Re: Redirect computers to a specific OU by IP Address
- From: is.that.spam.on.my.shoe@xxxxxxxxx
- Date: Wed, 27 Jun 2007 03:06:04 -0700
On Jun 26, 3:52 pm, Ryan Hanisco
<RyanHani...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,
Getting the IP address of the workstation is easy if you are running the
script from the workstation. The issue there is that it would be a huge
security hole to let the workstation update the directory from the UI. (If
you were to do this, you would have to hard code admin credentials.)
From the server you would be relying on a DNS or DHCP lease lookup. Neither
of these is authoritative -- what about dual-homed computers, DNS entries
that haven't been scavenged, expired leases... And if doing these in
batches, you couldn't guarantee that all the machines would be available.
From a consistency standpoint, I see this going all quagmire on you. In the
face of that, I'd probably just make that the responsibility of the local
admins and give them a timeline. This really SHOULDN'T take too long at all.
As to going forward, you can create a new OU to have all new computer
accounts as they are created. You'd then place a GPO on that OU to
COMPLETELY lock them down until an admin put them into the right OU. This
eliminates the problem, forces administration, and gives the admins incentive
to do their jobs.
Have a look at the following article: http://support.microsoft.com/default.aspx/kb/324949
Hope this helps.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need
quickly.
"is.that.spam.on.my.s...@xxxxxxxxx" wrote:
Ryan,
I much appreciate the response.
To be more succinct:
I do agree with you on the site vs OU model. However, because this is
an environment where it's become more or less a free for all (prior to
me coming on board) where there have been approx 15 separate admins
(with sufficient damage privileges) joining computer accounts to a
W2K3 domain without any thought as to where they should be placed
thereafter. All workstations will be static from that respect (any
laptops can be moved into a separate OU).
I'm in the process of disabling computer accounts that have not been
used for approx 180-240 days (as there is over 1000 computer accounts
currently held in the Computer container).
Like I said, I want to try to put a policy in place that will
automatically place any new computers into the relevant Site/Sub-
Container (Remote Site -> Computers_OU) if the site admin does not
move it after creation.
My problem is that I can't curtail the additions of new/rebuilt PCs
in the remote locations (very loose corporate enforcement policy) so I
want to attempt to put a cleanup process in place automatically in HQ.
My biggest problem is that I just don't know where to start the script
at....
:)
Hoot
On Jun 26, 5:36 am, Ryan Hanisco
<RyanHani...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
SpamShoe... <G>
There are two answers to your question:
1. Remember that computer accounts' site membership is determined by subnet
at the time. Since Site is one of the three places where you can bind a
Group Policy, it is relatively easy to create policies by site without having
to create OUs.
2. This flexibility is a blessing and a curse. If all your workstations are
static, it isn't a big deal. So something like folder redirection becomes
easy as you always bind to the local site. With mobile computers, the site
affinity changes as they move, making it more complicated. Even with
statically assigned OUs, you'll run into this problem. So you could write a
script to add computers to an OU, but what if they move -- or worse, what if
they're not at their primary site when the script runs?
You'll need to look at what you're really trying to do before you pick a
solution. Are you just trying to apply a policy by site or is there
something else you gain by OUs? If you need something flexible enough to
allow computers to move, do you need a replicated environment like DFS or SAN
GeoSynch?
There is a bit to consider here and it all must be carefully planned.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need
quickly.
"is.that.spam.on.my.s...@xxxxxxxxx" wrote:
Hi,
I've seen relevant posts in the past for various queries on the
"Default Computers" OU, which work great. However I have come across a
legacy site with a very loose AD environment where hundreds of
computer accounts are unaccounted for (forgive the pun) scattered
within this AD environment.
The main problems are:
- No computer naming convention (various flavours of different Depts)
- No policies in place previously to move new accounts out of the
default container.
- Distributed remote sites.
I was wondering how to go about marrying a script to perform the
following:
- Parsing the machines by / for its IP address (approx 15 different
subnets assigned through DHCP)
- Once the machine subnet has been identified - then the PCs are
moved into their new site specific OU where the local GP can be
enforced.
This will then be added as a startup or shutdown script and linked to
a "Default Computers" OU (will create a new OU for the existing
container to support this task).
Am I being too vague or too ambitious?
Could anyone point me to a rough script since I'm a complete novice and
rely on seasoned veterans to post miracle scripts on a regular basis.
Kind regards
Hoot.
Thanks Ryan that makes a lot more sense.
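The subnet-to-OU classification Hoot asks for, with Ryan's caveat about non-authoritative DNS/DHCP lookups built in, as an added example that is not part of this thread. The subnet table, the OU names and the resolved addresses fed to `plan_moves` are constructed; it only produces a dry-run plan (moves plus the accounts it refuses to classify and why), and the actual moves would be made with a directory tool from that plan.

```python
from ipaddress import ip_address, ip_network

# Constructed subnet-to-OU table standing in for the ~15 DHCP subnets in the
# thread; in practice the AD Sites and Services subnet list is the source.
SUBNET_TO_OU = {
    "10.1.0.0/24": "OU=Computers_OU,OU=Chicago,DC=example,DC=com",
    "10.2.0.0/24": "OU=Computers_OU,OU=Remote Site,DC=example,DC=com",
    "10.3.0.0/24": "OU=Computers_OU,OU=Remote Site,DC=example,DC=com",
}
SUBNETS = [(ip_network(n), ou) for n, ou in SUBNET_TO_OU.items()]


def target_ou(addresses):
    """Return (ou, reason); ou is None when no safe move can be decided."""
    if not addresses:
        return None, "no address resolved (missing or stale DNS record)"
    hits = set()
    for a in addresses:
        addr = ip_address(a)
        matched = [ou for net, ou in SUBNETS if addr in net]
        if not matched:
            return None, f"{a} is outside every known subnet"
        hits.update(matched)
    if len(hits) > 1:
        # Dual-homed host or a DNS entry that was never scavenged: two sites
        # claim it, so leave it for a human rather than guess.
        return None, "addresses map to more than one site (dual-homed?)"
    return hits.pop(), "unambiguous subnet match"


def plan_moves(computers, lookups):
    """Dry run. computers is {name: current DN}; lookups is {name: [addresses]}
    from whatever non-authoritative source (DNS or DHCP) was queried."""
    moves, skipped = [], []
    for name, dn in computers.items():
        ou, why = target_ou(lookups.get(name, []))
        if ou is None:
            skipped.append((name, why))
        elif dn.split(",", 1)[1] == ou:
            skipped.append((name, "already in the target OU"))
        else:
            moves.append((dn, ou))
    return moves, skipped
```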