Re: Join a PC to a specific OU?

From: Brendon Rogers (brendon_at_nospam-itology.net)
Date: 05/23/04 

Date: Sun, 23 May 2004 07:52:59 -0400

See http://support.microsoft.com/default.aspx?kbid=324949

A new feature in Windows 2003 is you can redirect the Computers container to
an OU. It doesn't give you the flexibillity to put the computers into
different OUs but at least you can add the computer to an OU which has the
appropriate GPOs applied, rather than having to worry about applying and
fitlering GPOs at the domain level.

We don't use this though - all our PCs are added through RIS and we use
menus to choose which OU to add them into.

"Oli Restorick [MVP]" <oli@mvps.org> wrote in message
news:O4#hdDAQEHA.1160@TK2MSFTNGP09.phx.gbl...
>
> "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
> news:O04weFqPEHA.4036@TK2MSFTNGP12.phx.gbl...
> > Right, that does mean it will only work (interactively) on stations with
> > netdom installed though.
> Yes. Since I'm doing the domain join as part of an unattended build, I
just
> include the netdom.exe file as part of the build. If you're looking for a
> way to add machines that have already been built to a specific OU, then
I'm
> not sure.
>
> What you're really looking for is a way to specify in Active Directory
which
> should be the default container/OU to add machines to. It's probably
> possible to do that. Perhaps one of the Directory Services guys might
> know -- a repost in microsoft.public.windows.server.active_directory might
> do the trick.
>
> It would be really cool if you could somehow use a WMI filter specified
> using AD that could determine the correct default OU for a machine.
>
> > I find the lack of an OU field in the GUI very odd, when you think Win2k
> > was designed to work with AD. Even more strange is that (apparently) XP
> > does not have this facility either.
> I think most people would find it confusing, to be honest. Most people
> would not get the LDAP path correct if you had to type it by hand. To
> provide a browse button, you'd need to authenticate against AD first.
>
> While most small businesses I know will go to the keyboard of the machine
to
> do a domain join, bigger companies are more likely to create the machine
> account in the correct OU and then let the end user do the domain join
> themselves. Then again, the default of allowing 10 domain joins per user
> doesn't tie up with this, as it doesn't have any administrative
involvement.
> You really don't want people dumping new machines into your computers
> container.
>
> As you've probably realised, you can't apply a GPO to the computers
> container (because it's a container). So, if you want a GPO to apply
here,
> you have to apply it at the site or domain level, at which point it's
going
> to get applied to your servers and probably several other machines you
don't
> want to hit.
>
> Regards
>
> Oli
>
>