Re: Automatically adding computers to a group

"Mike" <reply@xxxxxxxx> wrote in message
news:OuExCOpiIHA.5968@xxxxxxxxxxxxxxxxxxxxxxx
Thanks, it's a brilliant idea and it works a treat. The trick to it is to
allow add/remove self as member assigned to the SELF role of the security
group.

I have a lot of machines that are ghosted, regularly. Once their image is
older than 30 days, their domain computer account password expires. This
prevents them from logging on to the network and accessing resources. To
fix this problem, the computer must be rejoined to the domain. (Even if I
reset the computer account, I will still have to rejoin the machine)

Only AT the computer -- this procedure does NOT change the SID and so
should never affect existing group membership.

Again, I still do not understand why me explaining this is of any
relevance to my initial question. Understand that all I want to know is
how to automatically add a computer to a specific security group
every time it's joined to a domain.

And we have said there is no way to do this specifically which leads to the
questions about REAL goals to find out how to simulate the REAL effect
you need.


What process on a DC adds the computer to Domain

Underneath the covers it is almost certainly an ADSI call (calls actually)
which perform the set of steps necessary.

Computers? Can I latch on to it and add a secondary group?

Probably not. You can either replace the procedure with your own
for adding the account OR supplement it after that is finished.

Notice that "adding the computer account to the domain" and "joining the
computer to the domain" are TWO SEPARATE steps even when they
look like only one.

The account is added to AD; the computer is told to join using that
domain (and at this point negotiates its secret password with the
authenticating DC).



"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:ubqWipoiIHA.4684@xxxxxxxxxxxxxxxxxxxxxxx

"Mike" <reply@xxxxxxxx> wrote in message
news:OBpeJEmiIHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
No, it would not.

Huh?

If you mean that the "Computer does not still appear in the group" then
that makes no sense if the computer account is NOT recreated.

I clearly asked if there was any way I could add a computer to a
security group every time it's joined to a domain. I should not have to
explain why I have this requirement.

I didn't ask, but might have done so since if we know what you are
REALLY trying to do frequently we can solve the real problem rather
than the requested method you are pursuing for doing that.

For instance, computers should not be REMOVED and RE-ADDED
to domains as of Win2000/Active Directory whenever this can be
avoided.

Computer accounts should merely be "reset" whenever this works to
straighten out problems (e.g., restored from backup, hosed computer
password etc.)

I run a script from a GPO that removes the computer that the script is
running on from the security group. This security group is used to
filter the same GPO. This allows me to execute "run once" GPOs, or in
my case run once startup scripts.

Interesting concept, "run once GPO." There are other ways to get the
effect of run once scripts but I like the concept of "run once GPO".

So the GPO arranges to add the computer to a group which is used to
filter out that same GPO? (i.e., filter it from ever applying again?)

Pretty nice idea. Does it work generally?


"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:udFLNXfiIHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
"Mike" <reply@xxxxxxxx> wrote in message
news:utCEUTbiIHA.3512@xxxxxxxxxxxxxxxxxxxxxxx
Scripts based on what AD property? Computer objects have a
whenCreated and whenModified but neither of these cover when a
machine is rejoined.

If it is NOT recreated then the membership in any group (from before)
would still be present.

You only need to "re-add" it if the account is recreated and thus the
SID changes.

"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:OPPEAGciIHA.484@xxxxxxxxxxxxxxxxxxxxxxx
I would agree with Herb that you are probably going to have to script
it, but you realize there is already a group called domain computers
that all machines are a member of. You could just create a group and
make domain computer a member of this new security group.

Yes, if you wish EVERY computer to belong you might just use this
group.

As to his last question: You might (probably) will have to select a
list of ALL computers that fit your requirements (by OS
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Mike" <reply@xxxxxxxx> wrote in message
news:utCEUTbiIHA.3512@xxxxxxxxxxxxxxxxxxxxxxx
Scripts based on what AD property? Computer objects have a
whenCreated and whenModified but neither of these cover when a
machine is rejoined.



"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:ewdmRxaiIHA.4684@xxxxxxxxxxxxxxxxxxxxxxx

"Mike" <reply@xxxxxxxx> wrote in message
news:%23ExJwkWiIHA.6136@xxxxxxxxxxxxxxxxxxxxxxx


Any ideas on how to automatically add a computer that has just been
joined to the domain, to a security group? Similar to how they are
added to Domain Computers. I also need to make sure that if it is
re-joined it will be added to the group again.

AFAIK you will need to write scripts to do this.


--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com (phone on web site)

If you use LinkedIn then tell me where you know me from when
linking:

http://www.linkedin.com/in/herbmartin
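Mike's "run once GPO" pattern written out as a computer startup script. This is an added example, not code posted in the thread; it assumes a security group named GPO-RunOnce-Filter (placeholder name) that is listed in the GPO's security filtering and whose ACL grants SELF the "Add/remove self as member" right, exactly the permission Mike says makes the trick work.

```powershell
<#
 Added example (not from the thread): run-once GPO startup script.
 Runs at computer startup as SYSTEM, so it authenticates to AD as the
 machine account. The only write it needs is the validated write
 "Add/remove self as member", granted to SELF on the filtering group.
 Assumptions: group name below is a placeholder; the machine is domain-joined.
#>
param(
    [string]$GroupName = 'GPO-RunOnce-Filter',            # assumed group name
    [ValidateSet('Remove', 'Add')][string]$Action = 'Remove'
)
$ErrorActionPreference = 'Stop'

# Resolve the domain naming context so no DN is hard-coded in the script.
$defaultNC = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$searcher  = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$defaultNC"

# This machine's own account: its sAMAccountName is COMPUTERNAME followed by '$'.
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$self = $searcher.FindOne()
if (-not $self) { throw "No computer object found for $env:COMPUTERNAME" }
$selfDN = [string]$self.Properties['distinguishedname'][0]

# The group used in the GPO's security filtering.
$searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
$found = $searcher.FindOne()
if (-not $found) { throw "Group $GroupName not found" }
$group = $found.GetDirectoryEntry()

# 'member' holds DNs; -contains is case-insensitive, which suits DN comparison.
$isMember = @($group.Properties['member']) -contains $selfDN

switch ($Action) {
    'Remove' {
        if ($isMember) {
            # IADsGroup::Remove via Invoke. Succeeds under SELF's right only
            # because the member being removed is the caller's own account.
            $group.Invoke('Remove', "LDAP://$selfDN")
            Write-Host "Removed $selfDN from $GroupName; this GPO will not apply again."
        } else {
            Write-Host "$selfDN is not in $GroupName; nothing to do."
        }
    }
    'Add' {
        if (-not $isMember) {
            $group.Invoke('Add', "LDAP://$selfDN")   # same right covers adding self
            Write-Host "Added $selfDN to $GroupName; the GPO applies at next boot."
        }
    }
}
```

Because it runs under the computer account it can change nothing but its own membership, and the removal shows up in the GPO filter at the next policy refresh. As the thread notes, nothing re-adds a rejoined machine automatically, so the `-Action Add` path is what a rejoin procedure would have to call itself.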
