Re: GPO Logon Script that requires AD rights
"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in message news:OQ1y$XHHKHA.1380@xxxxxxxxxxxxxxxxxxxxxxx

"Tranquil-IT" <brandan.creed@xxxxxxxxx> wrote in message news:1a038415-f99a-4f70-ad1e-868444e06035@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello all, and thank you in advance for taking the time to read this
and to share any thoughts/comments.

I am currently helping an organization restructure their domain.
Currently all computer accounts (~500) are grouped together in one OU
in AD. Management of most things are currently being done manually.
Fortunately, they have maintained an OU structure for users that is
based on their department.

What I need to do is organize the Computer accounts so that I can then
begin establishing managed software installations, etc.

Preferring not to do this by hand, I whipped up a quick vbs script
that when ran, grabs the Adspath information for the current user and
drops it into an array. The section of the array that has the user's
departmental OU (ie. "Sales") is then set to a variable and the "ou="
part of the string is stripped. The workstation name is then grabbed
and finally a function called that will move the computer account to a
matching computer OU (ie. Computers\Sales) for that user's department.

Everything works perfectly and I was happy it went so smoothly. I went
to go deploy the script via GPO for testing when I suddenly realized
this login script would do me no good since the users certainly don't
have the kind of rights required to manipulate AD like that.

Any ideas on how I might be able to salvage this script/idea? I can't
set it as a startup script, because there is currently no logged in
user during execution. I haven't checked, but I'm sure there's a "last
username logged in" sort of property I could query and use it that way
as a plan B, but I'd prefer to have it work appropriately the first
login, rather than 2nd.

Thank you kindly once again!

There are a couple of potential problems with your approach:

1. As you've noted, users won't have permissions to move the objects in AD.
2. You depend on a "correct" user logging into the computer, someone in the correct OU.
3. The script will run repeatedly, every time someone logs on.

Hard coding credentials is not a good idea, and doesn't address all of my concerns above. I prefer doing things like this in bulk remotely. Then you know it is done once per computer and the objects are moved where you expect. The key here is knowing which OU to use for each computer. If you can't document this, say in a spreadsheet, perhaps you can use a logon script to log user and computer names to a shared log file. I have an example VBScript program that logs information like this linked here:

http://www.rlmueller.net/Logon5.htm

The example, Logon5.vbs, logs the NT names (pre-Windows 2000 logon names) of the user and computer. You will want the Distinguished Names (DNs) instead, so instead of the lines:
=========
strUserName = objNetwork.UserName
strComputerName = objNetwork.ComputerName
=========
I would suggest:
=========
Dim objSysInfo
' ADSystemInfo returns the Distinguished Names of the logged-on user and the local computer
Set objSysInfo = CreateObject("ADSystemInfo")
strUserName = objSysInfo.UserName
strComputerName = objSysInfo.ComputerName
=========
You can skip the part of this example that retrieves the IP address, unless that will help you.

Wait a minute! What if there is a one-to-one relationship between the OUs that the computers should be in and the AD subnet or site where the computer is connected to their network? That is how our network is structured, however, it might not be the case here.

But if it *is* the case, I'm sure you'd know at least a couple of ways to determine the subnet/site of each computer...

/Al

After awhile the shared log file will document which users log into which computers. If this doesn't give you enough information to decide where each computer object should be moved, then certainly doing the moves in logon scripts wouldn't work well.

From the shared log file you can create a spreadsheet with the Distinguished Names of each computer and the Distinguished Name of the OU they should be moved into. You can sort the raw spreadsheet by computer DN, then select the best user DN for each computer. Spreadsheet functions should be able to strip off the common name of the user in the DN. The final spreadsheet should have one row for each computer, with one column for the DN of the computer and another for the DN of the target OU. Then you can code a VBScript program to read the values from the final spreadsheet, bind to each OU, and use the MoveHere method to move the computer objects into the correct OUs. Does this sound feasible to you? I can post an example VBScript program that reads computer and OU DNs from a spreadsheet and moves the objects.

Also, once you have decided on the OU of the "correct" user for each computer, you can also do a global find and replace in a spreadsheet to place the computer objects in a different OU from the users.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
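The logon-script half of the approach Richard describes above, as an added example written for this thread; it is not Logon5.vbs from his site, only modelled on the ADSystemInfo change he suggests. The UNC path of the shared log file is an assumption. The script needs no AD rights at all: it only reads the two DNs the local machine already knows and appends one tab-delimited line to the shared file (tabs rather than commas, because DNs contain commas).

```vbscript
' Added example: logon script that records user DN and computer DN to a shared log.
' Runs as the logging-on user, so it requires no permissions in AD.
Option Explicit

Const ForAppending = 8

Dim strLogPath
' Assumed UNC path. Grant users Append/Write but not Read on the share so one
' user cannot browse everyone else's logon history.
strLogPath = "\\server\LogonLog$\LogonDN.log"

Dim objSysInfo, objFSO, objLog
Dim strUserDN, strComputerDN

' ADSystemInfo returns Distinguished Names, e.g.
'   CN=Jane Doe,OU=Sales,OU=Users,DC=example,DC=com
'   CN=WS1234,OU=Workstations,DC=example,DC=com
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.UserName
strComputerDN = objSysInfo.ComputerName

' Never let a logon fail because the log share is down: swallow errors here.
On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile(strLogPath, ForAppending, True)
If Err.Number <> 0 Then
    WScript.Quit
End If

' Tab-delimited: timestamp, user DN, computer DN. Tabs are safe because a DN
' contains commas but never a tab.
objLog.WriteLine Now & vbTab & strUserDN & vbTab & strComputerDN
objLog.Close
```

Sorting the resulting file by the third column gives exactly the "which users log into which computers" view Richard describes, and because the separator is a tab the file imports into a spreadsheet without the DN commas being split into extra columns.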
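The bulk-move half, as an added example and not the program Richard offers to post: a VBScript that reads the final spreadsheet (exported as a tab-delimited text file, because DNs contain commas), binds to each target OU and moves the computer object with MoveHere. The file paths are assumptions. It is meant to be run once, interactively, under an account that has been delegated the right to move computer objects, which is the least-privilege alternative to giving users those rights or hard-coding credentials into a logon script. Each row is checked before anything is moved, every action and failure is written to a log, and a computer already sitting in its target OU is skipped so the script can be re-run safely.

```vbscript
' Added example: move computer objects into target OUs listed in a
' tab-delimited file (one row per computer: computerDN <TAB> targetOuDN).
Option Explicit

Const ForReading = 1
Const ForAppending = 8

Dim strInputPath, strLogPath
strInputPath = "C:\Moves\ComputerMoves.txt"   ' assumed path of the exported spreadsheet
strLogPath   = "C:\Moves\ComputerMoves.log"   ' assumed path of the audit log

Dim objFSO, objInput, objLog
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInput = objFSO.OpenTextFile(strInputPath, ForReading)
Set objLog = objFSO.OpenTextFile(strLogPath, ForAppending, True)

Dim strLine, arrFields, strComputerDN, strTargetOU
Dim objComputer, objOU, objMoved, strCurrentOU, intRow

intRow = 0
Do Until objInput.AtEndOfStream
    strLine = Trim(objInput.ReadLine)
    intRow = intRow + 1

    ' Skip blank lines and comment lines so the file can carry notes.
    If strLine <> "" And Left(strLine, 1) <> "#" Then
        arrFields = Split(strLine, vbTab)
        If UBound(arrFields) < 1 Then
            objLog.WriteLine Now & vbTab & "ROW " & intRow & vbTab & "SKIPPED: expected two tab-separated DNs"
        Else
            strComputerDN = Trim(arrFields(0))
            strTargetOU = Trim(arrFields(1))

            On Error Resume Next
            Err.Clear

            ' Bind to the computer first; a typo in the DN fails here, not mid-move.
            Set objComputer = GetObject("LDAP://" & strComputerDN)
            If Err.Number <> 0 Then
                objLog.WriteLine Now & vbTab & strComputerDN & vbTab & "ERROR binding computer: " & Err.Description
            Else
                ' Parent is an ADsPath ("LDAP://OU=..."); strip the prefix to get the OU DN.
                strCurrentOU = Mid(objComputer.Parent, Len("LDAP://") + 1)

                If LCase(strCurrentOU) = LCase(strTargetOU) Then
                    ' Idempotent: nothing to do if a previous run already moved it.
                    objLog.WriteLine Now & vbTab & strComputerDN & vbTab & "ALREADY IN " & strTargetOU
                Else
                    Set objOU = GetObject("LDAP://" & strTargetOU)
                    If Err.Number <> 0 Then
                        objLog.WriteLine Now & vbTab & strComputerDN & vbTab & "ERROR binding OU " & strTargetOU & ": " & Err.Description
                    ElseIf LCase(objOU.Class) <> "organizationalunit" Then
                        ' Refuse to move into a container that is not an OU (e.g. a group DN pasted by mistake).
                        objLog.WriteLine Now & vbTab & strComputerDN & vbTab & "SKIPPED: target is not an OU: " & strTargetOU
                    Else
                        ' MoveHere(sourceADsPath, newName); vbNullString keeps the existing RDN.
                        Set objMoved = objOU.MoveHere("LDAP://" & strComputerDN, vbNullString)
                        If Err.Number <> 0 Then
                            objLog.WriteLine Now & vbTab & strComputerDN & vbTab & "ERROR moving: " & Err.Description
                        Else
                            objLog.WriteLine Now & vbTab & strComputerDN & vbTab & "MOVED FROM " & strCurrentOU & " TO " & strTargetOU
                        End If
                    End If
                End If
            End If
            On Error GoTo 0
        End If
    End If
Loop

objInput.Close
objLog.Close
WScript.Echo "Done; see " & strLogPath
```

Running it under a delegated account rather than as Domain Admin, and keeping the log, gives a reviewable record of exactly which objects moved and why any row was refused, which is the "done once per computer, where you expect" property Richard is after and which a per-logon script cannot provide.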