Redirect computers to a specific OU by IP Address
Forum: microsoft.public.windows.server.active_directory

Guest

Posted: Tue Jun 26, 2007 6:01 am    Subject: Redirect computers to a specific OU by IP Address

Hi,

I've seen relevant posts in the past for various queries on the
"Default Computers" OU, which work great. However I have come across a
legacy site with a very loose AD environment where hundreds of
computer accounts are unaccounted for (forgive the pun) scattered
within this AD environment.
The main problems are:

- No computer naming convention (various flavours of different Depts)
- No policies in place previously to move new accounts out of the
default container.
- Distributed remote sites.

I was wondering how to go about marrying a script to perform the
following:

- Parsing the machines by / for their IP address (approx 15 different
subnets assigned through DHCP)
- Once the machine subnet has been identified, the PCs are
moved into their new site-specific OU where the local GP can be
enforced.

This will then be added as a startup or shutdown script and linked to
a "Default Computers" OU (will create a new OU for the existing
container to support this task).

Am I being too vague or too ambitious?

Could anyone point me to a rough script, since I'm a complete novice and
rely on seasoned veterans to post miracle scripts on a regular basis.

Kind regards

Hoot.
Ryan Hanisco

Posted: Tue Jun 26, 2007 6:01 am    Subject: RE: Redirect computers to a specific OU by IP Address

SpamShoe... <G>

There are two answers to your question:

1. Remember that computer accounts' site membership is determined by subnet
at the time. Since Site is one of the three places where you can bind a
Group Policy, it is relatively easy to create policies by site without having
to create OUs.

2. This flexibility is a blessing and a curse. If all your workstations are
static, it isn't a big deal. So something like folder redirection becomes
easy as you always bind to the local site. With mobile computers, the site
affinity changes as they move, making it more complicated. Even with
statically assigned OUs, you'll run into this problem. So you could write a
script to add computers to an OU, but what if they move -- or worse, what if
they're not at their primary site when the script runs?

You'll need to look at what you're really trying to do before you pick a
solution. Are you just trying to apply a policy by site or is there
something else you gain by OUs? If you need something flexible enough to
allow computers to move, do you need a replicated environment like DFS or SAN
GeoSynch?

There is a bit to consider here and it all must be carefully planned.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.

Ryan Hanisco

Posted: Tue Jun 26, 2007 3:12 pm    Subject: Re: Redirect computers to a specific OU by IP Address

Hi,

Getting the IP address of the workstation is easy if you are running the
script from the workstation. The issue there is that it would be a huge
security hole to let the workstation update the directory from the UI. (If
you were to do this, you would have to hard code admin credentials.)

From the server you would be relying on a DNS or DHCP lease lookup. Neither
of these is authoritative -- what about dual homed computers, DNS entries
that haven't been scavenged, expired leases... And if doing these in
batches, you couldn't guarantee that all the machines would be available.
From a consistency standpoint, I see this going all quagmire on you. In the
face of that, I'd probably just make that the responsibility of the local
admins and give them a timeline. This really SHOULDN'T take too long at all.

As to going forward, you can create a new OU to have all new computer
accounts as they are created. You'd then place a GPO on that OU to
COMPLETELY lock them down until an admin put them into the right OU. This
eliminates the problem, forces administration, and gives the admins incentive
to do their jobs.

Have a look at the following article:
http://support.microsoft.com/default.aspx/kb/324949

Hope this helps.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.


"is.that.spam.on.my.shoe@gmail.com" wrote:

Quote:

Ryan,

Much appreciate the response

To be more succinct:

I do agree with you on the site vs OU model. However, because this is
an environment where it's become more or less a free-for-all (prior to
me coming on board) where there have been approx 15 separate admins
(with sufficient damage privileges) joining computer accounts to a
W2K3 domain without any thought as to where they should be placed
thereafter. All workstations will be static in that respect (any
laptops can be moved into a separate OU).

I'm in the process of disabling computer accounts that have not been
used for approx 180-240 days (as there is over 1000 computer accounts
currently held in the Computer container).

Like I said, I want to try to put a policy in place that will
automatically place any new computers into the relevant Site/Sub-
Container (Remote Site -> Computers_OU) if the site admin does not
move it after creation.

My problem is that I can't curtail the additions of new/rebuilt PCs
in the remote locations (very loose corporate enforcement policy) so I
want to attempt to put a cleanup process in place automatically in HQ.

My biggest problem is that I just don't know where to start the script
at....

:)


Hoot


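Putting Ryan's server-side approach and Hoot's subnet-to-OU requirement together: an added PowerShell example, not code from the thread or from Microsoft, written against today's ActiveDirectory and DnsClient modules rather than the VBScript of 2007. The domain example.com, the Quarantine OU, the two site OUs and the two DHCP scopes in the table are placeholders to be replaced with the real ones. The script runs from an admin workstation under an account delegated to move objects (no credentials ever sit on the client, which is the hole Ryan points out), treats DNS only as a hint and refuses to move any computer whose name has zero or several A records (dual-homed hosts and unscavenged stale entries), and shows the one-time redircmp step from KB 324949 that makes the quarantine OU the default landing place for new accounts.

```powershell
#Requires -Modules ActiveDirectory, DnsClient
# Added example (not from the thread). Domain, OU paths and subnets are assumptions.

# One-time setup, run once as a Domain Admin (KB 324949): new computer accounts
# are created in the quarantine OU instead of CN=Computers, so the lockdown GPO
# linked there applies until an admin (or this sweep) moves them.
#   redircmp "OU=Quarantine,OU=Workstations,DC=example,DC=com"

# Assumed subnet-to-OU table, one entry per DHCP scope, most specific first.
$SubnetMap = @(
    @{ Cidr = '10.10.0.0/24'; OU = 'OU=Computers,OU=Chicago,DC=example,DC=com' }
    @{ Cidr = '10.20.0.0/23'; OU = 'OU=Computers,OU=Dallas,DC=example,DC=com' }
)
$QuarantineOU = 'OU=Quarantine,OU=Workstations,DC=example,DC=com'

function ConvertTo-AddressValue {
    # Dotted-quad IPv4 string -> integer in network byte order.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "IPv4 address expected: $Address" }
    [long]$value = 0
    foreach ($b in $bytes) { $value = $value * 256 + $b }
    return $value
}

function Test-AddressInCidr {
    # True when $Address falls inside the $Cidr network (e.g. 10.10.0.0/24).
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $hostBits = [long]1 -shl (32 - [int]$prefix)      # size of the host part
    $mask     = [long]4294967296 - $hostBits          # 2^32 - hostBits = netmask
    return ((ConvertTo-AddressValue $Address) -band $mask) -eq
           ((ConvertTo-AddressValue $network) -band $mask)
}

function Get-TargetOU {
    # Returns the OU for an address, or $null when no scope in the table matches.
    param([string]$Address)
    foreach ($entry in $SubnetMap) {
        if (Test-AddressInCidr -Address $Address -Cidr $entry.Cidr) { return $entry.OU }
    }
    return $null
}

function Invoke-QuarantineSweep {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $computers = Get-ADComputer -SearchBase $QuarantineOU -SearchScope OneLevel `
                                -Filter * -Properties DNSHostName
    foreach ($c in $computers) {
        if (-not $c.DNSHostName) { Write-Warning "$($c.Name): no DNS host name, skipping"; continue }
        try {
            $records = Resolve-DnsName -Name $c.DNSHostName -Type A -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' }
        } catch {
            Write-Warning "$($c.Name): DNS lookup failed, skipping"; continue
        }
        # DNS is not authoritative for where a machine sits: a dual-homed host or an
        # unscavenged stale record shows up as more than one A record. Do not guess;
        # leave those for a human to place.
        $addresses = @($records | ForEach-Object { $_.IPAddress } | Sort-Object -Unique)
        if ($addresses.Count -ne 1) {
            Write-Warning "$($c.Name): $($addresses.Count) A records, skipping"; continue
        }
        $target = Get-TargetOU -Address $addresses[0]
        if (-not $target) {
            Write-Warning "$($c.Name): $($addresses[0]) matches no DHCP scope, skipping"; continue
        }
        if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Move to $target")) {
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $target
        }
    }
}

# Dry run first; drop -WhatIf once the planned moves look right, then schedule it at HQ.
Invoke-QuarantineSweep -WhatIf
```

Because the sweep only ever takes computers out of the quarantine OU, a machine an admin has already placed correctly is never touched, and anything the script declines to move stays locked down by the quarantine GPO until someone looks at it.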
Guest

Posted: Wed Jun 27, 2007 12:25 pm    Subject: Re: Redirect computers to a specific OU by IP Address

Thanks Ryan that makes a lot more sense.
Copyright © 2002-2006 Web-S-Sense Pty. Ltd. All rights reserved.