How to make computer objects go to specific OU?

loss4words Member Posts: 165
Hi everyone,

Here I am with another newbie question :) At work we run Active Directory on Windows Server 2003. When a computer has to be re-joined to the domain (when it has been re-imaged, for example) and given the same name that it had before, I see that the computer object has been added to the default Computers container in AD. Is there any way to automate this process so that I don't have to move computer objects from the default Computers OU to the Computers OU where the object really belongs?

Sorry if this is confusing.
Thank you.

Comments

  • Devilsbane Member Posts: 4,214
    I know you can do it from an answer file and I believe a command line as well. Otherwise you could create the Computer object in the OU that you want it in and then, when you join your computer, link it to that already created account.

    Not sure how to actually do this though. I have only read about it. For me it was never a huge deal to select all the computers and just move them over.
    Decide what to be and go be it.
  • Devilsbane Member Posts: 4,214
    What I don't understand is, if Microsoft recommends moving your users and computers to OUs... why do they send them to containers by default?
    Decide what to be and go be it.
  • motogpman Member Posts: 412
    Because there are many different ways that companies can structure their AD tree.
    -WIP- (70-294 and 297)

    Once MCSE 2k3 completed:

    WGU: BS in IT, Design/Management

    Finish MCITP:EA, CCNA, PMP by end of 2012

    After that, take a much needed vacation!!!!!
  • earweed Member Posts: 5,192
    If you don't set them up beforehand you'll know where to find them.
    No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.
  • Devilsbane Member Posts: 4,214
    motogpman wrote: »
    Because there are many different ways that companies can structure their AD tree.

    I just read a section out of the MS press book that says
    "It is best to always create user objects in an OU so you can manage them later using group policies."
    Couple lines later
    "Therefore, your Active Directory installation should have appropriate OUs in it, in accordance with your organization's Active Directory design, before you begin creating user objects."

    If that is the best way to do it, why not make it default? Even if you choose not to make an OU tree, I don't see how having that container would be any different if it was an OU named Users.
    Decide what to be and go be it.
  • dynamik Banned Posts: 12,312
    Devilsbane wrote: »
    If that is the best way to do it, why not make it default? Even if you choose not to make an OU tree, I don't see how having that container would be any different if it was an OU named Users.

    You can't assign GPOs to the default users and computers containers, which is why you should configure new objects to go to a specific OU where you have locked things down. It's easy, especially in large organizations, to forget to move computer and user objects to the appropriate OU.

    Ideally, these default containers will have the most restrictive group policies applied to them. It's better to err on the side of being too restrictive rather than too permissive. If a user needs access to do something they're supposed to, they'll let you know. It's much rarer to have a user complain about having excessive privileges.
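
Sending new computer objects to a specific OU, as described in the comment above, shown as an added example that is not part of the thread: it reports where joins currently land, optionally repoints the default with `redircmp.exe`, and previews moving the accounts already left in the old location. It assumes the ActiveDirectory PowerShell module can reach the domain and that the domain is at the Windows Server 2003 functional level or higher; `OU=Workstations,DC=example,DC=com` is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module can
# reach the domain; the OU below is a placeholder for your locked-down OU.
Import-Module ActiveDirectory

$TargetOu      = 'OU=Workstations,DC=example,DC=com'  # placeholder OU
$ApplyRedirect = $false   # $true = change the domain-wide default location
$ApplyMove     = $false   # $true = actually move the existing strays

# Stop early if the target OU does not exist.
Get-ADOrganizationalUnit -Identity $TargetOu -ErrorAction Stop | Out-Null

# Where do computer accounts land today when a join names no OU?
$default = (Get-ADDomain).ComputersContainer
Write-Output "Default location for new computer accounts: $default"

if ($default -eq $TargetOu) {
    Write-Output 'Default already points at the target OU; nothing to do.'
    return
}

if ($ApplyRedirect) {
    # redircmp.exe rewrites the domain's default location for new computers.
    & redircmp.exe $TargetOu
    # Verify by re-reading the value instead of trusting the tool's output.
    if ((Get-ADDomain).ComputersContainer -ne $TargetOu) {
        throw 'Redirect did not take effect; check rights and functional level.'
    }
} else {
    Write-Output "Would run: redircmp.exe $TargetOu"
}

# Computer accounts sitting directly in the old default location.
$strays = @(Get-ADComputer -SearchBase $default -SearchScope OneLevel `
                           -Filter * -Properties whenCreated)
$strays | Sort-Object whenCreated |
    Format-Table Name, whenCreated, DistinguishedName -AutoSize

if ($strays.Count -gt 0) {
    # With $ApplyMove = $false this only prints the planned moves.
    $strays | Move-ADObject -TargetPath $TargetOu -WhatIf:(-not $ApplyMove)
}
```

The redirect only covers joins that name no OU; a join that specifies an OU, or that reuses a pre-created account, still lands where that account lives.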
  • Devilsbane Member Posts: 4,214
    dynamik wrote: »
    You can't assign GPOs to the default users and computers containers, which is why you should configure new objects to go to a specific OU where you have locked things down. It's easy, especially in large organizations, to forget to move computer and user objects to the appropriate OU.

    Ideally, these default containers will have the most restrictive group policies applied to them. It's better to err on the side of being too restrictive rather than too permissive. If a user needs access to do something they're supposed to, they'll let you know. It's much rarer to have a user complain about having excessive privileges.

    I know that you can't link a GPO to a container, that's why I'm confused that the users container is even a container. Why didn't/doesn't Microsoft just make it an OU?
    Decide what to be and go be it.