rd party programs that can help are appreciated...
>
> Thanks
Re: [ActiveDir] joining station to the domain and GPO...
Michel,

If you are running Windows 2003 then the Redircomp.exe may be what you are looking for.

From:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/bf5437ce-389c-4dc9-953c-999f854b98d1.mspx

Redirusr.exe (for user accounts) and Redircomp.exe (for computer accounts) are two new tools included with Windows Server 2003 that enable you to change the default location where new user and computer accounts are created so you can more easily scope GPOs directly to newly created user and computer objects.

This article describes its use:

http://support.microsoft.com/default.aspx?scid=kb;en-us;324949

I hope that helps

Thanks
Mike

On 4/13/05, Bruyere, Michel <[EMAIL PROTECTED]> wrote:
> Hi,
> I have a little question as to how you guys would handle this situation...
>
> I have 2 techs that are adding stations to the domain from time to time.
> When they join the stations to the domain, the computer account is created in the COMPUTERS built-in OU.
> I have many OUs that are used to deploy the GPOs depending on the type of computers, let's say desktop and laptops.
>
> The problem actually occurs because they "forget" to tell me that they added a new laptop to the domain and this new added machine ends up on the network w/o the proper GPOs applied.
>
> I actually check the OU manually but I would like to have any automated way to check for new computer account added in the OU. For control purposes, they don't have access to move the computer account from an OU to another and it has to stay that way.
>
> Any ideas or 3rd party programs that can help are appreciated...
>
> Thanks
Re: [ActiveDir] joining station to the domain and GPO...
Check out the netdom utility. With that command line util you can join a computer to the domain and place it in the proper OU right from the start so I would have the techs use that utility to join the machines instead of just adding them and moving them manually to the proper OU.

If you follow a naming standard and can tell what machines need to be in what OU based on the machine name then you could use a script running as a scheduled task to move the machines from the Computers container to the proper OU.

Phil

On 4/13/05, Bruyere, Michel <[EMAIL PROTECTED]> wrote:
> Hi,
> I have a little question as to how you guys would handle this situation...
>
> I have 2 techs that are adding stations to the domain from time to time.
> When they join the stations to the domain, the computer account is created in the COMPUTERS built-in OU.
> I have many OUs that are used to deploy the GPOs depending on the type of computers, let's say desktop and laptops.
>
> The problem actually occurs because they "forget" to tell me that they added a new laptop to the domain and this new added machine ends up on the network w/o the proper GPOs applied.
>
> I actually check the OU manually but I would like to have any automated way to check for new computer account added in the OU. For control purposes, they don't have access to move the computer account from an OU to another and it has to stay that way.
>
> Any ideas or 3rd party programs that can help are appreciated...
>
> Thanks
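The scheduled-task approach from the message above, as an added example that is not code from the thread: it reports computer accounts still sitting in the default Computers container (the automated check asked for in the original question) and moves those whose names match a naming standard. It assumes the ActiveDirectory PowerShell module and a task account delegated to move computer objects; the domain DN, OU paths and the LT-/DT- prefixes are hypothetical.

```powershell
# Added example. The domain DN, OU paths and name prefixes are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DefaultContainer = 'CN=Computers,DC=example,DC=com'
)

Import-Module ActiveDirectory

# Hypothetical naming standard: computer-name prefix -> OU that carries the GPOs.
$OuByPrefix = [ordered]@{
    'LT-' = 'OU=Laptops,OU=Workstations,DC=example,DC=com'
    'DT-' = 'OU=Desktops,OU=Workstations,DC=example,DC=com'
}

function Resolve-TargetOu {
    param([string]$ComputerName)
    foreach ($prefix in $OuByPrefix.Keys) {
        if ($ComputerName.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            return $OuByPrefix[$prefix]
        }
    }
    return $null   # name does not follow the standard
}

# OneLevel: only objects sitting directly in the default container.
$stray = Get-ADComputer -Filter * -SearchBase $DefaultContainer `
    -SearchScope OneLevel -Properties whenCreated

foreach ($computer in $stray) {
    $target = Resolve-TargetOu -ComputerName $computer.Name
    $action = 'Unmatched, needs manual review'

    if ($target) {
        $action = 'Would move'
        if ($PSCmdlet.ShouldProcess($computer.Name, "Move to $target")) {
            try {
                Move-ADObject -Identity $computer.DistinguishedName `
                    -TargetPath $target -ErrorAction Stop
                $action = 'Moved'
            } catch {
                $action = "Move failed: $($_.Exception.Message)"
            }
        }
    }

    # One record per stray account; pipe to Export-Csv or mail it as the report.
    [pscustomobject]@{
        Name     = $computer.Name
        Created  = $computer.whenCreated
        TargetOu = $target
        Action   = $action
    }
}
```

Running the script with -WhatIf produces the report without moving anything, which also covers the case where accounts must stay put until an administrator has reviewed them.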
RE: [ActiveDir] joining station to the domain and GPO...
Instead of giving your techs the permission to add unlimited computers to the domain, give them the ability to create computer objects in the OU where they are going to end up. Then, when they create the computer object, they can assign themselves permissions to add it to the domain. That way, no computers get added to the Computers OU.

-Andrew

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Wednesday, April 13, 2005 10:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] joining station to the domain and GPO...

Hi,
I have a little question as to how you guys would handle this situation...

I have 2 techs that are adding stations to the domain from time to time.
When they join the stations to the domain, the computer account is created in the COMPUTERS built-in OU.
I have many OUs that are used to deploy the GPOs depending on the type of computers, let's say desktop and laptops.

The problem actually occurs because they "forget" to tell me that they added a new laptop to the domain and this new added machine ends up on the network w/o the proper GPOs applied.

I actually check the OU manually but I would like to have any automated way to check for new computer account added in the OU. For control purposes, they don't have access to move the computer account from an OU to another and it has to stay that way.

Any ideas or 3rd party programs that can help are appreciated...

Thanks