Join a PC to a specific OU?

Archived from groups: microsoft.public.win2000.setup_deployment (More info?)

Hi,

I have a pure AD Win2k network with some OUs. How can I manually join a
client PC to the domain to a specific OU?

I'm aware of Unattend facilities for this, but how can I do it sitting
at the PC?

--
Gerry Hickman (London UK)
 

Hi Gerry

Netdom.exe (part of the support tools on the CD) can do this from the
command line. I would recommend that you create a dedicated user for this
and use the delegation of control wizard to allow it to create and delete
computer objects in the specific OUs you want.

Hope this helps

Oli




"Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
news:u0GoQdePEHA.680@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> I have a pure AD Win2k network with some OUs. How can I manually join a
> client PC to the domain to a specific OU?
>
> I'm aware of Unattend facilities for this, but how can I do it sitting at
> the PC?
>
> --
> Gerry Hickman (London UK)
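Added example, not code from the thread: a PowerShell wrapper around the netdom.exe /OU join Oli describes, run as a delegated join account rather than a domain admin, with a bind check before the join and a lookup afterwards to confirm the computer object landed in the intended OU. The domain, OU and account names are hypothetical placeholders, and it assumes a modern PowerShell host with netdom.exe on the path.

```powershell
# Added example, not code from the thread: join the local workstation
# directly into a target OU with netdom.exe (the /OU switch Oli mentions),
# authenticating as a delegated join account rather than a domain admin,
# then verify where the computer object actually landed.
# Domain, OU and account names are hypothetical placeholders.

$Domain   = 'corp.example'
$TargetOU = 'OU=Workstations,OU=London,DC=corp,DC=example'
$JoinUser = 'CORP\svc-join'   # delegated create/delete computer objects on $TargetOU only
$Computer = $env:COMPUTERNAME

# The password stays in memory; netdom is told to prompt (/PasswordD:*) so
# it never appears on a command line that other local processes could read.
$cred = Get-Credential -UserName $JoinUser -Message 'Delegated join account'
$pw   = $cred.GetNetworkCredential().Password

# 1. Bind to the OU as the join account before touching the machine.
#    A mistyped DN fails here instead of half-way through the join, and a
#    bind failure also tells you the delegation on that OU is not in place.
$ouEntry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Domain/$TargetOU", $cred.UserName, $pw)
try   { $null = $ouEntry.NativeObject }
catch { throw "Cannot bind to '$TargetOU' as $($cred.UserName): $_" }

# 2. Perform the join. Netdom creates the computer object under /OU instead
#    of the default Computers container. Add /Reboot to restart afterwards.
& netdom.exe join $Computer "/Domain:$Domain" "/OU:$TargetOU" `
    "/UserD:$($cred.UserName)" /PasswordD:*
if ($LASTEXITCODE -ne 0) { throw "netdom join failed (exit code $LASTEXITCODE)" }

# 3. Confirm the account sits directly under the OU and nowhere else.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($ouEntry)
$searcher.Filter      = "(&(objectClass=computer)(sAMAccountName=$Computer`$))"
$searcher.SearchScope = 'OneLevel'
$hit = $searcher.FindOne()
if ($hit) {
    "Computer object created at: $($hit.Properties['distinguishedname'][0])"
} else {
    Write-Warning "No computer object for $Computer directly under $TargetOU; check the Computers container"
}
```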
 

Oli Restorick [MVP] wrote:

> Netdom.exe (part of the support tools on the CD) can do this from the
> command line.

Right, that does mean it will only work (interactively) on stations with
netdom installed though.

I find the lack of an OU field in the GUI very odd, when you think Win2k
was designed to work with AD. Even more strange is that (apparently) XP
does not have this facility either.

> I would recommend that you create a dedicated user for this
> and use the delegation of control wizard to allow it to create and delete
> computer objects in the specific OUs you want.

This sounds good. At present I have a domain admin account but strangely
if I unjoin a workstation it refuses to delete the computer account in
AD. If I go to "Active Directory Users and Computers" on the Admin
station it lets me delete it without a problem.

--
Gerry Hickman (London UK)
 

"Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
news:O04weFqPEHA.4036@TK2MSFTNGP12.phx.gbl...
> Right, that does mean it will only work (interactively) on stations with
> netdom installed though.
Yes. Since I'm doing the domain join as part of an unattended build, I just
include the netdom.exe file as part of the build. If you're looking for a
way to add machines that have already been built to a specific OU, then I'm
not sure.

What you're really looking for is a way to specify in Active Directory which
should be the default container/OU to add machines to. It's probably
possible to do that. Perhaps one of the Directory Services guys might
know -- a repost in microsoft.public.windows.server.active_directory might
do the trick.

It would be really cool if you could somehow use a WMI filter specified
using AD that could determine the correct default OU for a machine.

> I find the lack of an OU field in the GUI very odd, when you think Win2k
> was designed to work with AD. Even more strange is that (apparently) XP
> does not have this facility either.
I think most people would find it confusing, to be honest. Most people
would not get the LDAP path correct if you had to type it by hand. To
provide a browse button, you'd need to authenticate against AD first.

While most small businesses I know will go to the keyboard of the machine to
do a domain join, bigger companies are more likely to create the machine
account in the correct OU and then let the end user do the domain join
themselves. Then again, the default of allowing 10 domain joins per user
doesn't tie up with this, as it doesn't have any administrative involvement.
You really don't want people dumping new machines into your computers
container.

As you've probably realised, you can't apply a GPO to the computers
container (because it's a container). So, if you want a GPO to apply here,
you have to apply it at the site or domain level, at which point it's going
to get applied to your servers and probably several other machines you don't
want to hit.

Regards

Oli
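Added example, not code from the thread: the "10 domain joins per user" default Oli refers to is the ms-DS-MachineAccountQuota attribute on the domain object. This script reads it and, only with -Apply, sets it to 0 so that only accounts with delegated rights on a specific OU (or pre-created accounts) can join machines, which stops ordinary users from dumping machines into the Computers container. It assumes it is run as an account allowed to write to the domain object.

```powershell
# Added example, not code from the thread: inspect the domain-wide
# "10 joins per user" default and, if asked, lower it to 0.
# The limit is the ms-DS-MachineAccountQuota attribute on the domain object.
# At 0, only accounts delegated "create computer objects" on an OU (or
# pre-created computer accounts) can join machines.
# Assumes it is run as an account allowed to write to the domain object.

param([switch]$Apply)   # without -Apply the script only reports

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.Get('defaultNamingContext')
$domain   = [ADSI]"LDAP://$domainDn"

try   { $quota = [int]$domain.Get('ms-DS-MachineAccountQuota') }
catch { throw "ms-DS-MachineAccountQuota is not readable on ${domainDn}: $_" }

"ms-DS-MachineAccountQuota on $domainDn is currently $quota"

if ($quota -eq 0) {
    "Already 0: only delegated accounts can create computer objects."
    return
}

"Any authenticated user can currently join up to $quota machines into the default container."
if ($Apply) {
    $domain.Put('ms-DS-MachineAccountQuota', 0)
    $domain.SetInfo()
    "Set ms-DS-MachineAccountQuota to 0 on $domainDn"
} else {
    "Re-run with -Apply to set it to 0."
}
```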
 

See http://support.microsoft.com/default.aspx?kbid=324949

A new feature in Windows 2003 is you can redirect the Computers container to
an OU. It doesn't give you the flexibility to put the computers into
different OUs but at least you can add the computer to an OU which has the
appropriate GPOs applied, rather than having to worry about applying and
filtering GPOs at the domain level.

We don't use this though - all our PCs are added through RIS and we use
menus to choose which OU to add them into.

 

Thanks very much for the info, Brendon.

Oli


"Brendon Rogers" <brendon@nospam-itology.net> wrote in message
news:ubsaAyLQEHA.1392@TK2MSFTNGP09.phx.gbl...
> See http://support.microsoft.com/default.aspx?kbid=324949
>
> A new feature in Windows 2003 is you can redirect the Computers container to
> an OU. It doesn't give you the flexibility to put the computers into
> different OUs but at least you can add the computer to an OU which has the
> appropriate GPOs applied, rather than having to worry about applying and
> filtering GPOs at the domain level.
>
> We don't use this though - all our PCs are added through RIS and we use
> menus to choose which OU to add them into.
 

Hi Oli,

> What you're really looking for is a way to specify in Active Directory which
> should be the default container/OU to add machines to.

No, the way I see it is that there should be a third box called "OU"
that you can fill in when joining a computer to a domain.

> It would be really cool if you could somehow use a WMI filter specified
> using AD that could determine the correct default OU for a machine.

But I'm joining it manually, and I know where I want to put it!

>>I find the lack of an OU field in the GUI very odd,

> I think most people would find it confusing, to be honest.

But surely most people who have been assigned the task of joining
computers are capable of such things? If they're not, they could just
leave the field blank and it would join to the root.

> Most people
> would not get the LDAP path correct if you had to type it by hand. To
> provide a browse button, you'd need to authenticate against AD first.

I do understand what you're saying here. I was thinking most enterprises
would have their OUs directly below their root - this would only
require one word in a text box e.g.

Domain_Root
- OU1
- OU2

It's not hard to type "OU2" if you want to join to the second OU? As you
say though, an LDAP string would be more complicated, but it's still not
rocket science - they can leave the box blank if they want.

Actually the more I look at this, the more I'm wishing I'd kept a
separate "resource" domain. When we did our Win2k migration we dissolved
all the child domains and put the AD in head office (using OUs instead).
Trouble is, there's a few things cropping up now that don't work too
well with OUs.

1. Policies - head office say we can't "block" theirs even if they conflict
2. Software - lots of software can operate on "domains" but not on "OUs"
3. Joining - as above you really need to be a domain admin for the whole
thing
4. Network browsing (Entire Network) is still "flat file", the fact the
PCs are in different OUs doesn't help. When they were in domains they
each had their own subtree.

--
Gerry Hickman (London UK)
 

"Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
news:%23b8wyZpQEHA.644@tk2msftngp13.phx.gbl...
> But surely most people who have been assigned the task of joining
> computers are capable of such things? If they're not, they could just
> leave the field blank and it would join to the root.
Much of the GUI in Windows is aimed at the lowest common denominator and is
designed to be easy to learn. If you want to do something a little more
adventurous, scripting is the way to go (although it would be nice if
netdom.exe was part of the default installation).

> I do understand what you're saying here. I was thinking most enterprises
> would have their OUs directly below their root
I don't!

I think an extra box would have been useful, but it's not there, so we just
have to live with that.

> 1. Policies - head office say we can't "block" theirs even if they
> conflict
Yep.
> 2. Software - lots of software can operate on "domains" but not on "OUs"
Can you clarify? I don't get what you mean here.

> 3. Joining - as above you really need to be a domain admin for the whole
> thing
Aaaaagh! Why do you need to be a domain admin? I administer my whole
network without needing to log in as a domain admin. My regular work
account is not a domain admin. I don't log in to member servers with a
domain admin account and I sure as hell don't join workstations to the
domain using a domain admin account!

> 4. Network browsing (Entire Network) is still "flat file", the fact the
> PCs are in different OUs doesn't help. When they were in domains they each
> had their own subtree.
The computer browser service is turned off on every machine in my domain, so
I don't have that issue.

Start | Run | \\machinename works great!

Regards

Oli
 

Jose



There is a way for you to enter computers to a specific OU but it has to
be done when you first log in at the text mode. There is a file on the
server you must configure: Choice.OSC

If you removed these entries on the RIS then you will get more options
and one of them is to name the computer and to choose which OU the
computer must reside in.

<meta server action="DNRESET">
<meta server action="FILTER CHOICE">


Regards.
 

Oli Restorick [MVP] wrote:

> Much of the GUI in Windows is aimed at the lowest common denominator and is
> designed to be easy to learn. If you want to do something a little more
> adventurous, scripting is the way to go (although it would be nice if
> netdom.exe was part of the default installation).

In most scenarios this is fine, however certain dialogs can only be
seen/changed when an administrator is logged in and I see no reason
these dialogs would need to be over simplistic.

>>I do understand what you're saying here. I was thinking most enterprises
>>would have their OUs directly below their root
>
> I don't!

So what do you have before the OUs in your tree?

>>2. Software - lots of software can operate on "domains" but not on "OUs"
>
> Can you clarify. I don't get what you mean here.

e.g. Anti-Virus software, SMS 2.0. It's got things like install/monitor
whole domain x, domain y, but it doesn't allow you to only install to
ou1, ou2 etc. Probably the same in things like HFNetchkPro. If ou1 wants
to use SUS and ou2 wants to use Shavlik, this could be an issue.

> Aaaaagh! Why do you need to be a domain admin? I administer my whole
> network without needing to log in as a domain admin. My regular work
> account is not a domain admin. I don't log in to member servers with a
> domain admin account and I sure as hell don't join workstations to the
> domain using a domain admin account!

My regular work account is a user account. I think people are idiots
that check their email logged in as domain admin! I also don't log into
member servers as domain admin. I don't put domain admin passwords in
scripts etc. The only time I use it is for joining/unjoining machines.
I'm not allowed to create new accounts on the domain and some user
accounts can only join 10 machines before croaking, so I'm not sure the
correct way to do this. I also need to delete the old account when
unjoining and I thought I needed admin rights to do that? I'm not a
local admin on any of the DCs, and am not allowed access to the DCs.

>>4. Network browsing

> The computer browser service is turned off on every machine in my domain, so
> I don't have that issue.

Hehe, that's one way of solving it!

> Start | Run | \\machinename works great!

It's not great when you don't know the machine name.

--
Gerry Hickman (London UK)